Titanium SDK/CLI / TIMOB-26895

Android: APK signing will fail when using MD5 keystore and JDK 8 or newer

    Details

    • Story Points:
      3
    • Sprint:
      2019 Sprint 11

      Description

      Summary:
      Digitally signing an APK fails on JDK 8 or newer when the keystore uses the "MD5withRSA" signature algorithm.

      Steps to reproduce:

      1. Go to a machine with JDK 8 or newer installed on it.
      2. Create a Classic Titanium app.
      3. Copy the testmd5.keystore to the project's root directory.
      4. In Appc Studio, select "Package" from the top-left-most dropdown box.
      5. In Appc Studio, select "Android Play Store" from the other dropdown box.
      6. Click the build button.
      7. For "Keystore Location", click the "Browse" button and select the "testmd5.keystore" file.
      8. For "Keystore Password", enter: testmd5
      9. For "Keypair Password", enter: testmd5
      10. For "Key Alias", enter: testmd5
      11. Click the "Publish" button.

      Result:
      Build fails with the following logged error messages.

      [ERROR] :  Failed to sign apk:
      [ERROR] :  jarsigner error: java.security.NoSuchAlgorithmException: MD5withRSA (weak) Signature not available
      

      Cause:
      As of JDK 8, when the keystore file's information is read via the JDK "keytool", the algorithm is returned as "MD5withRSA (weak)", with " (weak)" appended to the name. The returned "MD5withRSA (weak)" string is being blindly passed to the signing tool, when we should be passing "MD5withRSA" instead.
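
One way to normalize the value before it reaches the signing tool, as an added example that is not the Titanium SDK's own code. It goes slightly beyond the " (weak)" case by splitting off any trailing parenthesized annotation; the function names, the name-shape check and the sample keytool output are assumptions constructed for illustration.

```javascript
// Added example (not Titanium SDK code). Sample keytool output is constructed.
const SAMPLE_KEYTOOL_OUTPUT = [
  'Alias name: testmd5',
  'Entry type: PrivateKeyEntry',
  'Signature algorithm name: MD5withRSA (weak)',
  'Version: 3'
].join('\n');

// Conservative shape of a signature algorithm name (assumption of this example).
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9/_-]*$/;

// Extract the signature algorithm from keytool output and split off any
// trailing parenthesized annotation such as " (weak)".
function parseSigalg(keytoolOutput) {
  const line = /^\s*Signature algorithm name:\s*(.+?)\s*$/m.exec(keytoolOutput);
  if (!line) return null;
  const raw = line[1];
  const annotated = /^(\S+)\s+\(([^)]+)\)$/.exec(raw);
  const name = annotated ? annotated[1] : raw;
  const annotation = annotated ? annotated[2] : null;
  // Refuse anything that does not look like an algorithm name instead of
  // forwarding it to the signing tool.
  if (!SAFE_NAME.test(name)) {
    throw new Error('Unexpected signature algorithm value: ' + JSON.stringify(raw));
  }
  // Flag the keystore if keytool annotated the algorithm, or if the name is
  // MD5-based (covers JDKs that print no annotation).
  const weak = annotation !== null || /^MD5with/i.test(name);
  return { raw, name, annotation, weak };
}

// Build the jarsigner arguments as separate argv entries (not a shell string),
// and report whether the build should warn about a weak keystore.
function jarsignerSigalgArgs(keytoolOutput) {
  const sigalg = parseSigalg(keytoolOutput);
  if (!sigalg) throw new Error('No signature algorithm found in keytool output');
  return { args: ['-sigalg', sigalg.name], warn: sigalg.weak };
}
```

The `warn` flag lets the build keep working for existing MD5 keystores while still telling the developer the keystore should be replaced with a SHA256 one.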

      Note 1:
      The issue was raised on GitHub at the link below.
      https://github.com/appcelerator/titanium_mobile/issues/10769

      Note 2:
      Newest JDK "keytool" versions will typically create a keystore using SHA1 or SHA256 by default. I think MD5 was the default for JDK 6.

      Note 3:
      You can create a keystore file with "MD5withRSA" at the command line on Mac by entering the below in the Terminal. Note that we don't recommend signing a real app with MD5. You should use SHA256 instead. The below is for testing purposes only.

      keytool -genkey -v -keystore <NewKeystoreFilePath> -alias <AliasName> -sigalg MD5withRSA -keyalg RSA -validity 999999
      

            People

            • Assignee:
              jquick Joshua Quick
              Reporter:
              jquick Joshua Quick
              Reviewer:
              Yordan Banev
              Tester:
              Keerthi Mahalingam (Inactive)

                Backbone Issue Sync

                • Titanium SDK/CLI <> Titanium Mobile
                  Synced with:
                  TIMOB-21092