Miui Apk Mod And Signatures


adrenochrome

Just a little question: I have a very light modification to do on an APK, so I extract with:
apktool d -s -r miuisystem.apk
I modify my XML file in assets/device_features/
and I build with:
apktool b -c miuisystem

Since it's a system APK, I have read I should keep the original signature with the -c,--copy-original flag,
but if I check the signature (v1 scheme, since it is Marshmallow) with jarsigner or apksigner, it fails with SHA1 mismatches for every file in MANIFEST.MF.

In many places it's written that if you do any modification you are obliged to re-sign the APK, but then it's not clear to me what the use of -c,--copy-original is.
What is the correct way of editing a system APK?

BUT now I realised that the original APK I just pulled with adb already has the same signature error!?! I'm lost... Are MIUI signatures specific?
 
Hi, with a system APK you have to copy the original META-INF folder from the APK into the recompiled APK. You use a method with various commands. With apktool you have to use a command like "apktool d miuisystem.apk", go into the decompiled folder, make the mod, then recompile with "apktool b miuisystem"; after this go into the dist folder and drag and drop (opening the original APK with WinRAR) the META-INF folder and AndroidManifest.xml, then enter the command "apktool b miuisystem miuisystem.apk". If you want a simpler method, download Advanced ApkTool (but you have to install two frameworks and miuisystem.apk + miuisystemui.apk) and follow the GUI instructions. You have to sign an APK only when it is a third-party app from the Google Play Store etc.
 
Thanks for your answer.
Copying the original META-INF and AndroidManifest.xml is already exactly what the "-c" option does.
But why can't the signature be checked for validity? Why does the MANIFEST.MF file contain wrong SHA1 checksums even in the original (xiaomi.eu) APK?
#getting original apk from xiaomi.eu rom installed on my Redmi4X
$ adb pull /system/app/miuisystem/miuisystem.apk
/system/app/miuisystem/miuisystem.apk: 1 file pulled. 5.5 MB/s (1810515 bytes in 0.312s)

#checking signature validity with jarsigner
$ jarsigner -verify -verbose -certs ./miuisystem.apk
jarsigner: java.lang.SecurityException: SHA1 digest error for assets/device_features/aqua.xml

#checking signature validity with apksigner, with a filter because the output reports that ALL file checksums are wrong
$ ~/android/android-sdk-linux/build-tools/25.0.3/apksigner verify miuisystem.apk 2>&1 | grep aqua.xml
ERROR: SHA-1 digest of assets/device_features/aqua.xml does not match the digest specified in META-INF/MANIFEST.MF. Expected: <h4nGWoEeaLcwshSZNhG7tJd1HNo=>, actual: <FxqHmA7VhhV0f6y3Dmykb+SN/VI=>

#extracting files from apk to check manually
$ 7z e miuisystem.apk assets/device_features/aqua.xml META-INF/MANIFEST.MF

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=fr_FR.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: miuisystem.apk

Extracting META-INF/MANIFEST.MF
Extracting assets/device_features/aqua.xml

Everything is Ok

Files: 2
Size: 22222
Compressed: 1810515

#checking MANIFEST.MF checksum value
$ grep -A1 aqua.xml MANIFEST.MF
Name: assets/device_features/aqua.xml
SHA1-Digest: h4nGWoEeaLcwshSZNhG7tJd1HNo=

#checking aqua.xml checksum
$ cat aqua.xml | openssl dgst -binary -sha1 | openssl base64
FxqHmA7VhhV0f6y3Dmykb+SN/VI=

Edit: I just checked with miuisystem.apk from the miui.com ROM and the APK seems to be more valid (there are some warnings, but at least the validation tool doesn't fail)
$ jarsigner -verify ./miuisystem.apk
jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2039-04-23) or after any future revocation date.

Re-run with the -verbose and -certs options for more details.
So it means all APKs from xiaomi.eu have bad signatures :/
 
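The manual check in the post above (SHA1 of aqua.xml compared with its SHA1-Digest line), generalized to every entry of an archive; this is an added example, not part of the thread. The sample archive built by `build_sample_apk` and all function names are constructed for illustration, and the check covers only the per-entry digests in MANIFEST.MF, not the .SF/.RSA signature block or the certificate chain.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry sections of MANIFEST.MF."""
    # Lines wrap at 72 bytes; a continuation line starts with a single space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    sections = [dict(l.split(": ", 1) for l in s.splitlines() if ": " in l)
                for s in unfolded.split("\n\n")]
    return {s["Name"]: s for s in sections if "Name" in s}

def b64digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def check_v1_digests(apk):
    """Map each entry name to 'ok', 'mismatch', 'missing' or 'unlisted'."""
    report = {}
    with zipfile.ZipFile(apk) as zf:
        listed = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        present = {n for n in zf.namelist() if not n.endswith("/")}
        for name, attrs in listed.items():
            if name in present:
                data = zf.read(name)
                # "SHA1-Digest" / "SHA-256-Digest" -> hashlib names "sha1" / "sha256"
                digests = {k[:-7].replace("-", "").lower(): v
                           for k, v in attrs.items() if k.endswith("-Digest")}
                good = digests and all(b64digest(a, data) == v for a, v in digests.items())
                report[name] = "ok" if good else "mismatch"
            else:
                report[name] = "missing"  # listed in the manifest, absent from the zip
        report.update({n: "unlisted" for n in present - set(listed)
                       if not n.startswith("META-INF/")})  # in the zip, not in the manifest
    return report

def build_sample_apk():
    """Constructed sample archive (not a real MIUI package)."""
    long_name = "assets/device_features/" + "x" * 60 + ".xml"  # forces a wrapped line
    files = {"assets/device_features/aqua.xml": b"<features/>", long_name: b"<a/>",
             "classes.dex": b"dex"}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name in list(files)[:2]:  # classes.dex is left out of the manifest
        line = "Name: " + name
        manifest += line[:70] + ("\r\n " + line[70:] if len(line) > 70 else "") + "\r\n"
        manifest += "SHA1-Digest: " + b64digest("sha1", files[name]) + "\r\n\r\n"
    files["assets/device_features/aqua.xml"] = b"<features edited='1'/>"  # changed later
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in [("META-INF/MANIFEST.MF", manifest), *files.items()]:
            zf.writestr(name, data)
    return io.BytesIO(buf.getvalue())
```

`check_v1_digests` also accepts a file path, so it can be pointed at a pulled APK to list which entries disagree with the manifest.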
Xiaomi.eu signatures are fine. This must be a bug in apksigner or whatever you are using. Xiaomi.eu signatures must be an unsupported signature format or something.

If there was something wrong, the firmware would not work, obviously. So it's your signing/checking process in error - not the firmware as it works fine.

Xiaomi.eu ROM signature is different to official ROMs because they re-sign the whole firmware with their own platform key - they need to because you need to re-sign APKs when you edit manifests.
