VLC for Android

VLC is back on Play Store! Version 2.0 is more than 1 year old and will leave room for 2.5 which brings very interesting evolutions! VLC for Android releases have been trapped in VLC 3.0 preparation and big media library refactoring black holes. ... [More] So, there hasn’t been any update for 13 months, but development is still active and cool new stuff is coming! This post will focus on features, implementations will be detailed in other blog posts (like the DiffUtil intro). Incoming features UX evolutions New dynamic UI New Audio Player Style Picture-In-Picture mode Android TV Android Auto Chrome OS support 360° Videos support Search Miscellaneous new features Under the hood MediaLibrary Playback performance & formats support Future For now, let me introduce you to the new VLC for Android. Minimum Android version is now Gingerbread. FroYo support has been abandonned, these devices cannot access Google Play Store anymore. UX evolutions New dynamic UI Video cards have been refactored, we now show you video details over its cover picture. This is a nicer presentation and gives room for displaying more videos at once. Audio lists have been slightly lifted too. Others lists view have been reworked, like audio media, browsers and history. We got rid of cardview pattern, and got back to a more flat and clean design. You can now select multiple items at the same time, to start a playlist for example. Sort options have been spread to Audio and Browser sections. Info page has also been redesigned with a fancy collapse effect for thumbnail or cover. According to Material design principles, application has also become a bit more dynamic. New Audio Player Style Audio player background is now a blurred version of current art cover if available. Picture-In-Picture mode VLC implements PiP support for Oreo devices and even Nougat Android TVs. You can activate it from video advanced options during playback. We also added an option to automatically continue video playback in PiP or background mode (audio only) while multitasking. Go in VLC settings to activate it and video playback will switch to PiP when you’ll press HOME button. Android TV TV interface had its own minor lifting too. Background is filled with blurred covers and colors are warmer. Also I made long media titles scroll, I heard your (justified) frustration :) Android Auto This release will bring Android Auto compatibility. You’ll be able to use VLC as your travel music player with easy browsing into you audio library, with the minimum possible distraction from driving. VLC also supports voice actions on Android Auto: You can ask “play Daft Punk (with VLC)” and Google Assistant will recognize whether it’s an artist, an album or a song you’re asking for and command VLC to play it. Chrome OS support VLC has been tested and adapted for latest Chrome OS running Android apps. You now have an awesome media application ready for your chromebook! 360° Videos support VLC now supports 360° videos, you can change viewpoint by swiping or with remote control arrows. Cardboard/VR mode is not available yet but we are working on it. Search Search has been split in two modes: First step, the text you type in triggers a filtering in the current view. Exactly like in current playlist view. If you want to do a global search, click on the SEARCH IN ALL MEDIALIBRARY button to show the new search view. This will bring detailed results grouped by video/artist/album/songs/genres/playlist. Bonus: VLC is now compatible with voice search. Asking Google Now “Search Artic Monkeys in VLC” will trigger a Arctic Monkeys search and show you this new search result screen. Miscellaneous new features DayNight mode integration Audio boost in video Equalizer custom presets Save and resume position for podcasts & audiobooks Restored double/long click on remote play to skip songs Removed sound lowering on notification Force previous song on audioplayer swipe Fix audioplayer layout for black theme and RTL Save subtitles delay and optionally audio delay for each file. Support for devices with large aspect ratio, like G6 and S8 phones Under the hood MediaLibrary That’s the most important change in this update, because it affects the whole application, but you should barely notice it… VLC now uses medialibrary like VLC for Tizen (other VLC ports will follow). It’s a C++ library, written by Hugo Beauzée-Luyssen, which parses storages for video/audio files and manages a sqlite database to model your media library (with album, artist, genre classification, etc..). It replaces the old system we had on Android which just saved media files with their metadata, we had no proper structure for media library. Categories lists are now faster to show up, we don’t have to generate them at runtime. And this is all native code, which is faster than Java. Beside this speed improvement, one of the main benefits of this medialibrary is to provide better search results. For now we are focusing on the first scan performance to make it at least as fast as the previous system. So, this library is aimed