signatures are inconsistent (can't install xapk) #55

Closed
hungntv opened this issue May 23, 2021 · 22 comments
Labels
bug Something isn't working windows Issues specific to Windows

Comments

@hungntv

hungntv commented May 23, 2021

  • Victim: Zedge

  • Where to get xapk:
    get version armeabi-v7a from https://apkpure.com/vn/zedge%E2%84%A2-wallpapers-ringtones/net.zedge.android/variant/7.8.3-XAPK
    I call above downloaded file: zedge.v7a.xapk

  • Steps:
    -- run apk-mitm zedge.v7a.xapk, a patched file will be created (its name is zedge.v7a-patched.xapk)
    -- rename patched file to zedge.v7a-patched.xapk.zip, extract it to folder zedge.v7a-patched.xapk.zip
    -- cd to zedge.v7a-patched.xapk.zip folder
    -- install to android device, run adb install-multiple net.zedge.android.apk config.xxhdpi.apk config.en.apk config.armeabi_v7a.apk

  • Final log:
    adb: failed to finalize session
    Failure [INSTALL_FAILED_INVALID_APK: /data/app/vmdl411721873.tmp/config.xxhdpi.apk signatures are inconsistent]

The same error occurs with all files except the base file net.zedge.android.apk

How can I fix it?

Thank you

@niklashigi
Owner

Do you still have the unpatched app installed on your device? If so, then you have to uninstall that first. Android apps always have to be signed and apk-mitm does this using a debug certificate which is of course different from the certificate originally used by the developer, resulting in this signatures are inconsistent error (I assume).

@hungntv
Author

hungntv commented May 25, 2021

Yes, I'm sure that there's no app with the same package name: net.zedge.android on my device

As I said, if I only install the base apk (run this command: adb install-multiple net.zedge.android.apk)
It works (of course, app can't launch like this)

If I install with any additional apk file:

  • like this adb install-multiple net.zedge.android.apk config.xxhdpi.apk
  • or like this: adb install-multiple net.zedge.android.apk config.en.apk
  • or like this adb install-multiple net.zedge.android.apk config.armeabi_v7a.apk

I always get the same error: adb: failed to finalize session

BTW, I'm a full-stack developer. So you can teach me how to fix it if you have no free time

Thanks

@niklashigi
Owner

Could you share the result of running echo *.apk | xargs -P 0 -n 1 keytool -printcert -jarfile | grep SHA1 in the extracted folder? keytool is usually part of a Java installation and the rest of the command should work in any Linux or Mac terminal (alternatively you can just manually run keytool on all the files and grab the SHA1 hashes manually).

Another thing you could try is installing the XAPK file through APKPure's XAPK Installer, maybe that will work or at least give you a better error message.

@hungntv
Author

hungntv commented Jun 2, 2021

It said xargs: max. processes must be >0
Please double-check!
Thanks

@hungntv
Author

hungntv commented Jun 2, 2021

I installed and tried all existing XAPK apps
I always get the error: one or more of the APKs was invalid

@niklashigi
Owner

> It said xargs: max. processes must be >0
> Please double-check!
> Thanks

Seems like the xargs implementation on your system parses arguments differently from mine. I'd recommend manually running keytool -printcert -jarfile <file> | grep SHA1 (inserting the names of the different APK files).

@hungntv hungntv closed this as completed Jun 2, 2021
@niklashigi
Owner

@hungntv Why did you close the issue? Were you able to resolve it?

@KrishnaST

KrishnaST commented Jun 20, 2021

@shroudedcode were you able to resolve the issue?

getting following on "keytool -printcert -v -jarfile base.apk"

Signer #1:

Signature:

Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Wed Jun 02 23:36:35 IST 2021 until: Fri May 26 23:36:35 IST 2051
Certificate fingerprints:
         SHA1: 93:F7:88:24:40:EB:10:0B:C0:FA:BE:3A:C9:F3:53:47:B8:03:B0:33
         SHA256: 9A:25:8F:FF:1E:7A:55:2D:D9:BD:EF:EB:23:F3:81:E5:51:40:61:85:E1:90:87:6E:AA:DD:66:5D:84:50:B7:C3
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1

I am always getting following
adb: failed to finalize session
Failure [INSTALL_FAILED_INVALID_APK: /data/app/vmdl995564996.tmp/config.xhdpi.apk signatures are inconsistent]

@niklashigi
Owner

@KrishnaST I was not because I can't reproduce the issue and haven't received any useful information so far. Could you please run keytool for all the files (or use my echo *.apk | xargs -P 0 -n 1 keytool -printcert -jarfile | grep SHA1 command if possible) to see if the certificate fingerprints differ between the files? Note that the certificate itself doesn't really matter as it's different for every user. All I want to know is whether it's shared between all the files.

@niklashigi niklashigi changed the title Zedge app: signatures are inconsistent (can't install xapk) signatures are inconsistent (can't install xapk) Jun 26, 2021
@niklashigi
Owner

Reopening this due to #58.

@niklashigi niklashigi reopened this Jun 26, 2021
@jamie7893

jamie7893 commented Jun 26, 2021

when i try to run your command on the apk file, keytool says
"Not a signed jar file"

the apk files inside the bundle folder all match
the one apk file by itself in the framework folder says the error above

@jamie7893

hey, you asking me to use these commands gave me an idea and it was just windows, something must have been silently failing, i set up ubuntu subsystem and patched it the same way and now it installs, i had to manually install unzip and zip inside ubuntu but it's all good now

@niklashigi
Owner

@jamie7893

> the apk files inside the bundle folder all match

Interesting, so that doesn't seem to be the issue... 🤔

> the one apk file by itself in the framework folder says the error above

That doesn't matter, the framework file is only there for Apktool to function.

> when i try to run your command on the apk file, keytool says "Not a signed jar file"

Which file are you talking about here? In case you mean the .xapk/.apks file: This one doesn't have to be signed, it's just a .zip file (you can literally rename and open it) containing the different .apk files of the App Bundle. It's not an APK/JAR file by itself and isn't supposed to be signed.

> it was just windows, something must have been silently failing, i setup ubuntu subsystem and patched it the same way and now it installs

Huh, interesting. On one hand it doesn't surprise me (Windows is known for causing problems), but I also have no idea what could be going wrong here... The entire time I was assuming the issue was that the bundle APKs were somehow inconsistently signed, but I guess that's not true.

Just to make sure we're not going down the wrong path here:

  • Can you 100% confirm that all the APK files in the bundle folder have exactly the same Certificate fingerprints?
  • Can you 100% confirm that the (original) app was not installed on the device before attempting to install the patched app? (It's okay if it has been on there before, but it has to be uninstalled at the time of first installing the patched app.)

> i had to manually install unzip and zip inside ubuntu but its all good now

I guess #57 is more relevant than I thought. 😅

@jamie7893

jamie7893 commented Jun 26, 2021 via email

@niklashigi
Owner

> yep all the apks in bundle all had the same sha1 tag, and yes I didn't have the app installed, I even tried installing on a fresh device

Mmh, okay. Thanks for confirming!

> also yes windows is horrible i shouldnt have tried to do it there in the first place :)

Hahaha yes, I've thought about just not supporting Windows, but that seems like the lazy way out. I'd prefer if I could actually figure out the cause and maybe implement a fix (or at least have a good explanation for why it doesn't work on Windows), but I still have no clue... If you have any ideas, please share them. 😅

@KrishnaST

@shroudedcode can you give the Windows equivalent of "echo *.apk | xargs -P 0 -n 1 keytool -printcert -jarfile | grep SHA1"?

I will share the results with you.

@niklashigi
Owner

@KrishnaST I have no idea what the Windows equivalent would be, but you could just manually run keytool on all the APK files in the folder and copy the SHA1 hashes from the output.

@KrishnaST

KrishnaST commented Jun 30, 2021

Here are the results. Only the hash of the base apk is changed, while the whole apks archive was provided to apk-mitm.
A. Before Patching

1. base.apk
Certificate fingerprints:
         SHA1: D3:28:DB:B3:35:7C:67:9E:BD:16:6F:4E:3E:51:52:32:5C:47:E8:4C
         SHA256: B2:AF:CB:69:11:41:96:B1:90:BD:3C:50:2F:7A:28:E4:93:D7:DC:02:BC:D1:AF:55:05:52:0A:72:E3:B8:59:1A
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3


2. config.en.apk
Certificate fingerprints:
         SHA1: D3:28:DB:B3:35:7C:67:9E:BD:16:6F:4E:3E:51:52:32:5C:47:E8:4C
         SHA256: B2:AF:CB:69:11:41:96:B1:90:BD:3C:50:2F:7A:28:E4:93:D7:DC:02:BC:D1:AF:55:05:52:0A:72:E3:B8:59:1A
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3


3. config.x86_64.apk
Certificate fingerprints:
         SHA1: D3:28:DB:B3:35:7C:67:9E:BD:16:6F:4E:3E:51:52:32:5C:47:E8:4C
         SHA256: B2:AF:CB:69:11:41:96:B1:90:BD:3C:50:2F:7A:28:E4:93:D7:DC:02:BC:D1:AF:55:05:52:0A:72:E3:B8:59:1A
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3


4. config.xxxhdpi.apk
Certificate fingerprints:
         SHA1: D3:28:DB:B3:35:7C:67:9E:BD:16:6F:4E:3E:51:52:32:5C:47:E8:4C
         SHA256: B2:AF:CB:69:11:41:96:B1:90:BD:3C:50:2F:7A:28:E4:93:D7:DC:02:BC:D1:AF:55:05:52:0A:72:E3:B8:59:1A
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3

B. After Patching

1. base.apk
Certificate fingerprints:
         SHA1: 93:F7:88:24:40:EB:10:0B:C0:FA:BE:3A:C9:F3:53:47:B8:03:B0:33
         SHA256: 9A:25:8F:FF:1E:7A:55:2D:D9:BD:EF:EB:23:F3:81:E5:51:40:61:85:E1:90:87:6E:AA:DD:66:5D:84:50:B7:C3
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


2. config.en.apk
Certificate fingerprints:
         SHA1: D3:28:DB:B3:35:7C:67:9E:BD:16:6F:4E:3E:51:52:32:5C:47:E8:4C
         SHA256: B2:AF:CB:69:11:41:96:B1:90:BD:3C:50:2F:7A:28:E4:93:D7:DC:02:BC:D1:AF:55:05:52:0A:72:E3:B8:59:1A
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3


3. config.x86_64.apk
Certificate fingerprints:
         SHA1: D3:28:DB:B3:35:7C:67:9E:BD:16:6F:4E:3E:51:52:32:5C:47:E8:4C
         SHA256: B2:AF:CB:69:11:41:96:B1:90:BD:3C:50:2F:7A:28:E4:93:D7:DC:02:BC:D1:AF:55:05:52:0A:72:E3:B8:59:1A
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3


4. config.xxxhdpi.apk
Certificate fingerprints:
         SHA1: D3:28:DB:B3:35:7C:67:9E:BD:16:6F:4E:3E:51:52:32:5C:47:E8:4C
         SHA256: B2:AF:CB:69:11:41:96:B1:90:BD:3C:50:2F:7A:28:E4:93:D7:DC:02:BC:D1:AF:55:05:52:0A:72:E3:B8:59:1A
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
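
Added example (not from the thread and not apk-mitm's code): a cross-platform Python version of the fingerprint comparison the maintainer asks for, usable where the xargs pipeline is not. The sample keytool output with its shortened fingerprints is constructed, and the function names and the base.apk default are choices made for this example.

```python
import re
import subprocess
import sys
from pathlib import Path

SHA256_RE = re.compile(r"^\s*SHA256:\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE)

def parse_fingerprint(keytool_output):
    """Return the SHA256 certificate fingerprint, or None if no signer is
    listed (keytool prints "Not a signed jar file" in that case)."""
    match = SHA256_RE.search(keytool_output)
    return match.group(1).upper() if match else None

def keytool_fingerprint(apk):
    """Run the thread's keytool command on one APK; needs a JDK on PATH."""
    result = subprocess.run(["keytool", "-printcert", "-jarfile", str(apk)],
                            capture_output=True, text=True, check=False)
    return parse_fingerprint(result.stdout)

def inconsistent_splits(fingerprints, base="base.apk"):
    """Return {apk: fingerprint} for every APK whose certificate differs
    from the base APK's (None means the file carries no signature)."""
    expected = fingerprints[base]
    return {name: fp for name, fp in fingerprints.items() if fp != expected}

# Constructed keytool output (made-up, shortened fingerprints): the base APK
# was re-signed with a debug certificate, the splits keep the original one.
ORIGINAL = "Signer #1:\n\nCertificate fingerprints:\n\t SHA1: 0B:02\n\t SHA256: BB:02\n"
SAMPLE_OUTPUT = {
    "base.apk": "Signer #1:\n\nCertificate fingerprints:\n\t SHA1: 0A:01\n\t SHA256: AA:01\n",
    "config.en.apk": ORIGINAL,
    "config.xxxhdpi.apk": ORIGINAL,
    "unsigned.apk": "Not a signed jar file\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python check_splits.py <folder> [base-apk]
        apks = sorted(Path(sys.argv[1]).glob("*.apk"))
        found = {p.name: keytool_fingerprint(p) for p in apks}
        base = sys.argv[2] if len(sys.argv) > 2 else "base.apk"
    else:                  # no arguments: use the constructed sample above
        found = {n: parse_fingerprint(o) for n, o in SAMPLE_OUTPUT.items()}
        base = "base.apk"
    for name, fp in inconsistent_splits(found, base).items():
        print(f"{name}: {fp or 'not signed'} (differs from {base})")
```

An empty result means every APK in the folder shares the base APK's certificate; any listed file was signed with a different key or not signed at all.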

@KrishnaST

I am going to try applying apk-mitm to individual packages.

@niklashigi
Owner

niklashigi commented Jun 30, 2021

@KrishnaST Thank you so much for providing the logs! I'm not 100% sure yet, but I have a feeling that this has to do with the different config.*.apk files not being matched by the glob pattern I'm using to find the relevant files on Windows. I'll have a closer look at this tomorrow as soon as I can find the time and see if I can come up with a fix.

@niklashigi niklashigi added bug Something isn't working windows Issues specific to Windows labels Jun 30, 2021
@KrishnaST

I tried apk-mitm on individual apks, I got following error on installation

adb install-multiple base-patched.apk config.en-patched.apk
adb: failed to finalize session
Failure [INSTALL_PARSE_FAILED_MANIFEST_MALFORMED: Failed parse during installPackageLI: /data/app/vmdl1987330700.tmp/base.apk (at Binary XML file line #80): <meta-data> requires an android:value or android:resource attribute]

@niklashigi
Owner

This should be fixed in v1.0.3.
