安卓15预置第三方apk时签名报错问题解决

有同事反馈集成apk时安装失败

PackageManager: Failed to scan /product/app/test: No APK Signature Scheme v2 signature in package /product/app/test/test.apk

查看编译后的apk签名信息

DOES NOT VERIFY

ERROR: JAR signer CERT.RSA: JAR signature META-INF/CERT.SF indicates the APK is signed using APK Signature Scheme v2 but no such signature was found. Signature stripped?

但是用命令查看我的apk是正常的apksigner verify -v test.apk | grep Verified

Verified using v1 scheme (JAR signing): true

Verified using v2 scheme (APK Signature Scheme v2): true

Verified using v3 scheme (APK Signature Scheme v3): false

Verified using v3.1 scheme (APK Signature Scheme v3.1): false

Verified using v4 scheme (APK Signature Scheme v4): false

Verified for SourceStamp: false

那么应该是编译过程做了某些变动。

解决办法

通过预编译的方法

android_app_import {
    name: "test",
    apk: "test.apk",
    // 保留apk自己的签名
    presigned: true,
    preprocessed: true,
    // 打开将放到对应分区目录的priv-app文件夹下
    // privileged: true,
    // 打开将放到system_ext分区
    // system_ext_specific: true,
    // 打开将放到product分区
    // product_specific: true,
    // 打开将放到vendor分区
    // proprietary: true,
    // odm分区
    // device_specific: true
    // apk优化，内置三方apk时建议关闭
    dex_preopt: {
        enabled: false,
    },
}

在安卓15上新增了app_import.go - OpenGrok cross reference for /build/soong/java/app_import.go

validatePresignedApk检测

如果加了presigned，但不加preprocessed，同时targetSdk大于等于30就会编译报错，更加方便开发者定位问题：

[100% 5/5 0s remaining] Check presigned apkFAILED: out/soong/.intermediates/packages/test/test/android_common/validated-prebuilt/check.stampbuild/soong/scripts/check_prebuilt_presigned_apk.py –aapt2 out/host/linux-x86/bin/aapt2 –zipalign out/host/linux-x86/bin/zipalign packages/test/test.apk out/soong/.intermediates/packages/test/test/android_common/validated-prebuilt/check.stamppackages/test/test.apk: Prebuilt, presigned apks with targetSdkVersion >= 30 (or a codename targetSdkVersion) must set preprocessed: true in the Android.bp definition (because they must be signed with signature v2, and the build system would wreck that signature otherwise)

另外apk里面的so不能压缩，否则会报错

FAILED: out/soong/.intermediates/packages/test/test/android_common/validated-prebuilt/check.stamp

build/soong/scripts/check_prebuilt_presigned_apk.py –aapt2 out/host/linux-x86/bin/aapt2 –zipalign out/host/linux-x86/bin/zipalign –preprocessed packages/test/test.apk out/soong/.intermediates/packages/test/test/android_common/validated-prebuilt/check.stamp

packages/test/test.apk: Contains compressed JNI libraries

因为安卓6开始支持直接加载apk里面的so，如果压缩的话，预编译会在apk内部进行解压，那么就会破坏apk签名。

其实，如果apk的minSdkVersion >= 23 并且 Android Gradle plugin >= 3.6.0情况下，打包时android:extractNativeLibs=false，apk的so默认是不压缩的。

在minSdkVersion < 23 或 Android Gradle plugin < 3.6.0情况下，打包时 android:extractNativeLibs=true，apk的so默认是压缩的。

参考：https://juejin.cn/post/6943920550125420558

Android13解决android_app_import内置第三方APK安装失败问题_but no such signature was found. signature strippe-CSDN博客

浅谈extractNativeLibs

通过直接拷贝的方法

参考：https://blog.csdn.net/wangwei6227/article/details/123727372

同样要注意apk so的压缩问题，如果是压缩过的，必须提取出来，并拷贝到apk机器目录。

可能遇到的selinux权限问题

01-01 12:00:39.520000 5326 5326 W om.skype.raider: type=1400 audit(0.0:64): avc: denied { read } for name=”libSkypeAndroid.so” dev=”mmcblk0p22” ino=770074 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

#====================== untrusted_app.te ======================

allow untrusted_app system_data_file:file r_file_perms;

参考：采用Signature Scheme v2签名方式的APK预置失败