Comments (11)
I see, thank you.
I will have to contact this team then. Did you already file an issue for androidx.security? If so, I will reuse that.
Also, did you try different versions of androidx.security? If so, what was the result?
from tink.
You may be able to test it if you tell gradle explicitly that you need at least Tink 1.9. I don't know Gradle at all, so I cannot help you with how to do that.
But basically, if you can say explicitly that you need com.google.crypto.tink:tink-android:1.9.0 the issue should go away.
I filed an issue in the Google internal bug tracker, I hope that they can soon upgrade androidx.security:security-crypto:1.1.0-alpha06. I didn't find a public component for this.
Please wait a week and then Ping this issue if there is no new release.
from tink.
I filed an issue in the Google internal bug tracker, I hope that they can soon upgrade androidx.security:security-crypto:1.1.0-alpha06. I didn't find a public component for this.
Thanks, I was indeed trying to find on Google Issue Tracker but I couldn't also, only for generic AndroidX.
You may be able to test it if you tell gradle explicitly that you need at least Tink 1.9. I don't know Gradle at all, so I cannot help you with how to do that.
But basically, if you can say explicitly that you need com.google.crypto.tink:tink-android:1.9.0 the issue should go away.
This makes a lot of sense, and the way to do that is by doing the following:
implementation("androidx.security:security-crypto:1.1.0-alpha06") {
exclude(group = "com.google.crypto.tink", module = "tink-android")
}
implementation("com.google.crypto.tink:tink-android:1.9.0")
And it works 🥳
But now I end up again with the runtime error which made me think it was a false positive. A bit of research and I found that either way I need to add the following rules:
# Keep generic signature of Call, Response (R8 full mode strips signatures from non-kept items).
-keep,allowobfuscation,allowshrinking interface retrofit2.Call
-keep,allowobfuscation,allowshrinking class retrofit2.Response
# With R8 full mode generic signatures are stripped for classes that are not
# kept. Suspend functions are wrapped in continuations where the type argument
# is used.
-keep,allowobfuscation,allowshrinking class kotlin.coroutines.Continuation
This leaves me with 2 solutions:
- With the new rules, add the following and leave the dependency as is:
-dontwarn com.google.api.client.http.**
-dontwarn org.joda.time.**
- With the new rules, exclude the dependency on 1.8.0 and force 1.9.0
Which do you think is the cleanest/safest? I prefer the second because as soon as the security-crypto
uses officially the 1.9.0 I just need to remove the gradle configuration. Having the 2 new rules added sounds like code smell 😅
from tink.
Can you expand on the runtime error? A stacktrace would be helpful.
Please do try to use 1.9.0 -- in the end, we do fix a problem with 1.9.0 over 1.8.0, and if there is another problem we need to debug that one too. We will upgrade to 1.9.0 anyhow, and if it doesn't work then you cannot avoid it in the medium term.
from tink.
Hey, thanks for the report.
What version of Tink do you use?
In general, the dependencies referenced (http-client and joda-time) are needed for the class com.google.crypto.tink.util.KeysDownloader -- and we didn't list them in early versions of Tink. We later added them, but they really shouldn't be there: unless you use exactly KeysDownloader directly, Tink doesn't need them.
Are you using tink-android? They shouldn't be there.
from tink.
I'm not using Tink directly, only via androidx.security:security-crypto:1.1.0-alpha06
from tink.
androidx.security:security-crypto:1.1.0-alpha06
depends on com.google.crypto.tink:tink-android:1.8.0
(source) which doesn't explicitly depend on http-client
(source). I am not very familiar with R8, but if IIUC adding -dontwarn com.google.api.client.http.*
and -dontwarn org.joda.time.*
to theproguard-rules.pro
file (https://developer.android.com/build/shrink-code#configuration-files) should solve the issue.
from tink.
Oh I see. And somehow in 1.8 we included the keys downloader by mistake :(
https://github.com/tink-crypto/tink-java/blob/1.8/BUILD.bazel#L696-L699
This should be fixed with 1.9 though: https://github.com/tink-crypto/tink-java/blob/1.9/BUILD.bazel#L780-L782
So what remains to do is for someone to try to see if androidx.security:security-crypto can update to 1.9
from tink.
androidx.security:security-crypto:1.1.0-alpha06
depends oncom.google.crypto.tink:tink-android:1.8.0
(source) which doesn't explicitly depend onhttp-client
(source). I am not very familiar with R8, but if IIUC adding-dontwarn com.google.api.client.http.*
and-dontwarn org.joda.time.*
to theproguard-rules.pro
file (https://developer.android.com/build/shrink-code#configuration-files) should solve the issue.
This doesn't work, by adding:
-dontwarn com.google.api.client.http.**
-dontwarn org.joda.time.**
The build will succeed (because it mutes the warnings/errors) but then it will fail in runtime:
java.lang.ClassCastException: java.lang.Class cannot be cast to java.lang.reflect.ParameterizedType at retrofit2.HttpServiceMethod.parseAnnotations(HttpServiceMethod.java:46) at retrofit2.ServiceMethod.parseAnnotations(ServiceMethod.java:39)
at retrofit2.Retrofit.loadServiceMethod(Retrofit.java:202)
at retrofit2.Retrofit$1.invoke(Retrofit.java:160)
at java.lang.reflect.Proxy.invoke(Proxy.java:1006)
at $Proxy3.login(Unknown Source)
...
I'm using EncryptedSharedPreferences to store some credentials.
Oh I see. And somehow in 1.8 we included the keys downloader by mistake :(
https://github.com/tink-crypto/tink-java/blob/1.8/BUILD.bazel#L696-L699
This should be fixed with 1.9 though: https://github.com/tink-crypto/tink-java/blob/1.9/BUILD.bazel#L780-L782
So what remains to do is for someone to try to see if androidx.security:security-crypto can update to 1.9
Is it something I can test on my end?
I will have to contact this team then. Did you already file an issue for androidx.security? If so, I will reuse that.
I have not, I'll so you can reuse 😉
from tink.
The runtime error was a false positive towards Tink, the stacktrace was relative to coroutines and retrofit, thus the 3 proguard rules that also saved the day 🙏🏼
from tink.
I will mark this as finished as you said it was a false positive. I will also do another release as in Java Tink 1.9.0 still has some problems with regard to this class. However, if anyone has still issues with this, please comment here or open a new issue in https://github.com/tink-crypto/tink-java
from tink.
Related Issues (20)
- tink cannot be installed on arm64 linux HOT 9
- Cannot install it with googleapis-common-protos and other related libs in python HOT 7
- Envelope AEAD Performance with GCP KMS HOT 1
- java tink library is not scaling with java threads HOT 1
- Tink installation on bazel and pip3 fail HOT 4
- Is Tink for Objective-C buildable via Bazel? HOT 9
- Recommendation on the best approach for rotation HOT 1
- tink 1.7.0 depends on protobuf 3.20.1 which has a security vulnerability patched in a newer version HOT 4
- Windows OS Support HOT 4
- Cannot download tinkey - The project to be billed is associated with a closed billing account. HOT 2
- cannot verify signature HOT 3
- java.security.GeneralSecurityException: cannot verify signature HOT 1
- No manager for type 'type.googleapis.com/google.crypto.tink.HpkePrivateKey' has been registered HOT 2
- H HOT 1
- compile tink cpp library for ios HOT 4
- OSS-Fuzz issue 66058 HOT 1
- Intent to archive https://github.com/google/tink
- Duplicate class found in modules jetified-tink-1.8.0 and jetified-tink-android-1.8.0 HOT 1
- Add PRF Documentation to website HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tink.