[tor-commits] [Git][tpo/applications/tor-browser-build][maint-15.0] 3 commits: Bug 41620: Do not rerun zipalign when signing.

Pier Angelo Vendrame pushed to branch maint-15.0 at The Tor Project / Applications / tor-browser-build

Commits:

dbe953b4

by Pier Angelo Vendrame at 2025-10-30T13:32:23+01:00

Bug 41620: Do not rerun zipalign when signing.

APKs are already aligned during the build step.

78db8a09

by Pier Angelo Vendrame at 2025-10-30T13:32:24+01:00

Bug 41621: Remove support for older android tools while signing.

We had some conditional check to use Android tools version 12 when
signing Tor Browser 14.5.x.
Now that it's EOL, we do not need it anymore.

2244a6f1

by Pier Angelo Vendrame at 2025-10-30T13:32:24+01:00

Bug 41617: Align .so pages to 16KiB with zipalign.

Apps are required to support 16KiB page size.
We already build our binaries so that they comply with this
requirement, but we also need to pass the specific argument to zipalign
before signing, for it to actually work.

Changes:

projects/browser/build.android

@@ -87,7 +87,7 @@ function generate_apk {
    popd
    aligned_apk=$(basename $apk .apk)_aligned.apk
 -  zipalign -vp 4 repacked.apk $aligned_apk
 +  zipalign -P 16 4 repacked.apk $aligned_apk
    # Sign a QA build. This .apk is not a debug version and doesn't contain a debug
    # flag in the manifest.

tools/signing/wrappers/sign-apk

@@ -30,10 +30,6 @@ test -f "$android_signing_key_path" || exit_error "$android_signing_key_path is
  setup_build_tools() {
    abt_version=16
 -  # If signing 14.5, keep using android-12 build tools
 -  # (we can remove this when 15.0 is the stable release)
 -  ( test -z "$tbb_version" || echo "$tbb_version" | grep -q '^14\.5' ) && \
 -    abt_version=12
    build_tools_dir=/signing/android-build-tools
    test -f "$build_tools_dir"/android-$abt_version/apksigner || \
      exit_error "$build_tools_dir/android-$abt_version/apksigner is missing"
@@ -41,49 +37,31 @@ setup_build_tools() {
+ }
  # Sign individual apk
 +# https://developer.android.com/studio/publish/app-signing#sign-manually
  sign_apk() {
      INPUTAPK="$1"
      OUTPUTAPK="$2"
 +    SIGNEDAPK=$(basename "${INPUTAPK}")
 -    # https://developer.android.com/studio/publish/app-signing#sign-manually
 -    # After running `gradlew assembleRelease`, creates an unsigned-unaligned apk
+-
 -    # Aligning ensures that all uncompressed data starts with a particular byte
 -    # alignment relative to the start of the file, which may reduce the amount
 -    # of RAM consumed by an app.
 -    # zipalign -v -p 4 my-app-unsigned.apk my-app-unsigned-aligned.apk
 -    echo Aligning and signing ${INPUTAPK}
+-
 -    # Append the different stages of signing
 -    UNSIGNED_UNALIGNED_APK=`basename "${INPUTAPK}" | sed 's/\.apk/-unsigned-unaligned.apk/'`
 -    UNSIGNED_APK=`echo "${UNSIGNED_UNALIGNED_APK}" | sed 's/-unaligned//'`
 -    SIGNED_APK=`echo "${UNSIGNED_APK}" | sed 's/-unsigned//'`
+-
 -    # ${INPUTAPK} is full path. We copy to local tmp directory.
 -    cp "${INPUTAPK}" "${UNSIGNED_UNALIGNED_APK}"
+-
 -    # Step 1: Align
 -    zipalign -v -p 4 "${UNSIGNED_UNALIGNED_APK}" "${UNSIGNED_APK}"
 -    if [ ! $? = 0 ]; then
 -        echo "zipalign failed"
 -        exit 1
 -    fi
 -    echo zipalign succeeded
+-
 -    # Step 2: Verify alignment
 -    zipalign -vc 4 "${UNSIGNED_APK}"
 +    # Verify alignment before signing
 +    # APKs have various requirements for being published on the Play Store.
 +    # The input APKs should be ready before starting this process.
 +    echo Verifying ${INPUTAPK}
 +    zipalign -c -P 16 4 "${INPUTAPK}"
      if [ ! $? = 0 ]; then
          echo "zipalign verify failed"
          exit 1
      fi
      echo zipalign verify succeeded
 -    # Step 3: Sign
 +    # Sign
 +    echo Signing ${INPUTAPK}
++
      # Use this command if reading key from file
 -    apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
 +    apksigner sign --verbose -ks ${android_signing_key_path} --ks-type pkcs12 --ks-pass env:KSPASS --debuggable-apk-permitted=false --out "${SIGNEDAPK}" "${INPUTAPK}"
      # Or, use below command if using a hardware token
 -    # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNED_APK}" "${UNSIGNED_APK}"
 +    # apksigner sign --verbose --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg pkcs11_java.cfg --ks NONE --ks-type PKCS11 --debuggable-apk-permitted=false --out "${SIGNEDAPK}" "${INPUTAPK}"
      if [ ! $? = 0 ]; then
          echo "apksigner sign failed"
@@ -91,15 +69,16 @@ sign_apk() {
      fi
      echo apksigner sign succeeded
 -    # Step 4: Verify signature
 -    apksigner verify --verbose "${SIGNED_APK}"
 +    # Verify signature
 +    apksigner verify --verbose "${SIGNEDAPK}"
      if [ ! $? = 0 ]; then
          echo "apksigner verify failed"
          exit 1
      fi
+-
 -    mv -f "${SIGNED_APK}" "$OUTPUTAPK"
      echo apksigner verify succeeded
++
 +    mv -f "${SIGNEDAPK}" "${OUTPUTAPK}"
 +    echo ${OUTPUTAPK} signed
+ }
  setup_build_tools