Add v21.0 release notes

Update Magisk Manager app translation
 - Korean translation updated
(Translation based on "en" strings.xml)

.gitattributes

@@ -11,9 +11,14 @@
 *.bat text eol=crlf
 
 # Denote all files that are truly binary and should not be modified.
-chromeos/** binary
+tools/** binary
 *.jar binary
 *.exe binary
 *.apk binary
 *.png binary
 *.jpg binary
+*.ttf binary
+
+# Help GitHub detect languages
+native/jni/external/** linguist-vendored
+native/jni/systemproperties/** linguist-language=C++

.gitignore

@@ -2,8 +2,8 @@ out
 *.zip
 *.jks
 *.apk
-config.prop
-update.sh
+/config.prop
+/update.sh
 
 # Built binaries
 native/out

.gitmodules

@@ -19,3 +19,12 @@
 [submodule "nanopb"]
 	path = native/jni/external/nanopb
 	url = https://github.com/nanopb/nanopb.git
+[submodule "mincrypt"]
+	path = native/jni/external/mincrypt
+	url = https://github.com/topjohnwu/mincrypt.git
+[submodule "pcre"]
+	path = native/jni/external/pcre
+	url = https://android.googlesource.com/platform/external/pcre
+[submodule "termux-elf-cleaner"]
+	path = tools/termux-elf-cleaner
+	url = https://github.com/termux/termux-elf-cleaner.git

README.MD

@@ -1,63 +1,77 @@
-# Magisk
+![](docs/images/logo.png)
 
-[Downloads](https://github.com/topjohnwu/Magisk/releases) \| [Documentation](https://topjohnwu.github.io/Magisk/) \| [XDA Thread](https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445)
+![ZIP Downloads](https://img.shields.io/badge/dynamic/json?color=blue&label=ZIP%20Downloads&query=magisk&url=https%3A%2F%2Fraw.githubusercontent.com%2Ftopjohnwu%2Fmagisk_files%2Fcount%2Fcount.json&cacheSeconds=1800)
+![APK Downloads](https://img.shields.io/badge/dynamic/json?color=green&label=APK%20Downloads&query=manager&url=https%3A%2F%2Fraw.githubusercontent.com%2Ftopjohnwu%2Fmagisk_files%2Fcount%2Fcount.json&cacheSeconds=1800)
 
 ## Introduction
 
-Magisk is a suite of open source tools for customizing Android, supporting devices higher than Android 4.2 (API 17). It covers the fundamental parts for Android customization: root, boot scripts, SELinux patches, AVB2.0 / dm-verity / forceencrypt removals etc.
+Magisk is a suite of open source tools for customizing Android, supporting devices higher than Android 4.2. It covers fundamental parts of Android customization: root, boot scripts, SELinux patches, AVB2.0 / dm-verity / forceencrypt removals etc.
 
-Furthermore, Magisk provides a **Systemless Interface** to alter the system (or vendor) arbitrarily while the actual partitions stay completely intact. With its systemless nature along with several other hacks, Magisk can hide modifications from nearly any system integrity verifications used in banking apps, corporation monitoring apps, game cheat detections, and most importantly [Google's SafetyNet API](https://developer.android.com/training/safetynet/index.html).
+Here are some feature highlights:
+
+- **MagiskSU**: Provide root access to your device
+- **Magisk Modules**: Modify read-only partitions by installing modules
+- **MagiskHide**: Hide Magisk from root detections / system integrity checks
+
+## Downloads
+
+[![](https://img.shields.io/badge/Magisk%20Manager-v7.5.1-green)](https://github.com/topjohnwu/Magisk/releases/download/manager-v7.5.1/MagiskManager-v7.5.1.apk)
+[![](https://img.shields.io/badge/Magisk%20Manager-Canary-red)](https://raw.githubusercontent.com/topjohnwu/magisk_files/canary/app-debug.apk)
+<br>
+[![](https://img.shields.io/badge/Magisk-v20.4-blue)](https://github.com/topjohnwu/Magisk/releases/tag/v20.4)
+[![](https://img.shields.io/badge/Magisk%20Beta-v20.4-blue)](https://github.com/topjohnwu/Magisk/releases/tag/v20.4)
+
+## Useful Links
+
+- [Installation Instruction](https://topjohnwu.github.io/Magisk/install.html)
+- [Frequently Asked Questions](https://topjohnwu.github.io/Magisk/faq.html)
+- [Full Official Docs](https://topjohnwu.github.io/Magisk/)
+- [Magisk Troubleshoot Wiki](https://www.didgeridoohan.com/magisk/HomePage) (by [@Didgeridoohan](https://github.com/Didgeridoohan))
+
+## Android Version Support
+
+- Android 4.2+: MagiskSU and Magisk Modules Only
+- Android 4.4+: All core features available
+- Android 6.0+: Guaranteed MagiskHide support
+- Android 7.0+: Full MagiskHide protection
+- Android 9.0+: Magisk Manager stealth mode
 
