android_binary.debug_key fails to accept custom keystore #10862

@nkoroste

Description of the problem / feature request:

In theory debug_key should sign your APK with the given key. In practice I couldn't get it to work.

Two issues:

  1. If I don't use the password android, I get the following error:

```
keytool -genkeypair \
   -alias androiddebugkey \
   -dname "CN=Android Debug, O=Android, C=US" \
   -keystore foo \
   -storepass barpass \
   -sigalg SHA256withDSA \
   -validity 10950
```

exception:

```
Failed to load  "signer #1"
java.io.IOException: Keystore was tampered with, or password was incorrect
	at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:792)
	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243)
	at java.base/java.security.KeyStore.load(KeyStore.java:1479)
	at com.android.apksigner.ApkSignerTool$SignerParams.loadKeyStoreFromFile(ApkSignerTool.java:833)
	at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCertsFromKeyStore(ApkSignerTool.java:723)
	at com.android.apksigner.ApkSignerTool$SignerParams.loadPrivateKeyAndCerts(ApkSignerTool.java:663)
	at com.android.apksigner.ApkSignerTool$SignerParams.access$500(ApkSignerTool.java:615)
	at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:269)
	at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:89)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:790)
	... 8 more
```

The underlying command bazel runs looks something like this:

```
bazel-out/host/bin/external/androidsdk/apksigner sign --ks scripts/keystore/andy --ks-pass pass:android --v1-signing-enabled true --v1-signer-name CERT --v2-signing-enabled true --out path/to/app.apk path/to/app.apk
```

I think the issue happens because bazel has the password hardcoded to --ks-pass pass:android.

  2. If I use android as the password, I get the following error:

```
keytool -genkeypair \
   -alias androiddebugkey \
   -dname "CN=Android Debug, O=Android, C=US" \
   -keystore foo \
   -storepass android \
   -sigalg SHA256withDSA \
   -validity 10950
```

exception:

```
Use --sandbox_debug to see verbose messages from the sandbox
Exception in thread "main" java.security.InvalidKeyException: Failed to sign using signer "CERT"
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:295)
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.sign(V1SchemeSigner.java:256)
	at com.android.apksig.DefaultApkSignerEngine.outputJarEntries(DefaultApkSignerEngine.java:602)
	at com.android.apksig.ApkSigner.sign(ApkSigner.java:410)
	at com.android.apksig.ApkSigner.sign(ApkSigner.java:190)
	at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:330)
	at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:89)
Caused by: java.security.InvalidKeyException: Failed to sign using SHA1withDSA
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:519)
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.signManifest(V1SchemeSigner.java:293)
	... 6 more
Caused by: java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient for this key size
	at java.base/sun.security.provider.DSA.checkKey(DSA.java:124)
	at java.base/sun.security.provider.DSA.engineInitSign(DSA.java:156)
	at java.base/java.security.Signature$Delegate.tryOperation(Signature.java:1308)
	at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1257)
	at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1354)
	at java.base/java.security.Signature.initSign(Signature.java:636)
	at com.android.apksig.internal.apk.v1.V1SchemeSigner.generateSignatureBlock(V1SchemeSigner.java:515)
	... 7 more
```

Instead, maybe there should be a way to pass it in, or to pass in a keystore.properties.

Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

Try passing in a custom keystore file to debug_key and try to compile the APK.

What operating system are you running Bazel on?

Linux
osx

What's the output of bazel info release?

2.1.1

Have you found anything relevant by searching the web?
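
The second trace above ends in `sun.security.provider.DSA.checkKey`, which rejects a digest whose output is shorter than the DSA key's subprime q. The following is an added example, not part of the original issue and not Bazel or apksigner code; the class name, the key sizes and the RSA comparison row are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.interfaces.DSAKey;

public class SignerDigestCheck {

    // Generate a throwaway key pair; algorithm and size are chosen by the caller.
    static KeyPair newKey(String keyAlg, int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance(keyAlg);
        gen.initialize(bits);
        return gen.generateKeyPair();
    }

    // Attempt a full sign operation and report "ok" or the provider's rejection.
    static String trySign(String sigAlg, KeyPair kp) throws Exception {
        Signature sig = Signature.getInstance(sigAlg);
        try {
            sig.initSign(kp.getPrivate());
            sig.update("constructed sample data".getBytes(StandardCharsets.UTF_8));
            sig.sign();
            return "ok";
        } catch (InvalidKeyException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test matrix (assumption, not taken from the issue):
        // two DSA sizes, plus RSA for comparison.
        String[][] cases = {{"DSA", "1024"}, {"DSA", "2048"}, {"RSA", "2048"}};
        for (String[] c : cases) {
            KeyPair kp = newKey(c[0], Integer.parseInt(c[1]));
            String note = "";
            if (kp.getPrivate() instanceof DSAKey) {
                // For DSA the provider compares the digest length with the size of q.
                int q = ((DSAKey) kp.getPrivate()).getParams().getQ().bitLength();
                note = " (q = " + q + " bits)";
            }
            System.out.println(c[0] + " " + c[1] + note);
            for (String digest : new String[] {"SHA1", "SHA256"}) {
                String sigAlg = digest + "with" + c[0];
                System.out.println("  " + sigAlg + " -> " + trySign(sigAlg, kp));
            }
        }
    }
}
```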


Labels

- P2: We'll consider working on this in future. (Assignee optional)
- stale: Issues or PRs that are stale (no activity for 30 days)
- team-Android: Issues for Android team
- type: bug
