| 27 Oct 2021 |
Yuka (she/her) | I changed the microG patch in my build a bit, because I could not resolve the spoofing permission issue | 08:47:17 |
Yuka (she/her) | diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index c477546..88c9390 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -818,6 +818,11 @@ public class PackageManagerService extends IPackageManager.Stub
private static final String RANDOM_DIR_PREFIX = "~~";
+ /**
+ * The Google signature faked by microG.
+ */
+ private static final String MICROG_FAKE_SIGNATURE = "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";
+
final Handler mHandler;
private final ProcessLoggingHandler mProcessLoggingHandler;
@@ -3299,6 +3304,24 @@ public class PackageManagerService extends IPackageManager.Stub
return result;
}
+ private boolean requestsFakeSignature(AndroidPackage p) {
+ String packageName = p.getPackageName();
+ return packageName.equals("com.google.android.gms") || packageName.equals("com.android.vending");
+ }
+
+ private PackageInfo mayFakeSignature(AndroidPackage p, PackageInfo pi,
+ Set<String> permissions) {
+ try {
+ if (requestsFakeSignature(p)) {
+ pi.signatures = new Signature[] {new Signature(MICROG_FAKE_SIGNATURE)};
+ }
+ } catch (Throwable t) {
+ // We should never die because of any failures, this is system code!
+ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t);
+ }
+ return pi;
+ }
+
public final PackageInfo generatePackageInfo(PackageSetting ps, int flags, int userId) {
if (!mUserManager.exists(userId)) return null;
if (ps == null) {
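Review bot: `mayFakeSignature` dereferences `pi` without a null check, although the caller in the last hunk still tests `packageInfo == null` afterwards, so `PackageInfoUtils.generate` can evidently return null. For the two spoofed package names that case becomes a NullPointerException which `catch (Throwable t)` turns into a warning on every lookup, and the broad catch would hide any other failure the same way. Guard it explicitly with `if (pi != null && requestsFakeSignature(p)) {` and narrow the catch to `IllegalArgumentException`, which is what `new Signature(String)` throws for a malformed hex string. The assignment also overwrites `pi.signatures` regardless of `flags` and leaves `pi.signingInfo` untouched, so callers that request signing certificates presumably still see the real certificate; a Javadoc line such as `/** Replaces pi.signatures only; signingInfo keeps the real certificate. */` would make that explicit. The same applies to the second paste of this hunk further down, and `generatePackageInfo` continues beyond the hunk.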
@@ -3327,12 +3350,14 @@ public class PackageManagerService extends IPackageManager.Stub
final int[] gids = (flags & PackageManager.GET_GIDS) == 0 ? EMPTY_INT_ARRAY
: mPermissionManager.getGidsForUid(UserHandle.getUid(userId, ps.appId));
// Compute granted permissions only if package has requested permissions
- final Set<String> permissions = ((flags & PackageManager.GET_PERMISSIONS) == 0
+ final Set<String> permissions = (((flags & PackageManager.GET_PERMISSIONS) == 0
+ && !requestsFakeSignature(p))
|| ArrayUtils.isEmpty(p.getRequestedPermissions())) ? Collections.emptySet()
: mPermissionManager.getGrantedPermissions(ps.name, userId);
- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
+ PackageInfo packageInfo = mayFakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps),
+ permissions);
if (packageInfo == null) {
return null;
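Review bot: The added `&& !requestsFakeSignature(p)` makes `mPermissionManager.getGrantedPermissions(ps.name, userId)` run for the two spoofed packages even when the caller did not set `GET_PERMISSIONS`, yet `mayFakeSignature` never reads its `permissions` argument, so the extra lookup has no effect on the spoofing decision. It looks like a leftover from a permission-gated variant of the patch. Either restore the original condition and drop the third parameter, or use the set to gate the spoofing inside `mayFakeSignature`. As written, the granted set is also passed to `PackageInfoUtils.generate` for calls that did not ask for permissions, which is worth checking for effects on the returned `PackageInfo`. `generatePackageInfo` starts before and continues after this hunk, and the second paste of the diff below repeats it unchanged.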
| 08:48:27 |
Yuka (she/her) | * diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index c477546..88c9390 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -818,6 +818,11 @@ public class PackageManagerService extends IPackageManager.Stub
private static final String RANDOM_DIR_PREFIX = "~~";
+ /**
+ * The Google signature faked by microG.
+ */
+ private static final String MICROG_FAKE_SIGNATURE = "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";
+
final Handler mHandler;
private final ProcessLoggingHandler mProcessLoggingHandler;
@@ -3299,6 +3304,24 @@ public class PackageManagerService extends IPackageManager.Stub
return result;
}
+ private boolean requestsFakeSignature(AndroidPackage p) {
+ String packageName = p.getPackageName();
+ return packageName.equals("com.google.android.gms") || packageName.equals("com.android.vending");
+ }
+
+ private PackageInfo mayFakeSignature(AndroidPackage p, PackageInfo pi,
+ Set<String> permissions) {
+ try {
+ if (requestsFakeSignature(p)) {
+ pi.signatures = new Signature[] {new Signature(MICROG_FAKE_SIGNATURE)};
+ }
+ } catch (Throwable t) {
+ // We should never die because of any failures, this is system code!
+ Log.w("PackageManagerService.FAKE_PACKAGE_SIGNATURE", t);
+ }
+ return pi;
+ }
+
public final PackageInfo generatePackageInfo(PackageSetting ps, int flags, int userId) {
if (!mUserManager.exists(userId)) return null;
if (ps == null) {
@@ -3327,12 +3350,14 @@ public class PackageManagerService extends IPackageManager.Stub
final int[] gids = (flags & PackageManager.GET_GIDS) == 0 ? EMPTY_INT_ARRAY
: mPermissionManager.getGidsForUid(UserHandle.getUid(userId, ps.appId));
// Compute granted permissions only if package has requested permissions
- final Set<String> permissions = ((flags & PackageManager.GET_PERMISSIONS) == 0
+ final Set<String> permissions = (((flags & PackageManager.GET_PERMISSIONS) == 0
+ && !requestsFakeSignature(p))
|| ArrayUtils.isEmpty(p.getRequestedPermissions())) ? Collections.emptySet()
: mPermissionManager.getGrantedPermissions(ps.name, userId);
- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
+ PackageInfo packageInfo = mayFakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps),
+ permissions);
if (packageInfo == null) {
return null;
| 08:48:31 |
Yuka (she/her) | Not sure how secure it is, since I only check for the package name. Better would be to check that the original signature matches our system microG cert as well. | 08:49:32 |
Yuka (she/her) | Now that I have a way to make it work regardless of the permission stuff, I can also update my SO's phone. | 08:51:50 |
Yuka (she/her) | I will first try to use the patch that's currently used in Robotnix | 08:52:18 |
Yuka (she/her) | And if that doesn't work, switch to the patch i posted above | 08:52:36 |
cde | In reply to @yuka:yuka.dev Not sure how secure it is, since I only check for the package name. Better would be to check that the original signature matches our system microG cert as well. if microG is a system app then this would be safe I'd say since you cannot easily replace system apps due to verified boot. | 12:09:18 |
Yuka (she/her) | I think I could replace it, but only with an updated version signed with the same key | 12:09:50 |
cde | exactly. it'd be an update | 12:10:08 |
Yuka (she/her) |  Download scaled_screenshot_20211027-141055.jpg | 12:11:30 |
Yuka (she/her) | I can not get the background location and SMS permissions granted | 12:12:23 |
Yuka (she/her) | Or rather I think the background location permission is granted, but microG can't detect it | 12:13:47 |
Yuka (she/her) | It prevents exposure notifications from being enabled | 12:14:26 |
Yuka (she/her) | * It prevents covid exposure notifications from being enabled | 12:14:31 |
Yuka (she/her) |  Download scaled_screenshot_20211027-141452.jpg | 12:15:02 |
Yuka (she/her) | In reply to @yuka:yuka.dev It prevents covid exposure notifications from being enabled As a workaround I disabled the microG gms in my main profile, and instead use CCTG's builtin EN. | 12:16:08 |
Yuka (she/her) | I can still use microG in the work profile | 12:16:20 |
Yuka (she/her) | * I can still use microG gms in the work profile | 12:16:26 |
Yuka (she/her) | For SMS permissions I can click "allow" but when I go back it's under "Not allowed" every time | 12:17:04 |
Yuka (she/her) | Another problem: My banking app wants me to re-login with full account details each time I open it, which wasn't the case with microG on Android 11. | 12:18:16 |
Yuka (she/her) | This happens both with sandboxed play services and microG on Android 12. | 12:18:45 |
jack | In reply to @danielrf:matrix.org Pushed new tags: vanilla-2021102614 and grapheneos-2021102503. Tested on sunfish and crosshatch, respectively. redfin boots, and works as expected under limited testing | 15:21:45 |
danielrf | And yet more tags: vanilla-2021102720 and grapheneos-2021102613. Tested on sunfish and crosshatch, respectively. | 21:31:20 |
| 29 Oct 2021 |
hmenke | danielrf: You must have had a lot of sandbox headaches while trying to convince the Android build process to run in Nix. Have you ever had an application just hang when run inside the sandbox? If yes, what did you do to fix it? | 18:06:18 |
danielrf | I can't recall encountering that specific issue. 90% of my issues have been with improper LD_LIBRARY_PATHs and stuff like that | 18:14:24 |
danielrf | Btw, I saw your issue on the upstream grapheneos issue tracker. Vanadium webview/browser is one place where our current builds differ from upstream | 18:15:18 |
danielrf | we're supposed to be using trichrome instead of monochrome, but a user-generated certificate digest needs to be included in the trichrome build that isn't needed for monochrome. | 18:15:59 |
danielrf | So, if we switched to trichrome (which you could do pretty easily by modifying isTriChrome in modules/apps/chromium.nix), users couldn't use the prebuilt versions on cachix | 18:17:29 |