 ## Bug Reports
 
-**Make sure to install the latest [Canary Build](https://forum.xda-developers.com/apps/magisk/dev-magisk-canary-channel-bleeding-edge-t3839337) before reporting any bugs!** **DO NOT** report bugs that is already fixed upstream. Follow the instructions in the [Canary Channel XDA Thread](https://forum.xda-developers.com/apps/magisk/dev-magisk-canary-channel-bleeding-edge-t3839337), and report a bug either by opening an issue on GitHub or directly in the thread.
+Canary Channels are cutting edge builds for those adventurous. To access canary builds, install the Canary Magisk Manager, switch to the Canary Channel in settings and upgrade.
 
-## Building Environment Requirements
+**Only bug reports from Canary builds will be accepted.**
 
--  Python 3: run `build.py` script
--  Java Development Kit (JDK) 8: Compile Magisk Manager and sign zips
--  Latest Android SDK: set `ANDROID_HOME` environment variable to the path to Android SDK
--  Android NDK: Install NDK along with SDK (`$ANDROID_HOME/ndk-bundle`), or optionally specify a custom path `ANDROID_NDK_HOME`
--  (Windows Only) Python package Colorama: Install with `pip install colorama`, used for ANSI color codes
+For installation issues, upload both boot image and install logs.<br>
+For Magisk issues, upload boot logcat or dmesg.<br>
+For Magisk Manager crashes, record and upload the logcat when the crash occurs.
 
-## Building Notes and Instructions
+## Building and Development
 
--  Clone sources with submodules: `git clone --recurse-submodules https://github.com/topjohnwu/Magisk.git`
--  Building is supported on macOS, Linux, and Windows. Official releases are built and tested with [FrankeNDK](https://github.com/topjohnwu/FrankeNDK); point `ANDROID_NDK_HOME` to FrankeNDK if you want to use it for compiling.
--  Set configurations in `config.prop`. A sample file `config.prop.sample` is provided as an example.
--  Run `build.py` with argument `-h` to see the built-in help message. The `-h` option also works for each supported actions, e.g. `./build.py binary -h`
--  By default, `build.py` build binaries and Magisk Manager in debug mode. If you want to build Magisk Manager in release mode (via the `-r, --release` flag), you need a Java Keystore file `release-key.jks` (only `JKS` format is supported) to sign APKs and zips. For more information, check out [Google's Official Documentation](https://developer.android.com/studio/publish/app-signing.html#signing-manually).
+- Magisk builds on any OS Android Studio supports. Install Android Studio and do the initial setups.
+- Clone sources: `git clone --recurse-submodules https://github.com/topjohnwu/Magisk.git`
+- Install Python 3.6+ \
+(Windows only: select **'Add Python to PATH'** in installer, and run `pip install colorama` after install)
+- Configure to use the JDK bundled in Android Studio:
+	- macOS: `export JAVA_HOME="/Applications/Android Studio.app/Contents/jre/jdk/Contents/Home"`
+	- Linux: `export PATH="/path/to/androidstudio/jre/bin:$PATH"`
+	- Windows: Add `C:\Path\To\Android Studio\jre\bin` to environment variable `PATH`
+- Set environment variable `ANDROID_HOME` to the Android SDK folder (can be found in Android Studio settings)
+- Run `./build.py ndk` to let the script download and install NDK for you
+- Set configurations in `config.prop`. A sample `config.prop.sample` is provided.
+- To start building, run `build.py` to see your options. \
+For each action, use `-h` to access help (e.g. `./build.py all -h`)
+- To start development, open the project in Android Studio. Both app (Kotlin/Java) and native (C++/C) source code can be properly developed using the IDE, but *always* use `build.py` for building.
+- `build.py` builds in debug mode by default. If you want release builds (with `-r, --release`), you need a Java Keystore to sign APKs and zips. For more information, check [Google's Documentation](https://developer.android.com/studio/publish/app-signing.html#generate-key).
 
