APKs using deprecated MD5 signature #107

Closed
opened 2025-11-07 08:26:34 -06:00 by GiteaMirror · 18 comments
Originally created by @IzzySoft on GitHub (Nov 1, 2017).

Just a note: your APKs are still signed using MD5, which is deprecated.

```
ERROR: JAR signer BITWARDE.RSA: Failed to verify JAR signature META-INF/BITWARDE.RSA against META-INF/BITWARDE.SF: java.security.SignatureException: Algorithm constraints check failed on disabled algorithm: MD5.
```

As you know, deprecated soon might mean unsupported – so you might wish to act on this 😉
@kspearrin commented on GitHub (Nov 1, 2017):

Not sure where this setting is. I'm not aware of anywhere we are explicitly setting md5. Will have to investigate more.
@IzzySoft commented on GitHub (Nov 1, 2017):

Sorry that I cannot be more helpful. I'm just running a repo, I'm no Android dev …
@IzzySoft commented on GitHub (Nov 1, 2017):

Pointer: [It's probably your signing key](https://github.com/zxing/zxing/issues/900#issuecomment-341115661) (linking you there so you maybe can exchange helpful findings).
@kspearrin commented on GitHub (Nov 1, 2017):

Thanks, I'll watch that issue for a possible fix.
@IzzySoft commented on GitHub (Nov 1, 2017):

If you happen to find a solution first, Sean certainly would be happy to know as well. Quoting him on that key issue:

> That said I don't know, can it be changed?

i.e. the current show-stopper for him is the question how to update the signing key accordingly. If you know an answer to that … 😉
@IzzySoft commented on GitHub (Dec 11, 2017):

@kspearrin update: at least one other project successfully solved the issue: AdGuard (see [here](https://github.com/AdguardTeam/AdguardForAndroid/issues/1575#issuecomment-350717523)). Their solution might apply to Bitwarden as well. Quoting:

> The solution was clearly one of the:
>
> * Transition from Maven to Gradle build system.
> * Update of Android SDK and build tools.
>
> But no change in certificates and keys was made.

Worth a look I'd say (a quick glance informs me you're not using Gradle, so it might apply).
@kspearrin commented on GitHub (Jan 10, 2018):

@IzzySoft We use Xamarin, which is a completely different way of building Android apps (with C#), so using something like Gradle is not possible. We are using the latest Android SDK tools already though. Not sure how else we could resolve this. We could use a new signing key for FDroid since it is not being distributed there yet, but I am not even sure where the option of dropping MD5 in that process is.
@kspearrin commented on GitHub (Jan 10, 2018):

Running keytool on the APK shows `SHA256withRSA` is the signing algorithm. Where is this MD5 reference coming from? We see it listed in the fingerprints here, but that's just a fingerprint hash, not what is used to sign.

```
$ keytool -printcert -file BITWARDE.RSA
Valid from: Fri Aug 26 22:57:00 EDT 2016 until: Tue Jan 12 21:57:00 EST 2044
Certificate fingerprints:
         MD5:  BE:9E:C3:1A:F7:2B:4E:1B:0F:69:A0:7D:4C:60:EC:BD
         SHA1: 75:41:85:CD:4C:DF:DE:59:87:48:B0:43:04:8B:FE:59:A1:72:64:C2
         SHA256: 24:E0:6C:04:C2:08:04:8F:19:F1:C9:93:B4:DD:A4:43:0E:A8:B0:6D:B8:37:5E:A0:E3:7B:83:46:96:B9:AC:3A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
```
@anortiz08 commented on GitHub (Jan 10, 2018):

@kspearrin See this post which discusses the root cause: https://forums.xamarin.com/discussion/101114/visual-studio-build-jarsigner-algorithm
@kspearrin commented on GitHub (Jan 10, 2018):

@anortiz08 Awesome. Thanks for that. Looks like a Xamarin issue then. I can confirm [our build output](https://ci.appveyor.com/project/bitwarden/mobile) is using `-sigalg md5withRSA`:

```
C:\Program Files\Java\jdk1.8.0\\bin\jarsigner.exe -keystore 8bit.keystore -storepass ***** -keypass ***** -digestalg SHA1 -sigalg md5withRSA -signedjar bin\FDroid\\com.x8bit.bitwarden-Signed-Unaligned.apk C:\projects\mobile\src\Android\obj\FDroid\android\bin\com.x8bit.bitwarden.apk bitwarden
```

According to that post they are supposed to be switching to apksigner, which will support `SHA256withRSA`. Looks like the change has already landed but not sure if it is live in the latest Xamarin.Android/VS version. Need to investigate more.
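The two comments above separate three things that are easy to conflate: the certificate's fingerprints (just hashes of the certificate, harmless), the algorithm the certificate itself was signed with (`SHA256withRSA` in the keytool output), and the digest and signature algorithms that jarsigner recorded in the PKCS#7 SignerInfo of `META-INF/*.RSA` (`-digestalg SHA1 -sigalg md5withRSA`), which is what the verifier rejected. The following script is an added example, not code from Bitwarden, Xamarin or the issue participants: it opens an APK as a zip, walks the DER of every v1 signature block under `META-INF/` with a minimal hand-written walker, and reports any MD5 or SHA-1 algorithm OIDs it contains. The helper names, the in-memory "APK" and the DER sample blocks are constructed for this illustration; the only page-derived name is the `BITWARDE.RSA` file name. It generalises slightly beyond the issue by scanning every `.RSA`/`.DSA`/`.EC` block rather than one named file.

```python
"""Added example: flag MD5/SHA-1 algorithm OIDs inside an APK's v1 (JAR)
signature blocks.  Standard library only; DER helpers are hand-rolled."""
import io
import zipfile
from typing import Iterator

# Real OIDs as they appear in PKCS#7 SignedData / SignerInfo AlgorithmIdentifiers.
OID_NAMES = {
    "1.2.840.113549.2.5": "md5",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.1": "rsaEncryption",
}
WEAK = {"md5", "sha1", "md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:              # multi-byte tag number (not used by PKCS#7)
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(value: bytes) -> str:
    """OID content octets -> dotted string, e.g. 1.2.840.113549.2.5."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def iter_oids(buf: bytes, start: int = 0, end: int = -1) -> Iterator[str]:
    """Recurse into every constructed node (SEQUENCE, SET, [n]) and yield OIDs."""
    end = len(buf) if end < 0 else end
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        if tag == 0x06:
            yield _decode_oid(buf[vstart:vend])
        elif tag & 0x20:
            yield from iter_oids(buf, vstart, vend)
        pos = vend


def weak_algorithms(der: bytes) -> list:
    """Sorted weak algorithm names found anywhere in the block (embedded certs included)."""
    return sorted({OID_NAMES.get(o, o) for o in iter_oids(der)} & WEAK)


def scan_apk(apk) -> dict:
    """Map each v1 signature block under META-INF/ to the weak algorithms it uses."""
    found = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                found[name] = weak_algorithms(z.read(name))
    return found


# --- constructed sample data: a stand-in for the AlgorithmIdentifiers a
# SignerInfo carries, not a complete PKCS#7 blob --------------------------------
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))


def build_sample_block(digest_oid: str, sig_oid: str) -> bytes:
    alg = lambda oid: _der(0x30, _oid(oid) + _der(0x05, b""))   # AlgorithmIdentifier + NULL
    return _der(0x30, _der(0x31, alg(digest_oid)) + alg(sig_oid))


def build_sample_apk(block: bytes) -> io.BytesIO:
    """In-memory zip whose only signature block is the given DER bytes (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/BITWARDE.RSA", block)
    buf.seek(0)
    return buf


MD5_BLOCK = build_sample_block("1.2.840.113549.2.5", "1.2.840.113549.1.1.4")          # jarsigner -sigalg md5withRSA
SHA256_BLOCK = build_sample_block("2.16.840.1.101.3.4.2.1", "1.2.840.113549.1.1.11")  # SHA-256 signer

if __name__ == "__main__":
    for label, block in (("md5-signed", MD5_BLOCK), ("sha256-signed", SHA256_BLOCK)):
        print(label, scan_apk(build_sample_apk(block)))
```

Because the walker visits the whole block, including the embedded certificate chain, a hit means some structure in the block names the weak algorithm; it is a conservative triage filter, and `apksigner verify --verbose` remains the authoritative check of which algorithms actually protect the APK.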
@kspearrin commented on GitHub (Jan 10, 2018):

See https://bugzilla.xamarin.com/show_bug.cgi?id=57914

Target milestone shows 15.6, so hopefully that will be available soon. Current VS is 15.5.
@kspearrin commented on GitHub (Mar 12, 2018):

15.6 is now out. Could you check the latest dev builds here again? https://ci.appveyor.com/project/bitwarden/mobile/build/1370/artifacts
@IzzySoft commented on GitHub (Mar 12, 2018):

If you meant me, @kspearrin: I'd only do what you could check for yourself: `apksigner verify <APKFile>` 😉 Apart from that, all that page gives me is:

> The build job does not contain any artifacts.

So there's nothing I could check, sorry.
@kspearrin commented on GitHub (Mar 12, 2018):

I updated the URI. It's at https://ci.appveyor.com/project/bitwarden/mobile/build/1370/artifacts
@kspearrin commented on GitHub (Mar 12, 2018):

@IzzySoft I am having trouble getting this apksigner util to work on my dev machine. Could you check?
@IzzySoft commented on GitHub (Mar 12, 2018):

`com.x8bit.bitwarden-1370.apk` doesn't provoke any error from `apksigner`, neither does `com.x8bit.bitwarden-fdroid-1370.apk` – so it looks fine to me from that point (including this issue seemingly solved).

Still wondering what keeps it from working on your machine; I don't even have a full dev install here (just the very basic binaries in a "fake environment") …
@kspearrin commented on GitHub (Mar 12, 2018):

I'm on Windows, trying to run `apksigner.bat verify com.x8bit.bitwarden` and it keeps throwing errors about not finding the APK file. I've tried all kinds of file path variations. 😕

Oh well.

Thanks for testing! I will close this issue now.
@IzzySoft commented on GitHub (Mar 12, 2018):

Heh! Naturally not. Unless the ***file*** name is `com.x8bit.bitwarden`, which I don't think it is. What I was running (on Linux): `apksigner verify com.x8bit.bitwarden-1370.apk` (while being in the directory the `.apk` file is in, and having `apksigner` in my `$PATH`).

However that might be: Glad I could help!
Reference: github-starred/android#107