AndroidCreateDebugKey uses weak signature algorithm

[ThomasZeman]

Steps to Reproduce

I did this under Linux but I guess it is the same under Windows:

1. msbuild an Xamarin.Android project with target Debug / SignAndroidPackage
2. msbuild task _CreateAndroidDebugSigningKey calls into AndroidDebugKey
3. AndroidDebugKey calls keytool with something like: /usr/bin/keytool -genkeypair -alias androiddebugkey -storepass android -keypass android -keystore "..debug.keystore" -dname "CN=Android Debug,O=Android,C=US" -keyalg RSA -validity 10950

Expected Behavior

Debug APK is signed with an accepted algorithm. Refer to this page:
http://www.oracle.com/technetwork/java/javase/8u131-relnotes-3565278.html

Actual Behavior

The value "RSA" for parameter keyalg leads to a signed APK which is considered not signed right after creation. Output of:

jarsigner -verify -verbose -certs ./bin/Android/AnyCPU/Release/some-Signed.apk

shows:

Signed by "CN=Android Debug, O=Android, C=US"
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024

Version Information

Tried with:

java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

xamarin-android build version 8.3.99.19

[dellis1972]

We have to be careful about what key algorithm is used. Older devices probably won't support newer key algorithms. So we need to pick one which will work with our minimum platform which is api-10 I believe.
That said we can expose the keyalg and validity as MSBuild properties which would allow developers to override the defaults.

[dellis1972]

see https://developer.android.com/training/articles/keystore.html#SupportedKeyPairGenerators

[ThomasZeman]

I agree that this has low urgency because 1st it is only relevant for debug builds and 2nd only for people who don't maintain their own keystores. Stil,l I believe it is a bit odd to get something "outdated" right out of the box. Maybe it is a compromise to follow up on the exposure of the keyalg property and maybe make the ones default which are accepted by javas keytool.