to be a common module of all VLC ports, wich means all debugging, performance and any improvement will benefit other platforms. Next steps for this library will be media scrapping, and network scan: Medialibrary will get information and illustrations for your media, so we’ll be able to present you a nice collection instead of an uncheerful files list. We will also group media by shows/seasons et genre/release year/whatever You will be able to scan your NAS content to access your media easily. This will make VLC a fully featured media center! Playback performance & formats support VLC core team worked hard too to bring performance improvements and some new features. Here are some highlights: Adaptive (HLS/Dash) & TS playback improved OpenGLES 2.0 is now used to render video (for software decoders & mediacodec) Support for VP8/9/10 in MP4 HDMI passthrough Future We also plan to implement a feature to download media on your device, in order to sync your series episodes or songs from your NAS to your device. We’d like to support videos playlists like we do with videos grouped by their common name prefix. As previously stated, medialibrary will help VLC to turn into a real media center with fancy movies/tv shows presentation, and better artists/albums artworks. At last, I started an extension API to help everyone eager to develop android applications that can provide content to VLC, and benefit from VLC Auto and TV implementation. As a start, we will release (with sources of course) extensions for podcasts subscriptions and Google Drive access. [Less]

VLC is back on Play Store! Version 2.0 is more than 1 year old and will leave room for 2.5 which brings very interesting evolutions! VLC for Android releases have been trapped in VLC 3.0 preparation and big media library refactoring black holes. ... [More] So, there hasn’t been any update for 13 months, but development is still active and cool new stuff is coming! This post will focus on features, implementations will be detailed in other blog posts (like the DiffUtil intro). Incoming features UX evolutions New dynamic UI New Audio Player Style Picture-In-Picture mode Android TV Android Auto Chrome OS support 360° Videos support Search Miscellaneous new features Under the hood MediaLibrary Playback performance & formats support Future For now, let me introduce you to the new VLC for Android. Minimum Android version is now Gingerbread. FroYo support has been abandonned, these devices cannot access Google Play Store anymore. UX evolutions New dynamic UI Video cards have been refactored, we now show you video details over its cover picture. This is a nicer presentation and gives room for displaying more videos at once. Audio lists have been slightly lifted too. Others lists view have been reworked, like audio media, browsers and history. We got rid of cardview pattern, and got back to a more flat and clean design. You can now select multiple items at the same time, to start a playlist for example. Sort options have been spread to Audio and Browser sections. Info page has also been redesigned with a fancy collapse effect for thumbnail or cover. According to Material design principles, application has also become a bit more dynamic. New Audio Player Style Audio player background is now a blurred version of current art cover if available. Picture-In-Picture mode VLC implements PiP support for Oreo devices and even Nougat Android TVs. You can activate it from video advanced options during playback. We also added an option to automatically continue video playback in PiP or background mode (audio only) while multitasking. Go in VLC settings to activate it and video playback will switch to PiP when you’ll press HOME button. Android TV TV interface had its own minor lifting too. Background is filled with blurred covers and colors are warmer. Also I made long media titles scroll, I heard your (justified) frustration :) Android Auto This release will bring Android Auto compatibility. You’ll be able to use VLC as your travel music player with easy browsing into you audio library, with the minimum possible distraction from driving. VLC also supports voice actions on Android Auto: You can ask “play Daft Punk (with VLC)” and Google Assistant will recognize whether it’s an artist, an album or a song you’re asking for and command VLC to play it. Chrome OS support VLC has been tested and adapted for latest Chrome OS running Android apps. You now have an awesome media application ready for your chromebook! 