-## Translations
+## Translation Contributions
 
-Default string resources for Magisk Manager are scattered throughout
+Default string resources for Magisk Manager and its stub APK are located here:
 
 - `app/src/main/res/values/strings.xml`
 - `stub/src/main/res/values/strings.xml`
-- `shared/src/main/res/values/strings.xml`
 
-Translate each and place them in the respective locations (`<module>/src/main/res/values-<lang>/strings.xml`).
-
-## Signature Verification
-
-Official release zips and APKs are signed with my personal private key. You can verify the key certificate to make sure the binaries you downloaded are not manipulated in anyway.
-
-``` bash
-# Use the keytool command from JDK to print certificates
-keytool -printcert -jarfile <APK or Magisk zip>
-
-# The output should contain the following signature
-Owner: CN=John Wu, L=Taipei, C=TW
-Issuer: CN=John Wu, L=Taipei, C=TW
-Serial number: 50514879
-Valid from: Sun Aug 14 13:23:44 EDT 2016 until: Tue Jul 21 13:23:44 EDT 2116
-Certificate fingerprints:
-	 MD5:  CE:DA:68:C1:E1:74:71:0A:EF:58:89:7D:AE:6E:AB:4F
-	 SHA1: DC:0F:2B:61:CB:D7:E9:D3:DB:BE:06:0B:2B:87:0D:46:BB:06:02:11
-	 SHA256: B4:CB:83:B4:DA:D9:9F:99:7D:BE:87:2F:01:3A:A1:6C:14:EE:C4:1D:16:70:21:F3:71:F7:E1:33:0F:27:3E:E6
-	 Signature algorithm name: SHA256withRSA
-	 Version: 3
-```
+Translate each and place them in the respective locations (`[module]/src/main/res/values-[lang]/strings.xml`).
 
 ## License
 

app/build.gradle

@@ -1,114 +0,0 @@
-apply plugin: 'com.android.application'
-apply plugin: 'kotlin-android'
-apply plugin: 'kotlin-android-extensions'
-apply plugin: 'kotlin-kapt'
-
-kapt {
-    correctErrorTypes = true
-    useBuildCache = true
-    mapDiagnosticLocations = true
-    javacOptions {
-        option("-Xmaxerrs", 1000)
-    }
-}
-
-android {
-    defaultConfig {
-        applicationId 'com.topjohnwu.magisk'
-        vectorDrawables.useSupportLibrary = true
-        multiDexEnabled true
-        versionName configProps['appVersion']
-        versionCode configProps['appVersionCode'] as Integer
-    }
-
-    buildTypes {
-        release {
-            minifyEnabled true
-            shrinkResources true
-            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),
-                    'proguard-rules.pro', 'proguard-kotlin.pro'
-        }
-    }
-
-    dataBinding {
-        enabled = true
-    }
-
-    packagingOptions {
-        exclude '/META-INF/*.version'
-        exclude '/META-INF/*.kotlin_module'
-        exclude '/META-INF/rxkotlin.properties'
-        exclude '/androidsupportmultidexversion.txt'
-        exclude '/org/**'
-        exclude '/kotlin/**'
-        exclude '/kotlinx/**'
-    }
-
-    kotlinOptions {
-        jvmTarget = '1.8'
-    }
-}
-
-androidExtensions {
-    experimental = true
-}
-
-dependencies {
-    implementation fileTree(include: ['*.jar'], dir: 'libs')
-    implementation project(':net')
-    implementation project(':shared')
-    implementation project(':signing')
-
-    implementation 'com.github.topjohnwu:jtar:1.0.0'
-    implementation 'com.jakewharton.timber:timber:4.7.1'
-    implementation 'com.github.skoumalcz:teanity:0.3.3'
-    implementation 'com.ncapdevi:frag-nav:3.2.0'
-
-    def vMarkwon = '3.0.1'
-    implementation "ru.noties.markwon:core:${vMarkwon}"
-    implementation "ru.noties.markwon:html:${vMarkwon}"
-    implementation "ru.noties.markwon:image-svg:${vMarkwon}"
-
-    def vLibsu = '2.5.0'
-    implementation "com.github.topjohnwu.libsu:core:${vLibsu}"
-    implementation "com.github.topjohnwu.libsu:io:${vLibsu}"
-
-    def vKoin = "2.0.1"
-    implementation "org.koin:koin-core:${vKoin}"
-    implementation "org.koin:koin-android:${vKoin}"
-    implementation "org.koin:koin-androidx-viewmodel:${vKoin}"
-
-    def vRetrofit = "2.6.0"
-    implementation "com.squareup.retrofit2:retrofit:${vRetrofit}"
-    implementation "com.squareup.retrofit2:converter-moshi:${vRetrofit}"
-    implementation "com.squareup.retrofit2:adapter-rxjava2:${vRetrofit}"
-
-    def vOkHttp = "3.12.3"
-    implementation "com.squareup.okhttp3:okhttp:${vOkHttp}"
-    implementation "com.squareup.okhttp3:logging-interceptor:${vOkHttp}"
-
-    def vMoshi = "1.8.0"
-    implementation "com.squareup.moshi:moshi:${vMoshi}"
-
-    def vKotshi = "2.0.1"
-    implementation "se.ansman.kotshi:api:${vKotshi}"
-    kapt "se.ansman.kotshi:compiler:${vKotshi}"
-
-    modules {
-        module('androidx.room:room-runtime') {
-            replacedBy('com.github.topjohnwu:room-runtime')
-        }
-    }
-    def vRoom = "2.1.0"
-    implementation "com.github.topjohnwu:room-runtime:${vRoom}"
-
-    implementation 'androidx.constraintlayout:constraintlayout:1.1.3'
-    implementation 'androidx.browser:browser:1.0.0'
-    implementation 'androidx.preference:preference:1.0.0'
-    implementation 'androidx.recyclerview:recyclerview:1.1.0-alpha06'
-    implementation 'androidx.cardview:cardview:1.0.0'
-    implementation 'androidx.work:work-runtime:2.0.1'
-    implementation 'androidx.transition:transition:1.2.0-alpha01'
-    implementation 'androidx.multidex:multidex:2.0.1'
-    implementation 'com.google.android.material:material:1.1.0-alpha07'
-}

