apksigcopier

copy/extract/patch android apk signatures & compare apks

apksigcopier is a tool for copying android APK signatures from a signed APK to an unsigned one (in order to verify reproducible builds). It can also be used to compare two APKs with different signatures. Its command-line tool offers four operations:

• copy signatures directly from a signed to an unsigned APK
• extract signatures from a signed APK to a directory
• patch previously extracted signatures onto an unsigned APK
• compare two APKs with different signatures

Extract

$ mkdir meta
$ apksigcopier extract signed.apk meta
$ ls -1 meta
8BEA2A77.RSA
8BEA2A77.SF
APKSigningBlock
APKSigningBlockOffset
MANIFEST.MF

Patch

$ apksigcopier patch meta unsigned.apk out.apk

Copy (Extract & Patch)

$ apksigcopier copy signed.apk unsigned.apk out.apk

Compare

This command requires apksigner.

$ apksigcopier compare foo-from-fdroid.apk foo-built-locally.apk
$ apksigcopier compare --unsigned foo.apk foo-unsigned.apk

Help

$ apksigcopier --help
$ apksigcopier copy --help      # extract --help, patch --help, etc.

$ man apksigcopier              # requires the man page to be installed

Environment Variables

The following environment variables can be set to 1, yes, or true to override the default behaviour:

• set APKSIGCOPIER_EXCLUDE_ALL_META=1 to exclude all metadata files
• set APKSIGCOPIER_COPY_EXTRA_BYTES=1 to copy extra bytes after data (e.g. a v2 sig)

Python API

>>> from apksigcopier import do_extract, do_patch, do_copy, do_compare
>>> do_extract(signed_apk, output_dir, v1_only=NO)
>>> do_patch(metadata_dir, unsigned_apk, output_apk, v1_only=NO)
>>> do_copy(signed_apk, unsigned_apk, output_apk, v1_only=NO)
>>> do_compare(first_apk, second_apk, unsigned=False)

You can use False, None, and True instead of NO, AUTO, and YES respectively.

The following global variables (which default to False), can be set to override the default behaviour:

• set exclude_all_meta=True to exclude all metadata files
• set copy_extra_bytes=True to copy extra bytes after data (e.g. a v2 sig)

FAQ

What kind of signatures does apksigcopier support?

It currently supports v1 + v2 + v3 (which is a variant of v2).

It should also support v4, since these are stored in a separate file (and require a complementary v2/v3 signature).

When using the extract command, the v2/v3 signature is saved as APKSigningBlock + APKSigningBlockOffset.

Tab Completion

For Bash, add this to ~/.bashrc:

eval "$(_APKSIGCOPIER_COMPLETE=source_bash apksigcopier)"

For Zsh, add this to ~/.zshrc:

eval "$(_APKSIGCOPIER_COMPLETE=source_zsh apksigcopier)"

For Fish, add this to ~/.config/fish/completions/apksigcopier.fish:

eval (env _APKSIGCOPIER_COMPLETE=source_fish apksigcopier)

Installing

Debian

Official packages are available in Debian unstable and Ubuntu impish.

$ apt install apksigcopier

You can also manually build a Debian package using the debian/sid branch, or download a pre-built .deb via GitHub releases.

NixOS & Arch Linux

Official packages are also available in nixpkgs unstable and Arch Linux (and derivatives).

Using pip

$ pip install apksigcopier

NB: depending on your system you may need to use e.g. pip3 --user instead of just pip.

From git

NB: this installs the latest development version, not the latest release.

$ git clone https://github.com/obfusk/apksigcopier.git
$ cd apksigcopier
$ pip install -e .

NB: you may need to add e.g. ~/.local/bin to your $PATH in order to run apksigcopier.

To update to the latest development version:

$ cd apksigcopier
$ git pull --rebase

Dependencies

• Python >= 3.5 + click.
• The compare command also requires apksigner.

Debian/Ubuntu

$ apt install python3-click
$ apt install apksigner         # only needed for the compare command

License