360° Videos support VLC now supports 360° videos, you can change viewpoint by swiping or with remote control arrows. Cardboard/VR mode is not available yet but we are working on it. Search Search has been split in two modes: First step, the text you type in triggers a filtering in the current view. Exactly like in current playlist view. If you want to do a global search, click on the SEARCH IN ALL MEDIALIBRARY button to show the new search view. This will bring detailed results grouped by video/artist/album/songs/genres/playlist. Bonus: VLC is now compatible with voice search. Asking Google Now “Search Artic Monkeys in VLC” will trigger a Arctic Monkeys search and show you this new search result screen. Miscellaneous new features DayNight mode integration Audio boost in video Equalizer custom presets Save and resume position for podcasts & audiobooks Restored double/long click on remote play to skip songs Removed sound lowering on notification Force previous song on audioplayer swipe Fix audioplayer layout for black theme and RTL Save subtitles delay and optionally audio delay for each file. Support for devices with large aspect ratio, like G6 and S8 phones Under the hood MediaLibrary That’s the most important change in this update, because it affects the whole application, but you should barely notice it… VLC now uses medialibrary like VLC for Tizen (other VLC ports will follow). It’s a C++ library, written by Hugo Beauzée-Luyssen, which parses storages for video/audio files and manages a sqlite database to model your media library (with album, artist, genre classification, etc..). It replaces the old system we had on Android which just saved media files with their metadata, we had no proper structure for media library. Categories lists are now faster to show up, we don’t have to generate them at runtime. And this is all native code, which is faster than Java. Beside this speed improvement, one of the main benefits of this medialibrary is to provide better search results. For now we are focusing on the first scan performance to make it at least as fast as the previous system. So, this library is aimed to be a common module of all VLC ports, wich means all debugging, performance and any improvement will benefit other platforms. Next steps for this library will be media scrapping, and network scan: Medialibrary will get information and illustrations for your media, so we’ll be able to present you a nice collection instead of an uncheerful files list. We will also group media by shows/seasons et genre/release year/whatever You will be able to scan your NAS content to access your media easily. This will make VLC a fully featured media center! Playback performance & formats support VLC core team worked hard too to bring performance improvements and some new features. Here are some highlights: Adaptive (HLS/Dash) & TS playback improved OpenGLES 2.0 is now used to render video (for software decoders & mediacodec) Support for VP8/9/10 in MP4 HDMI passthrough Future We also plan to implement a feature to download media on your device, in order to sync your series episodes or songs from your NAS to your device. We’d like to support videos playlists like we do with videos grouped by their common name prefix. As previously stated, medialibrary will help VLC to turn into a real media center with fancy movies/tv shows presentation, and better artists/albums artworks. At last, I started an extension API to help everyone eager to develop android applications that can provide content to VLC, and benefit from VLC Auto and TV implementation. As a start, we will release (with sources of course) extensions for podcasts subscriptions and Google Drive access. [Less]

Using XML-RPC with Python3 is really simple. Calling system.version on http://localhost/RCP2 is as simple as: import xmlrpc.client proxy = xmlrpc.client.ServerProxy("http://localhost/RPC2") print(proxy.system.version()) However, the default ... [More] client is missing many features, like handling proxies. Using requests for the underlying connection allows … [Less]

At VideoLAN, we recently changed our signing procedure to leverage our security keys. As explained on Yubico website, Android signing is quite easy. On This Page Setup Install dependencies Prepare configuration file ... [More] Set up your own management key Change your PIN Keystore import App signature Scripting Jarsigner With this method, I can now sign the VLC releases on any of my computers without duplicating the keystore file. And keystore password is replaced by my Yubikey PIN. Here is the precise process we went through to get this done. Setup Install dependencies I am considering a Debian based distribution with open JDK 8 installed for this post. First of all, we need to install the pkcs11 opensc lib and the zipalign tool sudo apt-get install opensc-pkcs11 zipalign zipalign can also be found in android_sdk_path/build-tools/version/ Prepare configuration file Then, we prepare the pkcs11 configuration. Let’s create file pkcs11_java.cfg and fill it with: name = OpenSC-PKCS11 description = SunPKCS11 via OpenSC library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slotListIndex = 0 Yubico How-To advises slotListIndex = 1, but I had to set it to 0 to make it work with my Yubikey 4. Let’s assume we save it in: ~/.pkcs11_java.cfg Set up your own management key If you did not set your management key, you have to do it now: key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` echo $key yubico-piv-tool -a set-mgm-key -n $key Change your PIN Same for PIN setting, default one is 123456 yubico-piv-tool -a change-pin -P 123456 -N Keystore import Now it’s time to import