Add apk (v1) FxR signer to config b/c Oculus Go store rejects APKs signed by Autograph with v2 signing support.
Categories
(Cloud Services :: Operations: Autograph, defect)
Tracking
(Not tracked)
People
(Reporter: rbarker, Unassigned)
Attachments
(1 file)
86.51 KB,
image/png
The recent upgrade to autograph to allow v2 signing seems to be causing issues with the Oculus Go store. When the APK is uploaded we get the error dialog attached to the bug. If I run apksigner verify on the APK signed by autograph I get the following:
~/Downloads>> apksigner verify --v --min-sdk-version 23 FirefoxReality-6-33030052-oculusvr3dofStore-arm64-release-signed.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
So it would appear that the Oculus store is rejecting APKs with v2 signing regardless of whether the APK is v1 signed.
Comment 1 • 5 years ago
I'm not sure how to proceed here. The Oculus store should prefer V2 signatures when present, and we can't strip the V1 signature without opening the APK, which breaks the V2 signature.
Would it be possible to get more information from Oculus on what type of signature they expect?
Reporter
Comment 2 • 5 years ago
(In reply to Julien Vehent [:ulfr] from comment #1)
I'm not sure how to proceed here. The Oculus store should prefer V2 signatures when present, and we can't strip the V1 signature without opening the APK, which breaks the V2 signature.
Would it be possible to get more information from Oculus on what type of signature they expect?
To be clear, Oculus has two stores. One for the Quest (which requires v2), and one for the Go and GearVR (which requires only v1). The APK for the Go/GearVR store is getting rejected because it is v2 signed in addition to being v1 signed. This is the exact opposite problem we had when autograph only supported v1 signing.
The APK for the Go/GearVR store is getting rejected because it is v2 signed in addition to being v1 signed.
Ugh, we could default to v1 and v2 signatures and use a signing request option to disable the v2 signature e.g.
"options": {
  "v2": false
}
Alternatively, we could add an extra signer config and authorization for Go and GearVR and make the signature versions configurable in the signer config (again defaulting to both) e.g.
- id: some-android-app-gear-go
  type: apk2
  # defaults to versions 1 and 2, but can sign with just one version (or say v1 and v3 if we add v3 support)
  signature_versions:
    - 1
  certificate: |
    -----BEGIN CERTIFICATE-----
    MIIH0zCCBbugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBvDELMAkGA1UEBhMCVVMx
    ...
    -----END CERTIFICATE-----
  privatekey: |
    ...
Reporter
Comment 4 • 5 years ago
I would go with the lowest impact solution. It does not look like there will be a Go 2 and GearVR is dead so while Go users are a significant number of our current users, I expect that number to shrink over time until we just drop support.
Assuming the apk (v1) signer + zipalign worked for Go/GearVR we can leave that one in the config and add another apk2 signer to support both use cases, which limits this to just a config change.
Reporter
Comment 6 • 5 years ago
The version of Autograph that did only v1 signing worked with the Go store. It didn't break until we started v2 signing it also. So that should be fine if I understand what you are saying.
In config commit 13af68632aa32d4c3f798a8571a810fda4ab1e7d:
- Added a signer with name fx_reality_apk_v1 with the old apk signer config
- Added a new autograph edge authorization (creds to send to :rbarker)
Closing with changes to go out next week with train-6.
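An added example (not code from Autograph or from anyone in this bug): a pre-upload check in Python that reports which signature schemes an APK carries, the distinction the Go/GearVR store is described above as enforcing. It detects presence only (v1 files in META-INF/, and the v2/v3 IDs inside the APK Signing Block), so apksigner verify remains the verification step. The function names are hypothetical, and sample_apk builds a constructed archive with a dummy block.

```python
import io
import struct
import zipfile

APK_SIG_MAGIC = b"APK Sig Block 42"
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}  # IDs used in the signing block

def find_cd(data):
    """Return (EOCD offset, central directory offset) of a ZIP/APK."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no End of Central Directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def signature_schemes(data):
    """Report which schemes are present (presence only, nothing is verified)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        meta = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    # v1 (JAR signing): a .SF file plus a signature block file in META-INF/.
    exts = {n.rsplit(".", 1)[-1] for n in meta}
    found = {"v1"} if "SF" in exts and exts & {"RSA", "DSA", "EC"} else set()
    # v2+: the APK Signing Block ends just before the central directory.
    _, cd = find_cd(data)
    if cd >= 32 and data[cd - 16:cd] == APK_SIG_MAGIC:
        size = struct.unpack_from("<Q", data, cd - 24)[0]
        start = cd - size - 8  # size does not count the leading size field
        if size < 24 or start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
            raise ValueError("malformed APK Signing Block")
        pos, end = start + 8, cd - 24
        while pos + 12 <= end:  # uint64 pair length, then uint32 ID
            pair_len, pair_id = struct.unpack_from("<QI", data, pos)
            if pair_len < 4 or pos + 8 + pair_len > end:
                raise ValueError("malformed ID-value pair")
            if pair_id in SCHEME_IDS:
                found.add(SCHEME_IDS[pair_id])
            pos += 8 + pair_len
    return found

def sample_apk(with_v2):
    """Constructed sample: v1-style entries, optionally a dummy v2 block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/CERT.SF", "META-INF/CERT.RSA", "classes.dex"):
            zf.writestr(name, b"constructed")
    data = bytearray(buf.getvalue())
    if with_v2:  # 48-byte block: size, one 16-byte v2 pair, size, magic
        eocd, cd = find_cd(data)
        data[cd:cd] = struct.pack("<QQI4xQ", 40, 8, 0x7109871A, 40) + APK_SIG_MAGIC
        struct.pack_into("<I", data, eocd + 48 + 16, cd + 48)
    return bytes(data)
```

A release step for the v1-only store would fail the upload unless signature_schemes(apk_bytes) equals {"v1"}.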