I am trying out the APK signature scheme v4 introduced in Android 11. I use the apksigner from the Android Sdk and it seems to work fine: it signs the .apk and generates the .idsig file as expected:
$ ls
app.apk
$/Android/Sdk/build-tools/30.0.3/apksigner sign -v --ks ~/keystore.jks --ks-key-alias testkey app.apk
Keystore password for signer #1:
Signed
$ ls
app.apk  app.apk.idsig
However, when I use the same apksigner tool to verify the signature, it outputs the following:
$/Android/Sdk/build-tools/30.0.3/apksigner verify -v ./app.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
... # and a bunch of other v1-related warnings
$ echo $?
0
So it successfully verifies based on APK Signature Scheme v3 and doesn’t take into account the .idsig at all (modifying the .idsig file does not affect the verification result).
I would expect "Verified using v4 scheme (APK Signature Scheme v4):" to also be true. Am I missing something?
Ubuntu 21.04, Android Sdk 30.0.3.
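Added example, not part of the question above and not apksigner's own code: a small Python parser and sanity checker for the .idsig file that apksigner writes for scheme v4. When a verifier's result does not change after editing the .idsig, the first thing to establish is whether the file is even being read, and the second is whether its contents are what you expect; this script lets you dump the fs-verity root hash, signer certificate and signature from the file and check the Merkle tree size against the APK size. The field layout (version 2, little-endian int32 length prefixes, hashing_info then signing_info then the raw Merkle tree) follows my reading of apksig's V4Signature class, and the fs-verity tree-size calculation is likewise my understanding of that format; both are assumptions to confirm against the apksig source, not facts from the post. The function names (parse_idsig, build_idsig, check_idsig, expected_merkle_tree_size) are mine, and the sample .idsig bytes are constructed inline with dummy values so the script runs offline.

```python
import struct
from dataclasses import dataclass

BLOCK_SIZE = 4096   # fs-verity block size apksig uses (log2_block_size == 12), assumed
DIGEST_SIZE = 32    # SHA-256, the only hash algorithm apksig's V4Signature accepts, assumed

@dataclass
class HashingInfo:
    hash_algorithm: int   # 1 == SHA-256
    log2_block_size: int  # 12 == 4096-byte blocks
    salt: bytes           # fs-verity salt
    raw_root_hash: bytes  # salted SHA-256 of the top Merkle-tree block

@dataclass
class SigningInfo:
    apk_digest: bytes            # digest of the v3-signed APK this file belongs to
    certificate: bytes           # DER X.509 signer certificate
    additional_data: bytes
    public_key: bytes            # DER SubjectPublicKeyInfo
    signature_algorithm_id: int  # same identifiers as scheme v2/v3
    signature: bytes

@dataclass
class V4Signature:
    version: int
    hashing_info: HashingInfo
    signing_info: SigningInfo
    merkle_tree: bytes           # fs-verity tree over the APK, stored verbatim

class _Reader:
    """Bounds-checked little-endian reader for the length-prefixed fields."""
    def __init__(self, data):
        self.data, self.pos = bytes(data), 0
    def _take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated .idsig at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self):   return self._take(1)[0]
    def u32(self):  return struct.unpack("<I", self._take(4))[0]
    def blob(self): return self._take(self.u32())
    def finish(self, what):
        if self.pos != len(self.data):
            raise ValueError("trailing bytes in %s" % what)

def parse_idsig(data):
    """Decode: u32 version | blob hashing_info | blob signing_info | blob merkle_tree."""
    top = _Reader(data)
    version = top.u32()
    if version != 2:
        raise ValueError("unsupported .idsig version %d" % version)
    hashing_blob, signing_blob, tree = top.blob(), top.blob(), top.blob()
    top.finish("file")
    h = _Reader(hashing_blob)
    hashing = HashingInfo(h.u32(), h.u8(), h.blob(), h.blob())
    h.finish("hashing_info")
    s = _Reader(signing_blob)
    signing = SigningInfo(s.blob(), s.blob(), s.blob(), s.blob(), s.u32(), s.blob())
    s.finish("signing_info")
    return V4Signature(version, hashing, signing, tree)

def _blob(b): return struct.pack("<I", len(b)) + b

def build_idsig(sig):
    """Inverse of parse_idsig; used here to construct the sample file."""
    h, s = sig.hashing_info, sig.signing_info
    hashing = (struct.pack("<IB", h.hash_algorithm, h.log2_block_size)
               + _blob(h.salt) + _blob(h.raw_root_hash))
    signing = (_blob(s.apk_digest) + _blob(s.certificate) + _blob(s.additional_data)
               + _blob(s.public_key) + struct.pack("<I", s.signature_algorithm_id)
               + _blob(s.signature))
    return struct.pack("<I", sig.version) + _blob(hashing) + _blob(signing) + _blob(sig.merkle_tree)

def expected_merkle_tree_size(apk_size):
    """fs-verity tree size as I understand it: each level stores the hashes of the
    level below, zero-padded to whole blocks, until a single block remains."""
    blocks, total = -(-apk_size // BLOCK_SIZE), 0
    while blocks > 1:
        level = -(-(blocks * DIGEST_SIZE) // BLOCK_SIZE) * BLOCK_SIZE
        total += level
        blocks = level // BLOCK_SIZE
    return total

def check_idsig(data, apk_size):
    """Structural checks on an .idsig; returns a list of findings (empty == consistent)."""
    sig = parse_idsig(data)
    h, s, findings = sig.hashing_info, sig.signing_info, []
    if h.hash_algorithm != 1 or h.log2_block_size != 12:
        findings.append("unexpected hash algorithm %d / block size 2^%d" % (h.hash_algorithm, h.log2_block_size))
    if len(h.raw_root_hash) != DIGEST_SIZE:
        findings.append("root hash has %d bytes, expected %d" % (len(h.raw_root_hash), DIGEST_SIZE))
    want = expected_merkle_tree_size(apk_size)
    if len(sig.merkle_tree) != want:
        findings.append("Merkle tree is %d bytes, expected %d for a %d-byte APK" % (len(sig.merkle_tree), want, apk_size))
    if not s.signature or not s.certificate:
        findings.append("signing_info lacks a signature or certificate")
    return findings

# Constructed sample (dummy bytes, not a real signature): a 10,000-byte APK spans
# three 4096-byte blocks, so its fs-verity tree is a single 4096-byte level.
SAMPLE_APK_SIZE = 10_000
SAMPLE_IDSIG = build_idsig(V4Signature(
    version=2,
    hashing_info=HashingInfo(1, 12, b"", bytes(range(32))),
    signing_info=SigningInfo(b"\x11" * 32, b"\x30\x82" + b"\x00" * 6, b"",
                             b"\x30\x59" + b"\x00" * 4, 0x0103, b"\x7f" * 256),
    merkle_tree=b"\x00" * 4096,
))
```

Run parse_idsig on the real app.apk.idsig and compare the root hash and signature before and after an edit to the file: if the parsed values change while apksigner's output does not, the tool is not reading the file at all. From my reading of apksig's ApkSignerTool, the verify command only loads a v4 file when it is passed explicitly with --v4-signature-file; that is an assumption from the source, not something the post states, so confirm it against the help output of the apksigner version in use.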