our keystore to the key PIV slot. keytool -importkeystore -srckeystore mykeystore.keystore -destkeystore mykeystorey.p12 -srcstoretype jks -deststoretype pkcs12 yubico-piv-tool -s 9a -a import-key -a import-cert -i mykeystorey.p12 -K PKCS12 -k You will be asked to type in the keystore password, then the certificate management key. Starting from now, you won’t have to type the keystore password anymore but your Yubikey PIN. We can check that our key is ready to sign apps: keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg -keystore NONE -storetype PKCS11 -list -J-Djava.security.debug=sunpkcs11 This is the Yubikey PIN you have to type-in now. And don’t forget to touch it if you enabled the ‘touch-to-sign’ option. App signature In build tools 24.0.3 Google has released apksigner, a new signature tool with convenient arguments like --min-sdk-version to get sure the application signature is correct. Until release (26.0.1) apksigner doesn’t handle pkcs11 protocol correctly. So, you need to use build-tools 26.0.1+ We now have to get an unsigned apk, so we must tell gradle to not apply any signing config for release builds buildTypes { release { signingConfig null //… } } Finally we can sign an apk without our keystore, we just need the Yubikey to be plugged and fire up apksigner ANDROID_SDK_PATH/build-tools/BUILD_TOOLS_VERSION/apksigner sign --ks NONE --ks-pass "pass:$YUBI_PIN" \ --min-sdk-version 9 --provider-class sun.security.pkcs11.SunPKCS11 \ --provider-arg pkcs11_java.cfg --ks-type PKCS11 app.apk We can now verify the package is signed: apksigner verify --verbose app.apk verify accepts --min-sdk-version and --max-sdk-version to ensure your users won’t get 103 Play Store error code once the app is released. Scripting Here is the full bash script I use to sign all my apks at once: #! /bin/sh echo "Please enter Yubikey PIN code " stty -echo trap 'stty echo' EXIT read -p 'PIN: ' YUBI_PIN stty echo trap - EXIT BT_VERSION="26.0.1" echo "\nSigning apks\n" for i in `ls *.apk`; do $ANDROID_SDK/build-tools/$BT_VERSION/zipalign 4 $i $i.tmp && mv -vf $i.tmp $i $ANDROID_SDK/build-tools/$BT_VERSION/apksigner sign --ks NONE \ --ks-pass "pass:$YUBI_PIN" --min-sdk-version 9 \ --max-sdk-version 26 --provider-class sun.security.pkcs11.SunPKCS11 \ --provider-arg ~/.pkcs11_java.cfg --ks-type PKCS11 $i done unset YUBI_PIN Jarsigner We can also use jarsigner to sign your apk: jarsigner -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg \ -keystore NONE -storetype PKCS11 -sigalg SHA1withRSA -digestalg SHA1 \ app.apk "Certificate for PIV Authentication" The -sigalg SHA1withRSA -digestalg SHA1 parameters are needed because we support old devices. If you don’t support Android 4.2 and older you can rip it off. With jarsigner, we need to zipalign the apk after signing them. And verify the package is signed: jarsigner -verify app.apk [Less]

At VideoLAN, we recently changed our signing procedure to leverage our security keys. As explained on Yubico website, Android signing is quite easy. On This Page Setup Keystore import App signature Scripting Apksigner With ... [More] this method, I can now sign the VLC releases on any of my computers without duplicating the keystore file. And keystore password is replaced by my Yubikey PIN. Here is the precise process we went through to get this done. Setup I am considering a Debian based distribution with open JDK 8 installed for this post. First of all, we need to install the pkcs11 opensc lib and the zipalign tool sudo apt-get install opensc-pkcs11 zipalign zipalign can also be found in android_sdk_path/build-tools/version/ Then, we prepare the pkcs11 configuration. Let’s create file pkcs11_java.cfg and fill it with: name = OpenSC-PKCS11 description = SunPKCS11 via OpenSC library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slotListIndex = 0 Yubico How-To advises slotListIndex = 1, but I had to set it to 0 to make it work with my Yubikey 4. Let’s assume we save it in: ~/.pkcs11_java.cfg Keystore import Now it’s time to import our keystore to the key PIV slot. keytool -importkeystore -srckeystore mykeystore.keystore -destkeystore mykeystorey.p12 -srcstoretype jks -deststoretype pkcs12 yubico-piv-tool -s 9a -a import-key -a import-cert -i mykeystorey.p12 -K PKCS12 You will be asked to type in the keystore password. Starting from now, you won’t have to type the keystore password anymore but your Yubikey PIN. We can check that our key is ready to sign apps: keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg -keystore NONE -storetype PKCS11 -list -J-Djava.security.debug=sunpkcs11 This is the Yubikey PIN you have to type-in now. Default PIN is 123456, no need to tell you it must be changed… And don’t forget to touch it I you enabled the ‘touch-to-sign’ option. App signature We now have to get an unsigned apk, so we must tell gradle to not apply any signing config for release builds buildTypes { release { signingConfig null //… } } Finally we can sign an apk without our keystore, we just need the Yubikey to be plugged and fire up jarsigner jarsigner -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg \ -keystore NONE -storetype PKCS11 -sigalg SHA1withRSA -digestalg SHA1 \ app.apk "Certificate for PIV Authentication" We can now verify the package is signed: jarsigner -verify app.apk The -sigalg SHA1withRSA -digestalg SHA1 parameters are needed because we support old devices. If you don’t support Android 4.2 and older you can rip it off. Scripting Here is the full bash script I use to sign all my apks at once: #! /bin/sh echo "Please enter Yubikey PIN code " stty -echo trap 'stty echo' EXIT read -p 'PIN: ' YUBI_PIN stty echo trap - EXIT echo "\nSigning apks\n" for i in `ls *.apk`; do jarsigner -providerClass sun.security.pkcs11.SunPKCS11 \ -providerArg ~/.pkcs11_java.cfg -keystore NONE -storetype PKCS11 \ -sigalg SHA1withRSA -digestalg SHA1 -storepass $YUBI_PIN \ $i "Certificate for PIV Authentication" zipalign 4 $i $i.tmp && mv -vf $i.tmp $i done unset YUBI_PIN Apksigner Since build tools 24.0.3, Google released apksigner, a newer signature tool with convenient arguments like --min-sdk-version to get sure the application signature is correct. But current release (25.0.3) doesn’t handle pkcs11 protocol correctly. builds tools 26.0.0 have just been released and they do not contain apksigner anymore We still can build apksigner from source to get upstream version which is able to manage our Yubikey! git clone https://android.googlesource.com/platform/tools/apksig We need Bazel to build this project, here are some instructions to install it Then go into apksig folder, create a Bazel workspace and let’s build it. touch WORKSPACE export WORKSPACE=`pwd` bazel build :apksigner And here is how we can sign with it: ~/tmp/apksig/bazel-bin/apksigner sign --ks NONE --ks-pass "pass:$YUBI_PIN"\ --min-sdk-version 9 --provider-class sun.security.pkcs11.SunPKCS11\ --provider-arg pkcs11_java.cfg --ks-type PKCS11 app.apk With apksigner, we need to zipalign the apk BEFORE signing them. We can also verify apk is well signed: ~/tmp/apksig/bazel-bin/apksigner verify app.apk And verify accepts --min-sdk-version and --max-sdk-version to ensure your users won’t get 103 once the release is out. [Less]

At VideoLAN, we recently changed our signing procedure to leverage our security keys. As explained on Yubico website, Android signing is quite easy. On This Page Setup Keystore import App signature Scripting With this method ... [More] , I can now sign the VLC releases on any of my computers without duplicating the keystore file. And keystore password is replaced by my Yubikey PIN. Here is the precise process we went through to get this done. Setup I am considering a Debian based distribution with open JDK 8 installed for this post. First of all, we need to install the pkcs11 opensc lib and the zipalign tool sudo apt-get install opensc-pkcs11 zipalign zipalign can also be found in android_sdk_path/build-tools/version/ Then, we prepare the pkcs11 configuration. Let’s create file pkcs11_java.cfg and fill it with: name = OpenSC-PKCS11 description = SunPKCS11 via OpenSC library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slotListIndex = 0 Yubico How-To advises slotListIndex = 1, but I had to set it to 0 to make it work with my Yubikey 4. Let’s assume we save it in: ~/.pkcs11_java.cfg Keystore import Now it’s time to import our keystore to the key PIV slot. keytool -importkeystore -srckeystore mykeystore.keystore -destkeystore mykeystorey.p12 -srcstoretype jks -deststoretype pkcs12 yubico-piv-tool -s 9a -a import-key -a import-cert -i mykeystorey.p12 -K PKCS12 You will be asked to type in the keystore password. Starting from now, you won’t have to type the keystore password anymore but your Yubikey PIN. We can check that our key is ready to sign apps: keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg -keystore NONE -storetype PKCS11 -list -J-Djava.security.debug=sunpkcs11 This is the Yubikey PIN you have to type-in now. Default PIN is 123456, no need to tell you it must be changed… And don’t forget to touch it I you enabled the ‘touch-to-sign’ option. App signature We now have to get an unsigned apk, so we must tell gradle to not apply any signing config for release builds buildTypes { release { signingConfig null //… } } Finally we can sign an apk without our keystore, we just need the Yubikey to be plugged and fire up jarsigner jarsigner -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg \ -keystore NONE -storetype PKCS11 -sigalg SHA1withRSA -digestalg SHA1 \ app.apk "Certificate for PIV Authentication" We can now verify the package is signed: jarsigner -verify app.apk The -sigalg SHA1withRSA -digestalg SHA1 parameters are needed because we support old devices. If you don’t support Android 4.2 and older you can rip it off. Scripting Here is the full bash script I use to sign all my apks at once: #! /bin/sh echo "Please enter Yubikey PIN code " stty -echo trap 'stty echo' EXIT read -p 'PIN: ' YUBI_PIN stty echo trap - EXIT echo "\nSigning apks\n" for i in `ls *.apk`; do jarsigner -providerClass sun.security.pkcs11.SunPKCS11 \ -providerArg ~/.pkcs11_java.cfg -keystore NONE -storetype PKCS11 \ -sigalg SHA1withRSA -digestalg SHA1 -storepass $YUBI_PIN \ $i "Certificate for PIV Authentication" zipalign 4 $i $i.tmp && mv -vf $i.tmp $i done unset YUBI_PIN [Less]

