
Please note the following #98

obfusk opened this issue Feb 6, 2024 · 0 comments
obfusk commented Feb 6, 2024

Please note the following

apksigcopier is a tool that enables using an Android APK signature as a build input (by copying it from a signed APK to an unsigned one), making it possible to create a (bit-by-bit identical) reproducible build from the source code without having access to the private key used to create the signature.

This is a tool for reproducible builds only. Its purpose is to allow verifying that different builds from the same source code produce identical results, to prove that two APKs -- one built and signed by the upstream developer, another one built by you (or some trusted third party) from the published source code -- are identical. Since you cannot create an identical signature without the private key, you need to copy it (and nothing else) as part of the build process instead to be able to create a bit-by-bit identical APK.

The motivation behind the Reproducible Builds project is [...] to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.

  • Please use issues to report bugs and discussions to ask questions.
  • Please check the FAQ first.
  • Please make sure you understand how APK signatures work.
  • Copying a signature to a modified APK will not work:
    • Copying a signature will succeed even if the signature is not valid for the target APK -- as long as the target APK is unsigned and not larger than the source APK it can be inserted successfully.
    • But a signature that is not valid for the target APK will never verify.
  • The error Unexpected metadata means the target APK was signed; you can only copy a signature to an unsigned APK.
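The mechanics the note above relies on, shown as an added example that is not apksigcopier's own code: an unsigned APK is a plain zip, a v2/v3 signature lives in an APK Signing Block spliced in front of the zip's central directory, and copying that block is a byte splice plus an offset fix-up that succeeds whether or not the block is valid for the target. The block layout and the v2 content digest follow the Android APK Signature Scheme v2 documentation; the sample zip, the stand-in block (it carries no real signed data or certificates) and the "Unexpected metadata" error text are constructed for this example, the "not larger than the source APK" condition is not modelled, and v1 JAR-signature files under META-INF are not covered. Validity is still decided by `apksigner verify`, not by anything here.

```python
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # 16-byte magic that ends the APK Signing Block
V2_BLOCK_ID = 0x7109871A                   # ID of the APK Signature Scheme v2 block
CHUNK = 1024 * 1024                        # v2 content digests work on 1 MiB chunks


def build_apk(entries):
    # Constructed sample: an unsigned "APK" is just a zip. Fixed timestamps make two
    # builds from the same input bit-for-bit identical (the reproducible-build case).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

def find_eocd(apk):
    # End of Central Directory record; it may be followed by a comment of up to 65535 bytes.
    idx = apk.rfind(b"PK\x05\x06", max(0, len(apk) - 22 - 65535))
    if idx < 0 or idx + 22 > len(apk):
        raise ValueError("no EOCD record: not a zip file")
    cd_size, cd_offset = struct.unpack("<II", apk[idx + 12:idx + 20])
    return idx, cd_offset, cd_size

def build_signing_block(pairs):
    # Layout: uint64 size | (uint64 len, uint32 id, value)* | uint64 size | 16-byte magic.
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # everything after the first size field
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC

def parse_id_values(block):
    pairs, pos, end = [], 8, len(block) - 24
    while pos < end:
        length, id_ = struct.unpack("<QI", block[pos:pos + 12])
        pairs.append((id_, block[pos + 12:pos + 8 + length]))
        pos += 8 + length
    return pairs

def extract_signing_block(apk):
    # (offset, bytes) of the block sitting right before the central directory, or None.
    _, cd_offset, _ = find_eocd(apk)
    if cd_offset < 24:
        return None
    size, magic = struct.unpack("<Q16s", apk[cd_offset - 24:cd_offset])
    if magic != APK_SIG_BLOCK_MAGIC:
        return None
    off = cd_offset - size - 8
    if off < 0 or struct.unpack("<Q", apk[off:off + 8])[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    return off, apk[off:cd_offset]

def insert_signing_block(unsigned_apk, block):
    # Splice the block in front of the central directory and re-point the EOCD at it.
    # Nothing is verified here: any block fits any unsigned zip, valid for it or not.
    if extract_signing_block(unsigned_apk) is not None:
        raise ValueError("Unexpected metadata: target APK already has an APK Signing Block")
    eocd_offset, cd_offset, _ = find_eocd(unsigned_apk)
    eocd = bytearray(unsigned_apk[eocd_offset:])
    eocd[16:20] = struct.pack("<I", cd_offset + len(block))
    return unsigned_apk[:cd_offset] + block + unsigned_apk[cd_offset:eocd_offset] + bytes(eocd)

def copy_signature(signed_apk, unsigned_apk):
    # "Copy the signature and nothing else": the block moves verbatim, the zip is untouched.
    found = extract_signing_block(signed_apk)
    if found is None:
        raise ValueError("source APK has no APK Signing Block")
    return insert_signing_block(unsigned_apk, found[1])

def content_digest(apk):
    # What a v2 signature commits to: zip entries, central directory, and the EOCD with its
    # central-directory offset replaced by the block offset; chunks hash as SHA-256(0xa5|len|chunk),
    # the top level as SHA-256(0x5a|count|digests). An unsigned build digests the same as the
    # build with the block inserted, because the block would go where the central directory starts.
    eocd_offset, cd_offset, _ = find_eocd(apk)
    found = extract_signing_block(apk)
    block_offset = found[0] if found else cd_offset
    eocd = bytearray(apk[eocd_offset:])
    eocd[16:20] = struct.pack("<I", block_offset)
    digests = []
    for section in (apk[:block_offset], apk[cd_offset:eocd_offset], bytes(eocd)):
        for i in range(0, len(section), CHUNK):
            chunk = section[i:i + CHUNK]
            digests.append(hashlib.sha256(b"\xa5" + struct.pack("<I", len(chunk)) + chunk).digest())
    return hashlib.sha256(b"\x5a" + struct.pack("<I", len(digests)) + b"".join(digests)).hexdigest()


# Constructed walk-through. FAKE_V2_BLOCK stands in for a real block (which would carry
# signed digests and certificates); it contains no real signature.
SOURCE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\0" + b"\0" * 64}
FAKE_V2_BLOCK = build_signing_block([(V2_BLOCK_ID, b"upstream signed data")])
upstream_signed = insert_signing_block(build_apk(SOURCE), FAKE_V2_BLOCK)
rebuilt = build_apk(SOURCE)                                   # our build from the same source
rebuilt_signed = copy_signature(upstream_signed, rebuilt)     # bit-by-bit equal to upstream_signed
tampered = build_apk({**SOURCE, "classes.dex": b"dex\n035\0" + b"\1" * 64})
tampered_signed = copy_signature(upstream_signed, tampered)   # the copy succeeds anyway
```

The walk-through ends in the two situations the note describes: `rebuilt_signed` equals `upstream_signed` byte for byte because the zip was reproduced exactly and the block was moved verbatim, while `tampered_signed` is produced without complaint yet has a different `content_digest`, so the digests a real block signs over could never match it and `apksigner verify` would reject it. Trying to copy onto `rebuilt_signed` a second time trips the "already signed" check, the situation the note's "Unexpected metadata" error refers to.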