Verified failed by v2

[Hellow676]

After use sign copy tool sign copy successful but that error i face Verified failed by v2 give me solution to fix

[obfusk]

Copying a signature will succeed even if the signature is not valid for the target APK.

You can even copy a signature from an entirely different app and it will work as long as the target APK is unsigned and not larger than the source APK (as it will not insert the signature in the middle of the ZIP data).

Copying an invalid signature is of course pointless as it will fail verification.

Please note that (as the README says):

apksigcopier is a tool that enables using an android APK signature as a build input (by copying it from a signed APK to an unsigned one), making it possible to create a (bit-by-bit identical) reproducible build from the source code without having access to the private key used to create the signature.

I don't know what you're trying to do, but e.g. copying a signature to a modified APK is not possible. This is a tool for reproducible builds only. You seem to be trying to copy a signature to an APK that's not valid for that APK, hence the error.

If you want me to look into this, please confirm your use case matches the above, and provide more details on what exactly you're trying to do when you get that error.

[Hellow676]

Actually I am testing your tool
I removed signed from apk
And try to signed with the orginal.apk
Most probably it happens when v2sign was there v1+v2 signed Verified failed by v2 this error come
When going to check signed data buy your command
apksigner verify -v out.apk I grep -v WARNING:
Output-
DOES NOT VERIFY ERROR: APK Signature Scheme v2 signer #1: APK integrity check failed. CHUNKED_SHA256 digest mismatch. Expected: <660f0ab86db59fdf21b0925daf3f82f1e39d596acb9e3f1cf473cba2e6264762>, actual: <f73e80a76cdb3421299a05271b419156f0153569a28a4a1383f5313d6b137b94>

[obfusk]

I removed signed from apk

This seems likely to be the issue. I don't know how you removed the signature. Removing the signature files/block from the APK is easy. But you need to do it in a way that produces an APK that is bit-by-bit identical to the original unsigned APK. If e.g. any of the ZIP metadata is different, the v2/v3 signature will not be valid, even if all the files in the APK are identical (which is sufficient for v1).

[Hellow676]

Can provide me your social media anything where i send you video how i removed signature then maybe you know where is the problem

[obfusk]

bit-by-bit identical to the original unsigned APK

Actually, some differences like ZIP alignment in the unsigned APK will still produce identical signed APKs, as the alignment is modified during signing. So e.g. an unsigned APK that is not aligned will produce an identical APK as one that is aligned exactly the same way apksigner will align it during signing. Because of this it is impossible to remove the signature in a way that guarantees you have the same APK as the unsigned original.

But this may allow you to remove the signature in such a way that the APK will verify after copying the signature back:

import apksigcopier
apksigcopier.copy_apk("signed.apk", "unsigned.apk", exclude=apksigcopier.exclude_meta)

[Hellow676]

If I remove .RSA ,.SF and .MF from-META-INF then that no signature and that apk unsigned apk right
If i am wrong then correct me please

[obfusk]

Can provide me your social media anything where i send you video how i removed signature then maybe you know where is the problem

I do not provide support for apksigcopier via any other channel than this issue tracker. I am also happy to answer relevant questions about apksigcopier in discussions. However, questions about how to remove signatures or how APK signatures work are out of scope.

[obfusk]

If I remove .RSA ,.SF and .MF from-META-INF then that no signature and that apk unsigned apk right If i am wrong then correct me please

Unsigned, yes (those are the v1 signature files, the v2 signature is in the APK signing block which is not preserved by most ZIP tools). But using standard ZIP tools to simply remove those files from the APK or creating a new APK without them will almost certainly produce different ZIP metadata and/or ordering, making the v2 signature invalid.

[obfusk]

import apksigcopier
apksigcopier.copy_apk("signed.apk", "unsigned.apk", exclude=apksigcopier.exclude_meta)

This only works because it will ensure all the ZIP metadata is copied correctly as well, unlike standard ZIP tools. And it will still likely fail if e.g. the v1 signature files are not stored at the end of the ZIP file where they can be removed without affecting the rest of the ZIP metadata.

[obfusk]

There simply is no reliable way to remove the v2/v3 signature from an APK such that the original signature is still valid after copying it back. Nor is this a supported use case for apksigcopier.