
Improve encrypted PCK robustness, by enforcing encrypted PCK usage and disabling certain unsafe features. #76161

Closed
bruvzg wants to merge 1 commit into godotengine:master from bruvzg:19Mw_RGZrUU

@bruvzg (Member) commented Apr 17, 2023

Adds some extra restrictions to the exports with embedded encryption key (compiled with SCRIPT_AES256_ENCRYPTION_KEY) to make encryption bypass by overriding project settings harder:

Allows encrypting asset files in the APK/AAB using existing PCK encryption key/export config, without using APK extension.

  • Always encrypt PCK file list/metadata and some core files.
  • Allow only encrypted main PCK to be loaded and ignore project.godot/project.binary outside the PCK.
  • Disable command line arguments for remote filesystem, and script / scene selection when encryption is used.
  • Disable override.cfg.

Implements godotengine/godot-proposals#6675
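
The policy the description lists (refuse a main pack whose file directory is not encrypted, refuse remote-filesystem and script/scene arguments on keyed builds), as an added C++ example that is not code from this PR or from Godot. The header layout (magic `GDPC`, flags word at byte 20 with bit 0 marking an encrypted directory), the argument spellings and every function name are assumptions made for illustration.

```cpp
// Added example, not Godot source. Assumed little-endian header layout:
// magic "GDPC", format version, engine major/minor/patch, then pack flags.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

constexpr uint32_t PCK_MAGIC = 0x43504447; // "GDPC" as a little-endian u32
constexpr uint32_t FLAG_DIR_ENCRYPTED = 1u << 0; // assumed: bit 0 = encrypted directory
constexpr size_t FLAGS_OFFSET = 20; // magic + four version words

enum class PackVerdict { Accept, NotAPack, Truncated, PlaintextDirectory };

static uint32_t read_u32_le(const std::vector<uint8_t> &b, size_t off) {
	return uint32_t(b[off]) | uint32_t(b[off + 1]) << 8 | uint32_t(b[off + 2]) << 16 | uint32_t(b[off + 3]) << 24;
}

// key_embedded: this build carries an embedded key, so plaintext packs are refused.
PackVerdict check_pack(const std::vector<uint8_t> &hdr, bool key_embedded) {
	if (hdr.size() < 4) return PackVerdict::Truncated;
	if (read_u32_le(hdr, 0) != PCK_MAGIC) return PackVerdict::NotAPack;
	if (hdr.size() < FLAGS_OFFSET + 4) return PackVerdict::Truncated;
	const uint32_t flags = read_u32_le(hdr, FLAGS_OFFSET);
	if (key_embedded && !(flags & FLAG_DIR_ENCRYPTED)) return PackVerdict::PlaintextDirectory;
	return PackVerdict::Accept;
}

// Refuse remote-filesystem and script/scene selection arguments on keyed builds.
std::vector<std::string> refused_args(const std::vector<std::string> &args, bool key_embedded) {
	std::vector<std::string> refused;
	for (const std::string &a : args) {
		const bool scene = a.size() > 5 && a.compare(a.size() - 5, 5, ".tscn") == 0;
		if (key_embedded && (a == "--remote-fs" || a == "--script" || a == "-s" || scene)) refused.push_back(a);
	}
	return refused;
}

// Constructed sample header (24 bytes) carrying the given flags word.
std::vector<uint8_t> sample_header(uint32_t flags) {
	std::vector<uint8_t> h(24, 0);
	const uint32_t words[6] = { PCK_MAGIC, 2, 4, 2, 0, flags };
	for (size_t w = 0; w < 6; w++)
		for (size_t i = 0; i < 4; i++) h[w * 4 + i] = uint8_t(words[w] >> (8 * i));
	return h;
}

int main() {
	std::printf("plaintext pack refused: %d\n", check_pack(sample_header(0), true) == PackVerdict::PlaintextDirectory);
	return 0;
}
```

A check of this shape is also the kind of unit-testable surface the review comments further down ask for.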

@phil-hudson (Contributor)

Hey - thanks so much for working on this, it looks great.

One thing I wanted to ask - will this also support AAB export? As new apps uploaded to playstore can only be uploaded in AAB format.

From looking at the code, I would assume so based on export_project_helper method doing checks for both APK and AAB file types?

@m4gr3d modified the milestones: 4.x, 4.2 Jun 19, 2023

@m4gr3d (Contributor) left a comment

I'm curious if it's possible to add unit tests in order to validate the encryption logic and ensure we don't introduce regressions in the future.

@m4gr3d (Contributor) commented Jun 19, 2023

> Hey - thanks so much for working on this, it looks great.
>
> One thing I wanted to ask - will this also support AAB export? As new apps uploaded to playstore can only be uploaded in AAB format.
>
> From looking at the code, I would assume so based on export_project_helper method doing checks for both APK and AAB file types?

@bruvzg Following on this comment, doesn't look like the encryption logic is applied to the Gradle build export path.

@bruvzg marked this pull request as draft June 30, 2023 10:48
@bruvzg force-pushed the 19Mw_RGZrUU branch 3 times, most recently from f307c42 to ddd22be July 3, 2023 11:37

@m4gr3d (Contributor) left a comment

For the export logic, can you move all the added logic into separate functions in a new export_encrypted_util file and call those functions from the current export logic? This will help encapsulate and reuse the logic and make the code easier to read and maintain.

Also there seems to be a high usage of magic numbers; is it possible to turn them into constants with clear names, and comment what the logic is doing.

@bruvzg force-pushed the 19Mw_RGZrUU branch 2 times, most recently from f547b6d to 61acc9d February 15, 2024 14:16

@timkrief (Contributor)

Did anyone try to export an encrypted aab? I tried, compiling all of this and building an export template with this. The aab has encrypted assets, but the app doesn't launch. My app was running when exported not encrypted in aab using 4.2. It may be unrelated, I'm going to continue looking for the issue.

from the logcat
java.lang.RuntimeException: Unable to start activity ComponentInfo{com.timkrief.fallacyquiz/com.godot.game.GodotApp}: java.lang.IllegalStateException: Unable to initialize engine native layer

@x-mugen-x

> Did anyone try to export an encrypted aab? I tried, compiling all of this and building an export template with this. The aab has encrypted assets, but the app doesn't launch. My app was running when exported not encrypted in aab using 4.2. It may be unrelated, I'm going to continue looking for the issue.
>
> from the logcat java.lang.RuntimeException: Unable to start activity ComponentInfo{com.timkrief.fallacyquiz/com.godot.game.GodotApp}: java.lang.IllegalStateException: Unable to initialize engine native layer

I tried building this commit and the export templates (as well as 4.2.1, and 4.3dev6) and it wasn't working for me either unfortunately... is there any update on this? Kind regards

@NovaSoftInteractive commented May 9, 2024

I tried to install an encrypted aab and it also crashed on startup, here's the full logcat:

Start proc 14858:com.novasoftinteractive.ahch1/u0a158 for activity {com.novasoftinteractive.ahch1/com.godot.game.GodotApp}
Invalid ID 0x00000000.
Late-enabling -Xcheck:jni
Unknown bits set in runtime_flags: 0x8000
mCompatibilityFlags - 4
applicationDensity - 240
applicationScale - 1.0
rotationForOrientation cts_verifier=
rotationForOrientation animationExist=1
rotationForOrientation mUserRotation=1 mUserRotationMode=0
rotationForOrientation rotationLocked=false mLastSensorRotation=1
mCompatibilityFlags - 4
applicationDensity - 240
applicationScale - 1.0
onPause
(REDACTED) [%s] forcing onFeedHide from onPause()
getTransport: Cannot find entry vendor.qti.hardware.servicetracker@1.0::IServicetracker/default in either framework or device manifest.
(REDACTED) [%s] onFeedHide().  Feed was already hidden.
Transmission is done.
Connecting to perf service.
getTransport: Cannot find entry vendor.qti.hardware.iop@2.0::IIop/default in either framework or device manifest.
IIop:: Iop HAL Service is not available.
wallpaper visibility changes to: false
[Surface(name=AppWindowToken{28ecb25 token=Token{705c31c ActivityRecord{314548f u0 com.novasoftinteractive.ahch1/com.godot.game.GodotApp t264}}})/@0xb7889e - animation-leash#0] No local sync point found
[Surface(name=AppWindowToken{fb5d652 token=Token{8347add ActivityRecord{5a9feb4 u0 com.android.launcher3/com.android.searchlauncher.SearchLauncher t254}}})/@0xf6fc947 - animation-leash#0] No local sync point found
Creating new Godot fragment instance.
Warning: "/data/app/com.novasoftinteractive.ahch1-kNJOpc15sKXOjWPyAJfnRA==/base.apk!/lib/arm64-v8a/libc++_shared.so" unused DT entry: unknown processor-specific (type 0x70000001 arg 0x0) (ignoring)
USER ERROR: Can't open encrypted pack-referenced file '.godot/extension_list.cfg'.
   at: open_internal (platform/android/file_access_android.cpp:182)
Error: Can't run project: no main scene defined in the project.
App trying to use insecure INPUT_FEATURE_NO_INPUT_CHANNEL flag. Ignoring
Unable to setup the Godot engine! Aborting...
Shutting down VM
--------- beginning of crash
FATAL EXCEPTION: main
Process: com.novasoftinteractive.ahch1, PID: 14858
java.lang.RuntimeException: Unable to start activity ComponentInfo{com.novasoftinteractive.ahch1/com.godot.game.GodotApp}: java.lang.IllegalStateException: Unable to initialize engine native layer
	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3271)
	at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3410)
	at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:83)
	at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
	at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2017)
	at android.os.Handler.dispatchMessage(Handler.java:107)
	at android.os.Looper.loop(Looper.java:214)
	at android.app.ActivityThread.main(ActivityThread.java:7407)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:935)
Caused by: java.lang.IllegalStateException: Unable to initialize engine native layer
	at org.godotengine.godot.GodotFragment.performEngineInitialization(GodotFragment.java:199)
	at org.godotengine.godot.GodotFragment.onCreate(GodotFragment.java:190)
	at androidx.fragment.app.Fragment.performCreate(Fragment.java:3094)
	at androidx.fragment.app.FragmentStateManager.create(FragmentStateManager.java:504)
	at androidx.fragment.app.FragmentStateManager.moveToExpectedState(FragmentStateManager.java:268)
	at androidx.fragment.app.FragmentManager.executeOpsTogether(FragmentManager.java:1943)
	at androidx.fragment.app.FragmentManager.removeRedundantOperationsAndExecute(FragmentManager.java:1839)
	at androidx.fragment.app.FragmentManager.execSingleAction(FragmentManager.java:1751)
	at androidx.fragment.app.BackStackRecord.commitNowAllowingStateLoss(BackStackRecord.java:323)
	at org.godotengine.godot.GodotActivity.onCreate(GodotActivity.kt:79)
	at com.godot.game.GodotApp.onCreate(GodotApp.java:45)
	at android.app.Activity.performCreate(Activity.java:7825)
	at android.app.Activity.performCreate(Activity.java:7814)
	at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1307)
	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3246)
	... 11 more
App trying to use insecure INPUT_FEATURE_NO_INPUT_CHANNEL flag. Ignoring
add tag=data_app_crash isTagEnabled=true flags=0x2
  Force finishing activity com.novasoftinteractive.ahch1/com.godot.game.GodotApp
finishActivityLocked packagename=com.novasoftinteractive.ahch1
ActivityTrigger activityPauseTrigger 
Background execution not allowed: receiving Intent { act=android.intent.action.DROPBOX_ENTRY_ADDED flg=0x10 (has extras) } to com.google.android.gms/.stats.service.DropBoxEntryAddedReceiver
QUALCOMM build                   : a7d4a14, Iba1deb6915
Build Date                       : 07/23/20
OpenGL ES Shader Compiler Version: EV031.27.05.10
Local Branch                     : 
Remote Branch                    : 
Remote Branch                    : 
Reconstruct Branch               : 
Build Config                     : S L 8.0.12 AArch64
mCompatibilityFlags - 4
applicationDensity - 240
applicationScale - 1.0
PFP: 0x005ff113, ME: 0x005ff066
getTransport: Cannot find entry vendor.qti.hardware.servicetracker@1.0::IServicetracker/default in either framework or device manifest.
Sending signal. PID: 14858 SIG: 9

I think this is causing the crash in particular: USER ERROR: Can't open encrypted pack-referenced file '.godot/extension_list.cfg'. If I extract the contents of the encrypted aab, there is no .godot/ folder in the assets directory; it's only present in the non-encrypted aab.

@akien-mga modified the milestones: 4.3, 4.4 Jun 21, 2024

Add support for APK/AAB assets encryption using PCK encryption key/export config.
Enforce encrypted core files and file directory usage, and disable certain unsafe features to prevent external code/overrides loading.

@bruvzg (Member, Author) commented May 17, 2025

Closing in favor of #105984 (also enabled encryption for APK/AAB without excessive changes).

@sinni800

> Closing in favor of #105984 (also enabled encryption for APK/AAB without excessive changes).

I might be misunderstanding but wasn't this issue meant to improve robustness for every platform, while #105984 is ONLY for android? So are the other platforms just basically removed from consideration? Because this feature would make sure that when encryption is enabled, only further encrypted PCKs can be loaded.

That feature is not the case now though... I think the whole addition of require_encryption to the PCK loader would have been generally a sweet thing to have, to have more safeguards in place to prevent exported games from being penetrated with imported packfiles too easily, heh
