Package: apksigner
Version: 0.4+git162~g85a854b-1
Severity: severe
Tags: fixed-upstream upstream

upstream bug report: https://code.google.com/p/android/issues/detail?id=234089

When keytool and jarsigner obtain the keystore/key password via stdin or console, contrary to the expectation of the Java KeyStore API, they do not appear to encrypt/decrypt the keystore/key using the Unicode characters comprising the password. Instead, these tools appear to convert the password to its encoded form (using the console's character encoding) and then upcast each resulting Java byte into a Java char. The keystore/key appears to be encrypted using the resulting array of characters.

This behavior may be a remnant from the early days of Java, when there was no standard way to convert textual input obtained via stdin to Unicode characters. The behavior is consistent with simply treating each Java byte read via stdin as a Java char and then passing the resulting array of characters into the KeyStore API as the password.

Unfortunately, when the password is passed into keytool/jarsigner via the command line, or when other tools (including apksigner) use the Java KeyStore API to create/read keystores/keys, the above strange behavior does not occur. As a result, there's a mismatch for non-ASCII passwords.