Exactly! I learned a lot about the zip format while researching this.
Argh! I saw your original question in that thread but I never found the solution because there were so many pages in between...
I ended up with a hack that appears to resemble Chainfire's minsignapk, but I didn't need to write my own zipadjust. Basically I simply sign the zip normally with signapk, then I unpack and repack the whole archive using 7zip (bonus: slightly better compression), and then I run the whole-zip-signer on the archive.
Here is my SignWholeFile.jar - the source code is just too ugly to publish. Attachment 2745848 If you find that it works better than Chainfire's version, I'll clean the source and release it.
This is the script I use for signing:
#!/bin/sh KEYDIR=~/android/aosp/build/target/product/security SIGNAPK=~/android/aosp/prebuilts/sdk/tools/lib/signapk.jar SIGNWHOLEFILE=~/android/src/signapk/SignWholeFile.jar java -jar $SIGNAPK -w $KEYDIR/testkey.x509.pem $KEYDIR/testkey.pk8 "$1" "$1.signed.zip" mv "$1" "$1.unsigned" signedzip=$(readlink -f "$1.signed.zip") [ -d /tmp/signapk2 ] && rm -rf /tmp/signapk2 mkdir /tmp/signapk2 pushd /tmp/signapk2 unzip $signedzip rm $signedzip 7z a -r -mx=9 $signedzip * #7z a -r $signedzip * popd mv "$1.signed.zip" "$1" java -jar $SIGNWHOLEFILE $KEYDIR/testkey.x509.pem $KEYDIR/testkey.pk8 "$1" "$1"
@TKruzze is working on converting his popular PA GApps packages over to shell script update-binary, and asked me to look into the signing issue again citing my old post there, so if Chainfire's doesn't do the trick then I'll point him this way.