At VideoLAN, we recently changed our signing procedure to leverage our security keys. As explained on Yubico website, Android signing is quite easy. On This Page Setup Install dependencies Prepare configuration file ... [More] Set up your own management key Change your PIN Keystore import App signature Scripting Apksigner With this method, I can now sign the VLC releases on any of my computers without duplicating the keystore file. And keystore password is replaced by my Yubikey PIN. Here is the precise process we went through to get this done. Setup Install dependencies I am considering a Debian based distribution with open JDK 8 installed for this post. First of all, we need to install the pkcs11 opensc lib and the zipalign tool sudo apt-get install opensc-pkcs11 zipalign zipalign can also be found in android_sdk_path/build-tools/version/ Prepare configuration file Then, we prepare the pkcs11 configuration. Let’s create file pkcs11_java.cfg and fill it with: name = OpenSC-PKCS11 description = SunPKCS11 via OpenSC library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slotListIndex = 0 Yubico How-To advises slotListIndex = 1, but I had to set it to 0 to make it work with my Yubikey 4. Let’s assume we save it in: ~/.pkcs11_java.cfg Set up your own management key If you did not set your management key, you have to do it now: key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` echo $key yubico-piv-tool -a set-mgm-key -n $key Change your PIN Same for PIN setting, default one is 123456 yubico-piv-tool -a change-pin -P 123456 -N Keystore import Now it’s time to import our keystore to the key PIV slot. keytool -importkeystore -srckeystore mykeystore.keystore -destkeystore mykeystorey.p12 -srcstoretype jks -deststoretype pkcs12 yubico-piv-tool -s 9a -a import-key -a import-cert -i mykeystorey.p12 -K PKCS12 -k You will be asked to type in the keystore password, then the certificate management key. Starting from now, you won’t have to type the keystore password anymore but your Yubikey PIN. We can check that our key is ready to sign apps: keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg -keystore NONE -storetype PKCS11 -list -J-Djava.security.debug=sunpkcs11 This is the Yubikey PIN you have to type-in now. And don’t forget to touch it if you enabled the ‘touch-to-sign’ option. App signature We now have to get an unsigned apk, so we must tell gradle to not apply any signing config for release builds buildTypes { release { signingConfig null //… } } Finally we can sign an apk without our keystore, we just need the Yubikey to be plugged and fire up jarsigner jarsigner -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg \ -keystore NONE -storetype PKCS11 -sigalg SHA1withRSA -digestalg SHA1 \ app.apk "Certificate for PIV Authentication" We can now verify the package is signed: jarsigner -verify app.apk The -sigalg SHA1withRSA -digestalg SHA1 parameters are needed because we support old devices. If you don’t support Android 4.2 and older you can rip it off. Scripting Here is the full bash script I use to sign all my apks at once: #! /bin/sh echo "Please enter Yubikey PIN code " stty -echo trap 'stty echo' EXIT read -p 'PIN: ' YUBI_PIN stty echo trap - EXIT echo "\nSigning apks\n" for i in `ls *.apk`; do jarsigner -providerClass sun.security.pkcs11.SunPKCS11 \ -providerArg ~/.pkcs11_java.cfg -keystore NONE -storetype PKCS11 \ -sigalg SHA1withRSA -digestalg SHA1 -storepass $YUBI_PIN \ $i "Certificate for PIV Authentication" zipalign 4 $i $i.tmp && mv -vf $i.tmp $i done unset YUBI_PIN Apksigner Since build tools 24.0.3, Google released apksigner, a newer signature tool with convenient arguments like --min-sdk-version to get sure the application signature is correct. But current release (25.0.3) doesn’t handle pkcs11 protocol correctly. builds tools 26.0.0 have just been released and they do not contain apksigner anymore We still can build apksigner from source to get upstream version which is able to manage our Yubikey! git clone https://android.googlesource.com/platform/tools/apksig We need Bazel to build this project, here are some instructions to install it Then go into apksig folder, create a Bazel workspace and let’s build it. touch WORKSPACE export WORKSPACE=`pwd` bazel build :apksigner And here is how we can sign with it: ~/tmp/apksig/bazel-bin/apksigner sign --ks NONE --ks-pass "pass:$YUBI_PIN" \ --min-sdk-version 9 --provider-class sun.security.pkcs11.SunPKCS11 \ --provider-arg pkcs11_java.cfg --ks-type PKCS11 app.apk With apksigner, we need to zipalign the apk before signing them. We can also verify apk is well signed: ~/tmp/apksig/bazel-bin/apksigner verify app.apk And verify accepts --min-sdk-version and --max-sdk-version to ensure your users won’t get 103 once the release is out. [Less]

