Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-26895] Android: APK signing will fail when using MD5 keystore and JDK 8 or newer

GitHub Issue: n/a
Type: Bug
Priority: None
Status: Closed
Resolution: Fixed
Resolution Date: 2019-05-23T21:11:58.000+0000
Affected Version/s: n/a
Fix Version/s: Release 8.0.2
Components: Android
Labels: android, apk, engSchedule, jdk, md5, signing
Reporter: Joshua Quick
Assignee: Joshua Quick
Created: 2019-03-12T03:05:27.000+0000
Updated: 2019-05-23T21:11:58.000+0000

Description

*Summary:* Digitally signing an APK will fail when using a keystore that uses MD5 encryption with JDK 8 or a newer version.

*Steps to reproduce:*

  1. Go to a machine with JDK 8 or newer installed on it.
  2. Create a Classic Titanium app.
  3. Copy the [^testmd5.keystore] to the project's root directory.
  4. In Appc Studio, select "Package" from the top-left-most dropdown box.
  5. In Appc Studio, select "Android Play Store" from the other dropdown box.
  6. Click the build button.
  7. For "Keystore Location", click the "Browse" button and select the "testmd5.keystore" file.
  8. For "Keystore Password", enter: testmd5
  9. For "Keypair Password", enter: testmd5
  10. For "Key Alias", enter: testmd5
  11. Click the "Publish" button.

*Result:* Build fails with the following logged error messages.
[ERROR] :  Failed to sign apk:
[ERROR] :  jarsigner error: java.security.NoSuchAlgorithmException: MD5withRSA (weak) Signature not available

*Cause:* When reading the keystore file's information via the JDK "keytool", the algorithm returned will be "MD5withRSA (weak)" with " (weak)" appended to it as of JDK 8. The returned "MD5withRSA (weak)" string is being blindly passed to the signing tool, when we should be passing "MD5withRSA" instead.

*Note 1:* Issue was raised on GitHub below...
https://github.com/appcelerator/titanium_mobile/issues/10769

*Note 2:* Newest JDK "keytool" versions will typically create a keystore using SHA1 or SHA256 by default. I think MD5 was the default for JDK 6.

*Note 3:* You can create a keystore file with "MD5withRSA" at the command line on Mac by entering the below in the Terminal. Note that we don't recommend signing a real app with MD5. You should use SHA256 instead. The below is for testing purposes only.
keytool -genkey -v -keystore <NewKeystoreFilePath> -alias <AliasName> -sigalg MD5withRSA -keyalg RSA -validity 999999
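
The handling described under *Cause*, sketched as an added example (not the Titanium SDK's code and not the actual fix): it reads constructed `keytool -list -v`-style text, strips the " (weak)" annotation before building the jarsigner `-sigalg` argument, and keeps the weak flag so the build can warn instead of failing. Function names and the sample output are assumptions made for illustration.

```javascript
// Constructed sample in the style of `keytool -list -v` output (not a real capture).
const SAMPLE_KEYTOOL_OUTPUT = [
  'Alias name: testmd5',
  'Entry type: PrivateKeyEntry',
  'Signature algorithm name: MD5withRSA (weak)',
  '',
  'Alias name: testsha256',
  'Entry type: PrivateKeyEntry',
  'Signature algorithm name: SHA256withRSA',
].join('\n');

// Split the keytool field into the bare algorithm name and an optional
// parenthesised annotation such as "weak". Anything else is rejected so that
// display text never reaches the signing tool's argument list unchecked.
function normalizeSigAlg(raw) {
  const m = /^\s*([A-Za-z0-9_\-\/]+)\s*(?:\(([^)]*)\))?\s*$/.exec(raw);
  if (!m) throw new Error('Unrecognised signature algorithm field: ' + JSON.stringify(raw));
  return { name: m[1], annotation: m[2] || null };
}

// Returns Map(alias -> { sigalg, weak }). Only the first certificate listed
// under an alias is recorded (the entry's own certificate in a chain).
function readSigAlgs(keytoolOutput) {
  const result = new Map();
  let alias = null;
  for (const line of keytoolOutput.split(/\r?\n/)) {
    let m;
    if ((m = /^Alias name:\s*(.+)$/.exec(line))) {
      alias = m[1].trim();
    } else if (alias && !result.has(alias) && (m = /^Signature algorithm name:\s*(.+)$/.exec(line))) {
      const { name, annotation } = normalizeSigAlg(m[1]);
      result.set(alias, { sigalg: name, weak: annotation === 'weak' });
    }
  }
  return result;
}

// Builds the jarsigner -sigalg arguments for one alias; `warn` tells the caller to log a weak-algorithm warning.
function jarsignerSigAlgArgs(keytoolOutput, alias) {
  const entry = readSigAlgs(keytoolOutput).get(alias);
  if (!entry) throw new Error('Alias not found: ' + alias);
  return { args: ['-sigalg', entry.sigalg], warn: entry.weak };
}
```
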

Attachments

File                  Date                            Size
testmd5.keystore      2019-03-12T02:53:42.000+0000    2577
testsha1.keystore     2019-05-15T00:49:39.000+0000    2579
testsha256.keystore   2019-05-15T00:49:39.000+0000    2583

Comments

  1. Joshua Quick 2019-05-15

    I've attached SHA1 and SHA256 keystore files to be used to test the fix for this issue. Note that there are not any issues with these algorithms, but we need to ensure the fix doesn't break them either.

    [^testsha1.keystore]
    *Keystore Password:* testsha1
    *Keypair Password:* testsha1
    *Key Alias:* testsha1

    [^testsha256.keystore]
    *Keystore Password:* testsha256
    *Keypair Password:* testsha256
    *Key Alias:* testsha256
  2. Joshua Quick 2019-05-15

    PR (master): https://github.com/appcelerator/titanium_mobile/pull/10888
    PR (8.0.x): https://github.com/appcelerator/titanium_mobile/pull/10889
  3. Keerthi Mahalingam 2019-05-17

    FR passed.
  4. Keerthi Mahalingam 2019-05-17

    PR merged for master, but on 8_0_X Jenkins is failing. Not able to merge.
  5. Keerthi Mahalingam 2019-05-23

    Verified the fix on SDK 8.1.0.v20190523084559 and 8.0.2.v20190522031334. App built successfully with keystore. Works as expected.
    Operating System
         Name                        = Mac OS X
         Version                     = 10.13.6
         Architecture                = 64bit
         # CPUs                      = 8
         Memory                      = 17179869184
       Node.js
         Node.js Version             = 8.9.1
         npm Version                 = 5.5.1
       Titanium CLI
         CLI Version                 = 5.1.1
       Titanium SDK
         SDK Version                 = 8.1.0.v20190523084559 and 8.0.2.v20190522031334
       Cli =7.0.11
       Studio =5.1.2.201903111843
       
