Merge pull request #12 from AdguardTeam/fix/apps_rejecting_our_cert

Fix apps rejecting our cert in some cases
AdguardTeam · Apr 11, 2022 · 8780e16 · 8780e16
2 parents 78d7494 + 47dbc5e
commit 8780e16
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -29,6 +29,9 @@ Unfortunately, this is only possible on rooted devices.
 
 If a new version comes out, repeat steps 3-5 to update the module.
 
+The module does its work during the system boot. If your AdGuard certificate changes,
+you'll have to reboot the device for the new certificate to be copied to the system store.
+
 <details>
     <summary>Illustrated instruction</summary>
 

diff --git a/module/module.prop b/module/module.prop
@@ -1,6 +1,6 @@
 id=adguardcert
 name=AdGuard Certificate
-version=v1.1
-versionCode=2
+version=v1.2
+versionCode=3
 author=AdGuard
 description=Copies AdGuard's CA certificate from the user certificate store to the system store and forces Zygisk unmount procedures for certain browsers.
diff --git a/module/post-fs-data.sh b/module/post-fs-data.sh
@@ -1,12 +1,24 @@
 #!/system/bin/sh
 MODDIR=${0%/*}
 
-# Android hashes the subject to get the filename, field order is significant
-# AdGuard certificate is /C=EN/O=AdGuard/CN=AdGuard Personal CA
-# The filename is then <hash>.<n> where <n> is an integer
+# Android hashes the subject to get the filename, field order is significant.
+# AdGuard's certificate is "/C=EN/O=AdGuard/CN=AdGuard Personal CA".
+# The filename is then <hash>.<n> where <n> is an integer to disambiguate
+# different certs with the same hash (e.g. when the same cert is installed repeatedly).
+#
+# Due to https://github.com/AdguardTeam/AdguardForAndroid/issues/2108
+# 1. Take the last cert with our hash from the user store.
+#    Assuming the last installed AdGuard's cert is the correct one.
+# 2. Copy it to the system store under the name "<hash>.0".
+#    Apparently, some apps may ignore other certs.
+# 3. Remove the "<hash>.0" cert from the `cacerts-removed` directory.
+#    It might get there if it's "unchecked" in the security settings.
+#    Apps will reject certs that are in the `cacerts-removed`.
 AG_CERT_HASH=0f4ed297
-cp -f /data/misc/user/*/cacerts-added/${AG_CERT_HASH}.* $MODDIR/system/etc/security/cacerts
-chown -R 0:0 $MODDIR/system/etc/security/cacerts
+AG_CERT_FILE=$(ls /data/misc/user/*/cacerts-added/${AG_CERT_HASH}.* | sort | tail -n1)
+cp -f ${AG_CERT_FILE} ${MODDIR}/system/etc/security/cacerts/${AG_CERT_HASH}.0
+chown -R 0:0 ${MODDIR}/system/etc/security/cacerts
+rm -f /data/misc/user/*/cacerts-removed/${AG_CERT_HASH}.0
 
 [ "$(getenforce)" = "Enforcing" ] || exit 0