At VideoLAN, we recently changed our signing procedure to leverage our security keys. As explained on Yubico website, Android signing is quite easy. On This Page Setup Install dependencies Prepare configuration file ... [More] Set up your own management key Change your PIN Keystore import App signature Scripting Jarsigner With this method, I can now sign the VLC releases on any of my computers without duplicating the keystore file. And keystore password is replaced by my Yubikey PIN. Here is the precise process we went through to get this done. Setup Install dependencies I am considering a Debian based distribution with open JDK 8 installed for this post. First of all, we need to install the pkcs11 opensc lib and the zipalign tool sudo apt-get install opensc-pkcs11 zipalign zipalign can also be found in android_sdk_path/build-tools/version/ Prepare configuration file Then, we prepare the pkcs11 configuration. Let’s create file pkcs11_java.cfg and fill it with: name = OpenSC-PKCS11 description = SunPKCS11 via OpenSC library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slotListIndex = 0 Yubico How-To advises slotListIndex = 1, but I had to set it to 0 to make it work with my Yubikey 4. Let’s assume we save it in: ~/.pkcs11_java.cfg Set up your own management key If you did not set your management key, you have to do it now: key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'` echo $key yubico-piv-tool -a set-mgm-key -n $key Change your PIN Same for PIN setting, default one is 123456 yubico-piv-tool -a change-pin -P 123456 -N Keystore import Now it’s time to import our keystore to the key PIV slot. keytool -importkeystore -srckeystore mykeystore.keystore -destkeystore mykeystorey.p12 -srcstoretype jks -deststoretype pkcs12 yubico-piv-tool -s 9a -a import-key -a import-cert -i mykeystorey.p12 -K PKCS12 -k You will be asked to type in the keystore password, then the certificate management key. Starting from now, you won’t have to type the keystore password anymore but your Yubikey PIN. We can check that our key is ready to sign apps: keytool -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg -keystore NONE -storetype PKCS11 -list -J-Djava.security.debug=sunpkcs11 This is the Yubikey PIN you have to type-in now. And don’t forget to touch it if you enabled the ‘touch-to-sign’ option. App signature In build tools 24.0.3 Google has released apksigner, a new signature tool with convenient arguments like --min-sdk-version to get sure the application signature is correct. Until release (26.0.1) apksigner doesn’t handle pkcs11 protocol correctly. So, you need to use build-tools 26.0.1+ We now have to get an unsigned apk, so we must tell gradle to not apply any signing config for release builds buildTypes { release { signingConfig null //… } } Finally we can sign an apk without our keystore, we just need the Yubikey to be plugged and fire up apksigner ANDROID_SDK_PATH/build-tools/BUILD_TOOLS_VERSION/apksigner sign --ks NONE --ks-pass "pass:$YUBI_PIN" \ --min-sdk-version 9 --provider-class sun.security.pkcs11.SunPKCS11 \ --provider-arg pkcs11_java.cfg --ks-type PKCS11 app.apk We can now verify the package is signed: apksigner verify --verbose app.apk verify accepts --min-sdk-version and --max-sdk-version to ensure your users won’t get 103 Play Store error code once the app is released. Scripting Here is the full bash script I use to sign all my apks at once: #! /bin/sh echo "Please enter Yubikey PIN code " stty -echo trap 'stty echo' EXIT read -p 'PIN: ' YUBI_PIN stty echo trap - EXIT BT_VERSION="26.0.1" echo "\nSigning apks\n" for i in `ls *.apk`; do $ANDROID_SDK/build-tools/$BT_VERSION/zipalign 4 $i $i.tmp && mv -vf $i.tmp $i $ANDROID_SDK/build-tools/$BT_VERSION/apksigner sign --ks NONE \ --ks-pass "pass:$YUBI_PIN" --min-sdk-version 9 \ --max-sdk-version 26 --provider-class sun.security.pkcs11.SunPKCS11 \ --provider-arg ~/.pkcs11_java.cfg --ks-type PKCS11 $i done unset YUBI_PIN Jarsigner We can also use jarsigner to sign your apk: jarsigner -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ~/.pkcs11_java.cfg \ -keystore NONE -storetype PKCS11 -sigalg SHA1withRSA -digestalg SHA1 \ app.apk "Certificate for PIV Authentication" The -sigalg SHA1withRSA -digestalg SHA1 parameters are needed because we support old devices. If you don’t support Android 4.2 and older you can rip it off. With jarsigner, we need to zipalign the apk after signing them. And verify the package is signed: jarsigner -verify app.apk [Less]

Jinja2 is a powerful templating engine for Python. Inside LAVA, we use Jinja2 to generate configuration files for every boards that we support. The configuration is generated from a template that does inherit from a base template. For instance, for a beaglebone-black called bbb-01, the template inheritance tree is the …

