Google apps breaking, play services signature may have changed #712

Open
st3rox opened this issue Dec 12, 2024 · 7 comments

@st3rox

st3rox commented Dec 12, 2024

microg/GmsCore#2680

If your google apps are working disable auto-updates for them before they break

@mar-v-in

microg/GmsCore#2680 (comment)

Google seemingly has updated their signature checking code. On Android 9 and above, the latest code uses PackageInfo.signingInfo (via the GET_SIGNING_CERTIFICATES flag) instead of PackageInfo.signatures (via the GET_SIGNATURES flag). This will likely roll out to non-Google apps in the future as well.

This means that all signature spoofing patches need to be updated to address the change of API usage. There's unfortunately nothing we can do in microG itself.

@petefoth
Contributor

petefoth commented Dec 12, 2024

> This means that all signature spoofing patches need to be updated to address the change of API usage.

I'll try and work out what, if anything, we can or should do.

  • We no longer use the signature spoofing patches in our monthly builds, as they are not needed for 18.1 and later branches.
  • From what I can see, most of our patch files aren't doing anything with the PackageInfo class.
  • The only one that looks like it may be affected is this patch which is not used in building any branch that we currently support.

From all of that, my understanding is that we don't need to do anything. Our builds should continue to work, and apps which want to spoof signatures will still be allowed to do so, though those apps may need to change in response to Google's changes.

@mar-v-in I am definitely not an expert in this area. Please let me know if you think that I have got this wrong, and that we do need to make some changes. Thanks

@mar-v-in

@petefoth You don't need to do anything at this point as the patch is in upstream LineageOS. And they already started the process, see https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/411374. So once they have merged this in a few days, apps that require the updated patch will work again.

The problem is how the signature spoofing in LineageOS worked: To minimize potential security impact it would only spoof the signature for a single specific API that is used by the Google Play Services client library to discover if Play Services is signed using Google's key - which is what microG needs to work. But there is more than one API to request the signature (or precisely the signing certificate) of an app, and the new version of the Play Services client library uses a newer API that was not handled by the signature spoofing feature in LineageOS (and others).

Luckily we caught this pretty early. Google's apps have early access to new versions of Google's Play Services client library, so that's why for now only a few Google apps are affected. But soon we'll see other, non-Google apps adopt those client libraries with the new signature check that would then stop working as well.
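The two lookup paths described in the comment above, written as a client-side signer check. This is an added example, not code from the Play Services client library, microG or LineageOS. The class `SignerCheck`, its methods and the fail-closed policy for multi-signer APKs are assumptions made for illustration.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper: checks that a package is signed by one pinned certificate. */
public final class SignerCheck {
    private SignerCheck() {}

    /** Certificates the platform reports for pkg; empty when the check must fail. */
    static Signature[] signers(PackageManager pm, String pkg)
            throws PackageManager.NameNotFoundException {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            // Android 9+: read PackageInfo.signingInfo via GET_SIGNING_CERTIFICATES.
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo si = pi.signingInfo;
            // Assumed policy: one pinned certificate cannot vouch for a
            // multi-signer APK, so that case fails closed.
            if (si == null || si.hasMultipleSigners()) return new Signature[0];
            // Original certificate at index 0, current certificate last.
            return si.getSigningCertificateHistory();
        }
        // Older releases: read PackageInfo.signatures via GET_SIGNATURES.
        PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        if (pi.signatures == null || pi.signatures.length != 1) return new Signature[0];
        return pi.signatures;
    }

    /** True if a reported certificate has the expected SHA-256 digest. */
    public static boolean isSignedBy(PackageManager pm, String pkg, byte[] expectedSha256) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : signers(pm, pkg)) {
                // MessageDigest.isEqual compares the digests in constant time.
                if (MessageDigest.isEqual(md.digest(s.toByteArray()), expectedSha256)) {
                    return true;
                }
            }
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Package not installed or digest unavailable: fail closed.
        }
        return false;
    }
}
```

The two branches read different `PackageInfo` fields populated by different flags, so a platform feature that handles only the `GET_SIGNATURES` path is never consulted by a client that takes the first branch.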

@petefoth
Contributor

Thanks @mar-v-in
I saw that the change has been submitted to LineageOS. We should pick it up if / when it gets merged there

The patch in this comment in the microG issue tracker looks a lot like the patches we used to apply before Lineage started supporting spoofing.

We would need to change our patches to match (i.e. s/packageInfo.signatures = new Signature[]/packageInfo.signingInfo = new SigningInfo(..../) if we want those patches to continue to work for people making ROMs using our Docker engine which allow unrestricted signature spoofing. I am not aware of anybody who does actually use that functionality, so it is not worth the effort (IMHO) of changing all our patches (and testing that the changes work).

Instead, I will update our documentation to say

  1. We no longer support unrestricted signature spoofing AND
  2. Our patches are out-of-date, of historical interest only, and will no longer work in the light of the Google changes

(Documentation and Website changes are on the To Do list, but have taken a back seat. Time to move them up the list 😄 )

Thanks again.

@petefoth
Contributor

> I saw that the change has been submitted to LineageOS. We should pick it up if / when it gets merged there

Though we should be aware that, given LineageOS's history of describing signature spoofing as 'lying about security', they may choose not to accept the change. In which case, we will be back to patching android_frameworks_base ourselves in our build process. I will watch that upstream change with interest!

@ale5000-git

ale5000-git commented Dec 17, 2024

The fix was merged in LineageOS 19.1/20/21/22: https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/411386

@petefoth
Contributor

petefoth commented Dec 17, 2024

> The fix was merged in LineageOS 19.1/20/21/22

Thanks. Any builds started after the change was submitted should pick up the change: the code was merged in the 21.0 branch at 20:52 yesterday. Looking at the Matrix room, I think that lemonadep should be the first build to have the fix. Other devices will pick up the fix in due course as they are built.
