isBuildArtifactSigned Fails for Protected AABs in Bitrise Sign Step #90

Open
ghostgarrix opened this issue Nov 27, 2024 · 1 comment

ghostgarrix commented Nov 27, 2024

Troubleshooting

  • I've searched discuss.bitrise.io for possible solutions.
  • Which version of the step is affected? V2
  • Is the issue reproducible with the latest version? YES
  • Does the issue happen sporadically, or every time? EVERY TIME
  • Is the issue reproducible locally by following our local debug guide? YES

Issue description

We are encountering an issue with the sign-apk Bitrise step when signing an .aab file that has been protected and obfuscated using DexGuard. The signing process fails because the isBuildArtifactSigned check always fails. This happens because the aapt tool used in the check cannot open or list files in a protected .aab, as its contents are encrypted and obfuscated.

No issue when run on the unprotected version of the .aab.
No issue when run on a protected/unprotected .apk (APKs are signed with apksigner, though).

Observed Behavior

  • The aapt list command fails to parse the protected .aab file.
  • The signing process terminates with an error.
  • The step fails with Run: failed to check if build artifact is signed: [ERROR: failed opening '/tmp/bitrise-sign-build-artifact1892284604/unsigned.aab' as Zip file.

Expected Behavior

  • The sign-apk step should allow signing of protected .aab files without relying on aapt list to verify the signature, as protected files cannot be processed by aapt.

Proposed Solutions

  • Provide an option to skip the isBuildArtifactSigned check in the sign-apk step, allowing users to bypass this validation for protected files.
  • Implement a fallback mechanism in isBuildArtifactSigned to handle cases where aapt cannot process the .aab, perhaps by assuming the AAB is unsigned if the check fails due to obfuscation.

Step implementation

- sign-apk@2:
    inputs:
      - android_app: ${DEPLOY_BUILD_ARTEFACTS_LOCATION}/app-production-release-protected.aab
      - keystore_url: $BITRISEIO_ANDROID_KEYSTORE_1_URL
      - keystore_password: $BITRISEIO_ANDROID_KEYSTORE_1_PASSWORD
      - private_key_password: $BITRISEIO_ANDROID_KEYSTORE_1_PRIVATE_KEY_PASSWORD
      - keystore_alias: $BITRISEIO_ANDROID_KEYSTORE_1_ALIAS
      - signer_scheme: v2

Error screenshot

Screenshot, 2024-11-27 at 15 43 52

@jeremiebardon

The issue arises because the .aab file was compressed using the zip64 format on our end. Compressing it with the standard zip format resolves the problem since aapt didn't support zip64 format.

For reference, is there a workaround to support zip64 for this step, or do we need to implement a custom signing step instead?
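
A preflight check for the cause identified in the comment above, as an added example that is not code from the sign-apk step or from either participant: it lists the bundle's entries with Go's `archive/zip`, which reads zip64, and reports whether the archive is zip64 and whether it carries a JAR signature block. The names `Inspect` and `buildZip`, the sample entry names, and the use of `META-INF/*.RSA|DSA|EC` as the signedness marker are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"regexp"
)

// sigEntry matches the signature block file jarsigner writes (assumed signedness marker).
var sigEntry = regexp.MustCompile(`^META-INF/[^/]+\.(RSA|DSA|EC)$`)

// Inspect reports whether b is a zip64 archive and whether it contains a JAR
// signature block. archive/zip parses zip64, so the listing works either way.
func Inspect(b []byte) (zip64, signed bool, err error) {
	r, err := zip.NewReader(bytes.NewReader(b), int64(len(b)))
	if err != nil {
		return false, false, err
	}
	for _, f := range r.File {
		signed = signed || sigEntry.MatchString(f.Name)
	}
	// A zip64 archive has a 20-byte locator ("PK\x06\x07") directly before the
	// end-of-central-directory record ("PK\x05\x06"); assumes no such bytes in the comment.
	eocd := bytes.LastIndex(b, []byte("PK\x05\x06"))
	zip64 = eocd >= 20 && bytes.HasPrefix(b[eocd-20:], []byte("PK\x06\x07"))
	return zip64, signed, nil
}

// buildZip returns a constructed in-memory archive of empty entries, starting
// with first; 65535 or more entries make the writer emit zip64 end records.
func buildZip(entries int, first string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	name := first
	for i := 0; i < entries; i++ {
		w.CreateHeader(&zip.FileHeader{Name: name, Method: zip.Store})
		name = fmt.Sprintf("base/res/%d", i)
	}
	w.Close() // writes go to a bytes.Buffer and cannot fail
	return buf.Bytes()
}

func main() {
	for _, n := range []int{3, 1 << 16} {
		z, s, err := Inspect(buildZip(n, "META-INF/UPLOAD.RSA"))
		fmt.Printf("entries=%d zip64=%v signed=%v err=%v\n", n, z, s, err)
	}
}
```

A `zip64=true` result on the protected bundle would point to the archive format, rather than encryption of its contents, as the reason a zip64-unaware tool reports "failed opening ... as Zip file".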