DiffUtil steps Threading Skip queued updates Code factorization As stated in the previous post, we do process all DiffUtil.DiffResult calculations in main thread to preserve adapter state consistency. But in VLC, we have to deal with ... [More] potentially HUGE datasets, so calculation could take some time. Background calculation is mandatory then, and we have to preserve dataset consistency. I lost a few days trying different techniques then finally chose to stack updates within a queue and use it for all dataset operations, because it provides consistency safetyness. I’ve been inspired by Jon F Hancock blog post to get this right. To achieve background calculation and preserve data consistency, we now have to use our update() method for all dataset updates or manage the pending queue state manually. Threading update(list) method is now splitted in two, in order to allow queueing and recursivity: update(list) which is now limited to queueing the new list and triggering internalUpdate(list) to do the actual job. Notice all queue accesses or modifications are done in the main thread (for the same reasons that for dataset changes). // Our queue with next dataset private final ArrayDeque<Item[]> mPendingUpdates = new ArrayDeque<>(); @MainThread void update(final ArrayList<Item> newList) { mPendingUpdates.add(newList); if (mPendingUpdates.size() == 1) internalUpdate(newList); //no pending update, let's go } //private method, called exclusively by update() private void internalUpdate(final ArrayList<Item> newList) { VLCApplication.runBackground(new Runnable() { @Override public void run() { final DiffUtil.DiffResult result = DiffUtil.calculateDiff(new MediaItemDiffCallback(mDataset, newList), false); //back to main thread for the update VLCApplication.runOnMainThread(new Runnable() { @Override public void run() { mDataset = newList; result.dispatchUpdatesTo(BaseBrowserAdapter.this); //We are done with this dataset mPendingUpdates.remove(); //Process the next queued dataset if any if (!mPendingUpdates.isEmpty()) internalUpdate(mPendingUpdates.peek()); } }); } }); } For simple actions, like item insertion/removal, we must check the mPendingUpdates state. Either we handle it, either we use update(list) in order to respect the queue process we just set. So, we have to copy the most recent dataset, add/remove the item then call update(list). Using mDataset as the current reference state can be a mistake, if mPendingUpdates is not empty, another dataset will be processed between mDataset and our new list with item added or removed. In this case, we have to peek the last list from mPendingUpdates. @MainThread void addItem(Item item) { ArrayList<Item> newList = new ArrayList<>(mPendingUpdates.isEmpty() ? mDataset : mPendingUpdates.peekLast()); newList.add(item); update(newList); } For item removal, I’d recommend to just avoid calling it with position only, prefer to pass the item reference. Because the position value is likely to be wrong if there is a pending update at this time. Skip queued updates In case you can receive a bunch of updates while DiffUtil is calculating the DiffUtil.DiffResult, you get a stack of new datasets to process. Let’s skip to the last one: as we made sure they are consistent we can do it. That’s just factorizing the updates. We have to clear the mPendingUpdates queue from all its elements but the last one. Here is our current queue processing: mPendingUpdates.remove(); if (!mPendingUpdates.isEmpty()) internalUpdate(mPendingUpdates.peek()); Which becomes: mPendingUpdates.remove(); if (!mPendingUpdates.isEmpty()) { if (mPendingUpdates.size() > 1) { // more than one update queued ArrayList<Item> lastList = mPendingUpdates.peekLast(); mPendingUpdates.clear(); mPendingUpdates.add(lastList); } internalUpdate(mPendingUpdates.peek()); } Code factorization Here is my base adapter class, dedicated to pending queue management. Children classes just need to call update(newList) for any update. (I chose to not specify List because I also use arrays) public abstract class BaseQueuedAdapter <T, VH extends RecyclerView.ViewHolder> extends RecyclerView.Adapter<VH> { protected T mDataset; private final ArrayDeque<T> mPendingUpdates = new ArrayDeque<>(); final Handler mHandler = new Handler(Looper.getMainLooper()); @MainThread public boolean hasPendingUpdates() { return !mPendingUpdates.isEmpty(); } @MainThread public T peekLast() { return mPendingUpdates.isEmpty() ? mDataset : mPendingUpdates.peekLast(); } @MainThread public void update(final T items) { mPendingUpdates.add(items); if (mPendingUpdates.size() == 1) internalUpdate(items); } private void internalUpdate(final T newList) { new thread(new Runnable() { @Override public void run() { final DiffUtil.DiffResult result = DiffUtil.calculateDiff(new ItemDiffCallback(mDataList, newList), false); mHandler.post(new Runnable() { @Override public void run() { mDataset = newList; result.dispatchUpdatesTo(BaseQueuedAdapter.this); processQueue(); } }); } }).start(); } @MainThread private void processQueue() { mPendingUpdates.remove(); if (!mPendingUpdates.isEmpty()) { if (mPendingUpdates.size() > 1) { T lastList = mPendingUpdates.peekLast(); mPendingUpdates.clear(); mPendingUpdates.add(lastList); } internalUpdate(mPendingUpdates.peek()); } } } My adapter class becomes: public class MyAdapter extends BaseQueuedAdapter<List<Item>, MyAdapter.ViewHolder> That’s it, we now have asynchronous and classy RecyclerView updates without extra boilerplate 😎 [Less]