#49 Crashes if downloaded package is unsigned

Closed
opened 3 years ago by mrey · 2 comments

Currently the latest Firefox Lite release is version 2.6.0.

Unlike the previous version, the released apk for 2.6.0 is unsigned: https://github.com/mozilla-mobile/FirefoxLite/releases/download/v2.6.0/FirefoxLite-2.6.0-20651-release-unsigned.apk

Thus ffupdater crashes when trying to verify the fingerprint of the downloaded apk file:

```
java.lang.NullPointerException at FingerprintValidator.kt:32
java.lang.NullPointerException

java.lang.NullPointerException
    at de.marmaro.krt.ffupdater.security.FingerprintValidator.checkApkFile(FingerprintValidator.kt:32)
    at de.marmaro.krt.ffupdater.InstallActivity$State$8$fingerprint$1.invokeSuspend(InstallActivity.kt:236)
    at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
    at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
    at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:571)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:678)
    at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:665)

Android Version: 30
Device Manufacturer: Xiaomi
Device Model: Mi Note 10
```
Tobiwan commented 3 years ago
Owner

This is a big problem.

Even if FFUpdater won't crash, you wouldn't be able to update FirefoxLite. Android requires that the signature of the old and the new version of an app must match.

I add a comment to the existing issue on the GitHub page https://github.com/mozilla-mobile/FirefoxLite/issues/5353 - maybe the developers will respond to it.

What should I do when the developers don't respond? Should I remove FirefoxLite from FFUpdater because it's no longer actively developed? But security holes are still fixed according to this section in the README:

> Notice - Firefox Lite is currently in Maintenance Mode. No active feature is being done on the product. Older Pull Requests and Issues have been marked with the archived label and have been closed. However, if you feel an issue is critical enough to be re-opened, please leave a note on the issue with an explanation.

Tobiwan referenced this issue from a commit 3 years ago
Tobiwan referenced this issue from a commit 3 years ago
Tobiwan commented 3 years ago
Owner

I will remove Firefox Lite for now. If the developers publish a signed update, I can revert my changes.
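
Added example, not part of the thread and not FFUpdater's code: a pre-check that detects an unsigned APK and rejects it with a clear result before any fingerprint comparison is attempted, which is the case that produced the NullPointerException above. It is written in Python rather than the project's Kotlin so it runs offline; the function names are hypothetical, the sample archives are constructed, and it only checks that a signature container is present, not that the signature is valid.

```python
import io
import re
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V1_SIG_FILE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)


def signing_schemes(apk_bytes: bytes) -> set[str]:
    """Return which signature containers are present ('v1', 'v2+'); presence only."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile as exc:
        raise ValueError("not a ZIP/APK file") from exc
    found = set()
    if any(V1_SIG_FILE.match(n) for n in names):
        found.add("v1")  # JAR-style signature block file under META-INF/
    # End-of-central-directory record: the central directory offset is at +16.
    eocd = apk_bytes.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", apk_bytes, eocd + 16)[0]
    # The APK Signing Block ends with its magic right before the central directory.
    if cd_offset >= 16 and apk_bytes[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC:
        found.add("v2+")
    return found


def check_before_install(apk_bytes: bytes) -> str:
    """Fail closed with a clear result instead of dereferencing a missing signature."""
    try:
        schemes = signing_schemes(apk_bytes)
    except ValueError:
        return "reject: not an APK"
    if not schemes:
        return "reject: unsigned APK"
    return "continue: compare certificate fingerprint"


def constructed_apk(signed: bool) -> bytes:
    # Constructed sample archive; the .RSA entry is a placeholder, not a real signature.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        if signed:
            zf.writestr("META-INF/CERT.SF", b"placeholder")
            zf.writestr("META-INF/CERT.RSA", b"placeholder")
    return buf.getvalue()
```
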
