Bug 28461 - Android signing parameters on the csproj / project preferences do URLDecode on passwords
Summary: Android signing parameters on the csproj / project preferences do URLDecode o...
Status: REOPENED
Alias: None
Product: Android
Classification: Xamarin
Component: MSBuild ()
Version: 4.20.0
Hardware: PC Mac OS
: Normal normal
Target Milestone: ---
Assignee: Jonathan Pryor
URL:
Depends on:
Blocks:
 
Reported: 2015-03-26 11:44 UTC by Alexandre Rocha Lima e Marcondes
Modified: 2015-05-27 19:08 UTC (History)
3 users (show)

Tags:
Is this bug a regression?: ---
Last known good build:

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.


Please create a new report for Bug 28461 on Developer Community or GitHub if you have new information to add and do not yet see a matching new report.

If the latest results still closely match this report, you can use the original description:

  • Export the original title and description: Developer Community HTML or GitHub Markdown
  • Copy the title and description into the new report. Adjust them to be up-to-date if needed.
  • Add your new information.

In special cases on GitHub you might also want the comments: GitHub Markdown with public comments

Related Links:
Status:
REOPENED

Description Alexandre Rocha Lima e Marcondes 2015-03-26 11:44:19 UTC
If I setup a keystore, alias and passwords on the Android Build preferences and my password contains the percent sign (%) or amperstand (&) it gets decoded by some kind of URL Decode and my password is always wrong.

To reproduce create a keystore using a passowrod like:

MyPassw%34ord&Is%Very&Secure

Setup the project preferences accordingly and try to make an Android Package to use it. On the Build log you'll see that the password will be always sent URL decoded to the jarsigner execution, breaking the package creation.
Comment 1 Jonathan Pryor 2015-03-26 12:32:00 UTC
This is an MSBuild feature. The signing information is stored within a <PropertyGroup/>, as MSBuild properties:

https://msdn.microsoft.com/en-us/library/ms171458.aspx

MSBuild properties are not "literal" values; they're *interpreted* by MSBuild. For example, this allows *appending* values to MSBuild properties, as is done in Mono's Microsoft.Common.targets:

	<ResolveReferencesDependsOn>
		$(ResolveReferencesDependsOn);
		ImplicitlyExpandDesignTimeFacades
	</ResolveReferencesDependsOn>

Because Property values are interpreted, any "special characters" need to be hex-escaped. This includes '$', '%', '@', and others:

https://msdn.microsoft.com/en-us/library/bb383819.aspx
Comment 2 Alexandre Rocha Lima e Marcondes 2015-03-26 14:04:53 UTC
Ok @jonpryor, I see that it is a MSBuild feature. But shouldn't Xamarin.Android plugin solve it so that despite the escaping the password to store on the XML it reaches jarsigner unescaped? As it is implemented today it doesn't matter if I escape it once or twice it always reaches the jarsigner as a wrong password.
Comment 3 Jonathan Pryor 2015-03-26 14:58:32 UTC
> If I setup a keystore, alias and passwords on the Android Build preferences

Doh! I overlooked that.

Yes, absolutely, the IDE should properly escape your values on save.
Comment 4 Greg Munn 2015-03-27 14:01:34 UTC
@jon, back to you.

Even if we store the value of the password encoded in the .csproj, XA is still decoding it when it's passed to jarsginer.

The password above (MyPassw%34ord&Is%Very&Secure), stored encoded looks like

<AndroidSigningStorePass>MyPassw%2534ord&amp;Is%25Very&amp;Secure</AndroidSigningStorePass>

but gets passed to jarsigner like:

    -storepass MyPassw4ord&Is%Very&Secure 

which is the same as if we had not stored the password encoded.

The %34 part of the password is being decoded into 4, even after being decoded initially from the csproj.
Comment 5 Jonathan Pryor 2015-05-27 19:08:03 UTC
@greg: Back to you. :-)

There are two issues here:

1. Data stored within the .csproj needs to be properly encoded. That's you.

2. xbuild is buggy.

Assume the following escape.targets file:

  <?xml version="1.0" encoding="utf-8"?>
  <Project DefaultTargets="Run" ToolsVersion="4.0"
      xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
    <PropertyGroup>
      <IsThisEscaped>MyPassw%2534ord&amp;Is%25Very&amp;Secure</IsThisEscaped>
    </PropertyGroup>
    <Target Name="Run">
      <Message Text="What is the escaped text? $(IsThisEscaped)" />
    </Target>
  </Project>

Run with xbuild:

  $ xbuild escape.targets:
  ...
  What is the escaped text? MyPassw4ord&Is%Very&Secure

Compare to MSBuild:

  > msbuild escape.targets
  ...
  What is the escaped text? MyPassw%34ord&Is%Very&Secure

These are not the same. :-)

jarsigner using the wrong string (Comment #4) is due to an xbuild bug, and rather outside my domain. (Aside: we're trying to migrate to MSBuild proper, though we don't know how long that will take.)

In the meantime, many of our customers *are* on Windows, and thus use the actual (working) MSBuild. Consequently, Xamarin Studio should properly encode the strings so that MSBuild/Windows can behave properly.