app/build.gradle.kts

@@ -0,0 +1,147 @@
+plugins {
+    id("com.android.application")
+    kotlin("android")
+    kotlin("android.extensions")
+    kotlin("kapt")
+    id("androidx.navigation.safeargs.kotlin")
+}
+
+kapt {
+    correctErrorTypes = true
+    useBuildCache = true
+    mapDiagnosticLocations = true
+    javacOptions {
+        option("-Xmaxerrs", 1000)
+    }
+}
+
+android {
+    defaultConfig {
+        applicationId = "com.topjohnwu.magisk"
+        vectorDrawables.useSupportLibrary = true
+        multiDexEnabled = true
+        versionName = Config["appVersion"]
+        versionCode = Config["appVersionCode"]?.toInt()
+        buildConfigField("int", "LATEST_MAGISK", Config["versionCode"] ?: "Integer.MAX_VALUE")
+
+        javaCompileOptions.annotationProcessorOptions.arguments(
+                mapOf("room.incremental" to "true")
+        )
+    }
+
+    buildTypes {
+        getByName("release") {
+            isMinifyEnabled = true
+            isShrinkResources = true
+            proguardFiles(
+                getDefaultProguardFile("proguard-android-optimize.txt"),
+                "proguard-rules.pro"
+            )
+        }
+    }
+
+    buildFeatures {
+        dataBinding = true
+    }
+
+    dependenciesInfo {
+        includeInApk = false
+        includeInBundle = false
+    }
+
+    packagingOptions {
+        exclude("/META-INF/**")
+        exclude("/androidsupportmultidexversion.txt")
+        exclude("/org/bouncycastle/**")
+        exclude("/kotlin/**")
+        exclude("/kotlinx/**")
+        exclude("/okhttp3/**")
+    }
+
+    kotlinOptions {
+        jvmTarget = "1.8"
+    }
+}
+
+androidExtensions {
+    isExperimental = true
+}
+
+val copyUtils = tasks.register("copyUtils", Copy::class) {
+    from(rootProject.file("scripts/util_functions.sh"))
+    into("src/main/res/raw")
+}
+
+tasks["preBuild"]?.dependsOn(copyUtils)
+
+dependencies {
+    implementation(fileTree(mapOf("dir" to "libs", "include" to listOf("*.jar"))))
+    implementation(kotlin("stdlib"))
+    implementation(project(":app:shared"))
+    implementation(project(":app:signing"))
+
+    implementation("com.github.topjohnwu:jtar:1.0.0")
+    implementation("com.github.topjohnwu:indeterminate-checkbox:1.0.7")
+    implementation("com.jakewharton.timber:timber:4.7.1")
+
+    val vBAdapt = "4.0.0"
+    val bindingAdapter = "me.tatarka.bindingcollectionadapter2:bindingcollectionadapter"
+    implementation("${bindingAdapter}:${vBAdapt}")
+    implementation("${bindingAdapter}-recyclerview:${vBAdapt}")
+
+    val vMarkwon = "4.6.0"
+    implementation("io.noties.markwon:core:${vMarkwon}")
+    implementation("io.noties.markwon:html:${vMarkwon}")
+    implementation("io.noties.markwon:image:${vMarkwon}")
+    implementation("com.caverock:androidsvg:1.4")
+
+    val vLibsu = "3.0.2"
+    implementation("com.github.topjohnwu.libsu:core:${vLibsu}")
+    implementation("com.github.topjohnwu.libsu:io:${vLibsu}")
+
+    val vKoin = "2.1.6"
+    implementation("org.koin:koin-core:${vKoin}")
+    implementation("org.koin:koin-android:${vKoin}")
