microsoftconnect/intune-app-wrapping-tool-android

Wrapped app parsing issue after successful wrap

Closed this issue · 16 comments

Describe the bug:
Using the Android Intune SDK wrapper, I was successful in wrapping our app. Once I distribute the app or even sideload the app, it has a parsing error on the device.

To Reproduce
Steps to reproduce the behavior:

  1. Create and sign app
  2. Configure Windows 11 for Android wrapping tool with Java updated
  3. Run script
  4. Downloaded and wrapped successfully
  5. Install APK on Intune and push to device
  6. Begins to install and fails with parsing error

Expected behavior:
App should install

Screenshots and logs:

  • If applicable, add screenshots to help explain your problem.
  • If your app is crashing post-wrapping, do you have app logs for the crash itself?
  • If your app is crashing pre-wrapping, do you have app logs for the wrapper errors?

Smartphone (please complete the following information):

  • Device: Pixel 3a
  • OS: Android 12

Intune app wrapping tool (please complete the following information):

  • What version of the wrapper are you using? Are you using the latest version? Current
  • What platform is your app based in (Java, Xamarin based, Cordova, etc)? JAVA
  • For pre-wrapping errors, does the app build without being wrapped? none

(Attached screenshots: Screenshot_20230315-094843, Screenshot_20230315-094951)

  • For post-wrapping errors, does the app launch without being wrapped? none
  • Who is the customer? Firstup
  • Do you see a trend with it only being reproduced on a specific device? all device

Additional context:
Add any other context about the problem here.

bannus commented

@mikektmobile, in your repro steps, you don't mention signing the app after it has been wrapped. See this doc for more info. Can you confirm that you are signing after wrapping?

Hi @mikektmobile, Android has a few different versions of its signature format that apps can be signed with.
The v1, v2, and v3 signature formats are written directly into the APK file itself, while the v4 signature is written to a separate .idsig file.

I don't know whether Intune has support for v4-only signed apps. You will likely want to sign the app with a v2 / v3 signature as well, depending on which APIs your app supports. If you set the --min-sdk-version argument, the appropriate signature versions should be set, but if you need to, you can explicitly enable specific versions as well.
https://developer.android.com/tools/apksigner#options-sign

Hi @rygo-msft, I was able to re-sign the app successfully, but still have issues.

After wrapping our .apk file with the Android SDK wrapping tool, it says successful:
Built apk into: C:\Users\mike.kt\AppData\Local\Temp\IntuneAppWrappingTool-7094597179150155580\appWrapper_5530558032404902904.apk
The package name for this app is 'com.socialchorus.daga.android.googleplay'. If you need to specify the package name during deployment, please use this one.
The application was successfully wrapped.

Then we re-sign the app with our cert successfully:

Signer
X.509, CN=Social Chorus, OU=S, O=C, C=US
Signature algorithm: SHA256withRSA, 2048-bit key
[trusted certificate]

jar signed.

Warning:
The signer's certificate is self-signed.
mike.kt@MBP14-2021-F2H-1p-mk apk % jarsigner -verify -verbose /Users/mike.kt/Desktop/apk/firstupwrapped.apk

When we go to install the app, we get "App not installed as package appears to be invalid". I'm not sure what is wrong; the app before wrapping was tested and working.

Did you zipalign your apk prior to signing?

Also note, jarsigner will not tell you if your signature is valid for Android, as the APK signature formats only use jar signing as a base. You should use apksigner for verification purposes.

@rygo-msft Thanks for that info. I just rewrapped the app and ran zipalign
36492126 firebase-measurement-connector.properties (OK - compressed)
36492262 firebase-messaging.properties (OK - compressed)
36492386 isoparser-default.properties (OK - compressed)
36495108 kotlin-tooling-metadata.json (OK - compressed)
36495463 play-services-base.properties (OK - compressed)
36495592 play-services-basement.properties (OK - compressed)
36495731 play-services-cloud-messaging.properties (OK - compressed)
36495868 play-services-stats.properties (OK - compressed)
36495995 play-services-tasks.properties (OK - compressed)
36496109 review.properties (OK - compressed)
36496215 transport-api.properties (OK - compressed)
36496337 transport-backend-cct.properties (OK - compressed)
36496463 transport-runtime.properties (OK - compressed)
36496568 version.txt (OK)
36496650 okhttp3/internal/publicsuffix/NOTICE (OK - compressed)
36496892 okhttp3/internal/publicsuffix/publicsuffixes.gz (OK)
Verification succesful
mike.kt@MBP14-2021-F2H-1p-mk 30.0.3 %

After that I re-signed the app and the app still failed to install ("App not installed as package appears to be invalid").

@rygo-msft I do see this when I verify

jar verified.

Warning:
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.
This jar contains signatures that do not include a timestamp. Without a timestamp, users may not be able to validate this jar after any of the signer certificates expire (as early as 2046-03-18).

Re-run with the -verbose and -certs options for more details.

The signer certificate will expire on 2046-03-18.
mike.kt@MBP14-2021-F2H-1p-mk apk %

@rygo-msft I'm new to apksigner. What would be the path for that if I used the following for jarsigner?

jarsigner -verbose -keystore /Users/mike.kt/Desktop/apk/socialchorus.jks -storepass scinsider /Users/mike.kt/Desktop/apk/firstupresigned.apk com.socialchorus.daga.android.googleplay

You can find the documentation on zipalign and apksigner on the android developer website.
https://developer.android.com/tools/zipalign
https://developer.android.com/tools/apksigner

These are also linked in the docs that Bannus shared above for future reference

@mikektmobile Did the information Ryan provided unblock y'all?

@meghandaly No, we are still having errors no matter what resigning tool

Currently facing the same issue. App works OK before wrapping. Wrapped the app, signed the app, then parsing error appears.

Edit: Error was fixed by zip aligning the application before signing.

Yes, zip-aligning needs to be performed prior to signing. Zip-aligning after will break the signature.

bannus commented

I'm resolving this, as it sounds like these issues were resolved by signing in accordance with the Android docs. Please re-open if you are still facing issues.

I have a fresh APK. I ran zipalign and apkresign against it and tested the app afterwards, and the app installed and functioned properly.

So I took the fresh APK and ran it through the app wrapping tool, and it came out successfully. I zip-aligned it and that worked, then I ran the apkresign tool; it asked for a password and worked. I uploaded it to Intune and it says "App not installed as package appears to be invalid". What am I missing?

I followed the steps below to resolve the same issue:

Android app wrapping steps:

Step-1: Build wrapping using Intune app wrapper tool (run using Windows PowerShell (x86))

Invoke-AppWrappingTool -InputPath C:\Apps\SampleApp.apk -OutputPath C:\Apps\SampleApp-wrapped.apk -Verbose

Step-2: Zip Align the wrapped build using command prompt

ZipAlign Command:

C:\Users\AppData\Local\Android\Sdk\build-tools\34.0.0\zipalign.exe -p -f -v 4 C:\Apps\SampleApp-wrapped.apk C:\Apps\SampleApp-wrapped-zipalign.apk

Step-3: Build signing using command prompt

Signing Command:
C:\Users\AppData\Local\Android\Sdk\build-tools\34.0.0\apksigner.bat sign --ks C:\Apps\MyServicesKS.keystore --out C:\Apps\SampleApp-wrapped-zipalign-signed.apk C:\Apps\SampleApp-wrapped-zipalign.apk
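
The two failure causes discussed in this thread (an APK that carries only a jarsigner-style v1 signature, and an APK that is not zip-aligned) can both be seen in the file structure. The following is an added example, not part of the original thread and not Microsoft's or Android's tooling: a Python sketch that reports which signature schemes an APK carries and which uncompressed entries are not 4-byte aligned. The function names are illustrative, and it checks only 4-byte alignment, not the page alignment that `zipalign -p` applies to shared libraries.

```python
import io
import struct
import zipfile

MAGIC = b"APK Sig Block 42"
# Block IDs defined by the APK Signature Scheme v2 and v3 formats.
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}


def signing_block_schemes(apk: bytes) -> set:
    """Schemes present in the APK Signing Block (empty set if there is none)."""
    eocd = apk.rfind(b"PK\x05\x06")  # End of Central Directory record
    if eocd < 0:
        raise ValueError("no End of Central Directory record; not a ZIP/APK")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # When present, the block ends with its magic right before the central directory.
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != MAGIC:
        return set()
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    pos, end = cd_offset - size, cd_offset - 24
    found = set()
    while pos >= 8 and pos + 12 <= end:  # each pair: uint64 length, uint32 ID, value
        length, block_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            break  # malformed pair; stop rather than read outside the block
        if block_id in SCHEME_IDS:
            found.add(SCHEME_IDS[block_id])
        pos += 8 + length
    return found


def inspect_apk(apk: bytes) -> dict:
    """Report signature schemes and STORED entries that are not 4-byte aligned."""
    schemes, misaligned = signing_block_schemes(apk), []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            name = info.filename.upper()
            if name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                schemes.add("v1")  # JAR-style signature block, what jarsigner writes
            if info.compress_type == zipfile.ZIP_STORED:
                # Data follows the 30-byte local header, the name and the extra field.
                n, m = struct.unpack_from("<HH", apk, info.header_offset + 26)
                if (info.header_offset + 30 + n + m) % 4:
                    misaligned.append(info.filename)
    return {"schemes": sorted(schemes), "misaligned": misaligned}


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(inspect_apk(fh.read()))
```

This only shows which signature containers exist and where entry data starts; it does not validate any signature, so `apksigner verify --verbose` remains the authoritative check.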