@nneonneo
Contributor

@nneonneo nneonneo commented Oct 10, 2017

"ec.keystore" was generated using:

keytool -genkeypair -keyalg EC -keysize 256 -v -keystore ec.keystore -storepass android -dname 'CN='

and then the APK was signed with

apksigner sign --in signed-release.apk --v1-signing-enabled false --v2-signing-enabled true --ks ec.keystore --ks-pass pass:android

Unfortunately, I haven't tested this yet because I don't have an Android 7.0 phone, nor enough internet on this airplane to download a suitable emulator :(.

I have tested the latest committed version, and it works properly on an Android 7.1.1 emulator.

@fractalwrench
Owner

Adb doesn't seem to want to install an APK I generated with this method:

Failed to install signed-release.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Failed to collect certificates from /data/app/vmdl388350001.tmp/base.apk using APK Signature Scheme v2: Failed to parse/verify signer #1 block: Failed to verify SHA256withECDSA signature: java.lang.RuntimeException: error:0f00007b:elliptic curve routines:OPENSSL_internal:UNKNOWN_GROUP: error:0f00007b:elliptic curve routines:OPENSSL_internal:UNKNOWN_GROUP]

This seems like a really promising approach though! Also, the APK I generated was 821 bytes, so it looks like there's scope for generating an optimal keystore.

@zhuowei

zhuowei commented Oct 10, 2017

https://source.android.com/security/apksigning/v2#apk-signature-scheme-v2-block says that the 3 ec curves supported are NIST P-256, P-384, and P-521, so maybe use -keysize 256 to get the 256-bit curve?

@nneonneo nneonneo changed the title Reduce size by over 53% with elliptic-curve signatures. Reduce size to 974 bytes with elliptic-curve signatures. Oct 10, 2017
@nneonneo
Contributor Author

@zhuowei thanks for the tip. I used a 256-byte EC curve and it works fine, albeit a little bigger. At least it is under 1KB (and under 1KiB) now!

@zhuowei

zhuowei commented Oct 10, 2017

@nneonneo Can confirm this installs on a physical device running Android 8.0.0.

@fractalwrench
Owner

Can also confirm that this works on an Android device - would you be able to add the keysigning steps to the build script currently on master? I'll happily merge it in after that. Congrats @nneonneo - you got it under a kilobyte!

@nneonneo nneonneo changed the title Reduce size to 974 bytes with elliptic-curve signatures. Reduce size to 923 bytes with elliptic-curve signatures. Oct 10, 2017
@nneonneo
Contributor Author

I have added the new keystore. The keysigning steps didn't change but I took the opportunity to make a few very minor tweaks to the build script.

@nneonneo nneonneo changed the title Reduce size to 923 bytes with elliptic-curve signatures. Reduce size to 922 bytes with elliptic-curve signatures. Oct 10, 2017
@nneonneo
Contributor Author

Random luck made it 922 bytes. If I have time I might play with the crypto a bit to generate a really bad (but small) signature. It should be possible...

I also added the keystore generation to the build.sh and additionally added the currently-used keystore.jks. There's some randomness in ECDSA so the size might vary a bit from run to run.

This uses @madisp's tweaked AndroidManifest.xml as well as @kageiit's advzip/zopfli recompression.
@fractalwrench fractalwrench merged commit b50a830 into fractalwrench:master Oct 11, 2017
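
The run-to-run size variation mentioned in the thread, as an added example (not code from this pull request or project): an ECDSA signature is DER-encoded as two INTEGERs, and each one grows or shrinks by a byte depending on the leading bits of r and s. The sketch assumes r and s are uniformly distributed in [1, n-1] for P-256 and uses constructed random values rather than real signatures.

```python
import secrets
from collections import Counter

# Order n of the NIST P-256 group (public curve parameter).
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_integer(value: int) -> bytes:
    """DER INTEGER for a positive value: minimal big-endian bytes, with a
    0x00 pad when the top bit is set so it is not read as negative."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_ecdsa_signature(r: int, s: int) -> bytes:
    """ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    body = der_integer(r) + der_integer(s)
    return b"\x30" + der_length(len(body)) + body


def size_distribution(samples: int) -> Counter:
    """Count encoded signature lengths over constructed random (r, s) pairs."""
    counts = Counter()
    for _ in range(samples):
        r = 1 + secrets.randbelow(P256_N - 1)  # assumption: uniform in [1, n-1]
        s = 1 + secrets.randbelow(P256_N - 1)
        counts[len(der_ecdsa_signature(r, s))] += 1
    return counts


if __name__ == "__main__":
    for size, count in sorted(size_distribution(10000).items()):
        print(f"{size} bytes: {count}")
```

Under that assumption the lengths 70, 71 and 72 bytes occur in roughly a 1:2:1 ratio, with shorter encodings appearing only when r or s happens to start with a zero byte.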