So what is the Android team's intention? Should v3.1-only APKs be considered valid? Or not? My guess is they should be not considered valid since the Android team has explicitly marked that kind of signature as invalid since apksigner v30.0.0 (besides v33). Are there any plans to unified the code that verifies APK signatures?
#Android #AndroidSDK #APK #apksigner
2/2
Interesting bug in #apksigner reported to @fdroidorg: an APK with only a v3.1 signature was only considered valid by v33. <33 error out with "APK Signature Scheme v2 signature 0 indicates the APK is signed using APK Signature Scheme v3 but no such signature was found." >33 error out with "The APK contains a v3.1 signing block without a v3.0 base block". Android uses its own verify code and treats it as valid. https://gitlab.com/fdroid/fdroidserver/-/issues/1253
1/2
In the official release of the #AndroidSDK package "build-tools_r35.0.1_linux.zip", they included what looks like a hand-edited "source.properties" metadata file that is a key part of the "sdkmanager" packaging system:
```
Pkg.UserSrc=false
Pkg.UserSrc=false
Pkg.Revision=35.0.1
#Pkg.Revision=35.0.0 rc4h
```
I mean really? The Android SDK packages are not automatically generated?
This is something I usually do during the 
Christmas Holiday ... this time I finished it a bit earlier... 
:
Here is the #recipe to build the #android 15 #sdk (#api #level 35) from source !
https://codeberg.org/Starfish/SDK-Rebuilds
So no need to download the binaries from G***le. Just compile by yourself. The #androidsdk is a collection of tools and binaries needed to #develop #android #apps .
Remember: #foss projects also need a free build chain.
Have fun and take care!
I wish the #AndroidSDK team would follow repository best practices and stop silently reissuing binary releases under the same name/version. #MavenCentral does not allow this, for example. The #FDroid transparency log shows the newest violation: two version of sources-34_r01.zip with the file name, version code, and metadata.
Big thanks to Kai-Chung Yan, Komal Sukhani (couldn't find them in the Fediverse), @eighthave and everyone else involved for packaging the open source parts of the Android SDK for Debian! 
With this I managed to revive an old Android app of mine that stopped working several years ago due to server-side changes.
#AndroidSDK #OpenSource #AndroidApp
Do you sometimes just want one tool from the #AndroidSDK in a container or VM, and don't want to deal with the whole pain of setting up #Java and everything? Try the #FDroid sdkmanager instead of the official one. For example, `apt-get install sdkmanager` then `sdkmanager platform-tools`. Plus this verifies all packages using `apt-get` style GPG-signed index with SHA256 values. Useful in #research on #Android #malware #tracking etc. In pypi, Debian, Ubuntu, and https://gitlab.com/fdroid/sdkmanager/