+    implementation("org.koin:koin-androidx-viewmodel:${vKoin}")
+
+    val vRetrofit = "2.9.0"
+    implementation("com.squareup.retrofit2:retrofit:${vRetrofit}")
+    implementation("com.squareup.retrofit2:converter-moshi:${vRetrofit}")
+    implementation("com.squareup.retrofit2:converter-scalars:${vRetrofit}")
+
+    val vOkHttp = "3.12.12"
+    implementation("com.squareup.okhttp3:okhttp") {
+        version {
+            strictly(vOkHttp)
+        }
+    }
+    implementation("com.squareup.okhttp3:logging-interceptor:${vOkHttp}")
+    implementation("com.squareup.okhttp3:okhttp-dnsoverhttps:${vOkHttp}")
+
+    val vMoshi = "1.10.0"
+    implementation("com.squareup.moshi:moshi:${vMoshi}")
+    kapt("com.squareup.moshi:moshi-kotlin-codegen:${vMoshi}")
+
+    val vRoom = "2.2.5"
+    implementation("androidx.room:room-runtime:${vRoom}")
+    implementation("androidx.room:room-ktx:${vRoom}")
+    kapt("androidx.room:room-compiler:${vRoom}")
+
+    val vNav: String by rootProject.extra
+    implementation("androidx.navigation:navigation-fragment-ktx:${vNav}")
+    implementation("androidx.navigation:navigation-ui-ktx:${vNav}")
+
+    implementation("androidx.biometric:biometric:1.0.1")
+    implementation("androidx.constraintlayout:constraintlayout:2.0.1")
+    implementation("androidx.swiperefreshlayout:swiperefreshlayout:1.1.0")
+    implementation("androidx.browser:browser:1.2.0")
+    implementation("androidx.preference:preference:1.1.1")
+    implementation("androidx.recyclerview:recyclerview:1.1.0")
+    implementation("androidx.fragment:fragment-ktx:1.2.5")
+    implementation("androidx.work:work-runtime-ktx:2.4.0")
+    implementation("androidx.transition:transition:1.3.1")
+    implementation("androidx.multidex:multidex:2.0.1")
+    implementation("androidx.core:core-ktx:1.3.1")
+    implementation("androidx.localbroadcastmanager:localbroadcastmanager:1.0.0")
+    implementation("com.google.android.material:material:1.2.1")
+}

app/proguard-kotlin.pro

@@ -1,20 +0,0 @@
-## So every class is case insensitive to avoid some bizare problems
--dontusemixedcaseclassnames
-
-## If reflection issues come up uncomment this, that should temporarily fix it
-#-keep class kotlin.** { *; }
-#-keep class kotlin.Metadata { *; }
-#-keepclassmembers class kotlin.Metadata {
-#    public <methods>;
-#}
-
-## Never warn about Kotlin, it should work as-is
--dontwarn kotlin.**
-
-## Removes runtime null checks - doesn't really matter if it crashes on kotlin or java NPE
--assumenosideeffects class kotlin.jvm.internal.Intrinsics {
-    static void checkParameterIsNotNull(java.lang.Object, java.lang.String);
-}
-
-## Useless option for dex
--dontpreverify

app/proguard-rules.pro

@@ -16,32 +16,39 @@
 #   public *;
 #}
 
+# Kotlin
+-assumenosideeffects class kotlin.jvm.internal.Intrinsics {
+	public static void checkExpressionValueIsNotNull(...);
+	public static void checkNotNullExpressionValue(...);
+	public static void checkReturnedValueIsNotNull(...);
+	public static void checkFieldIsNotNull(...);
+	public static void checkParameterIsNotNull(...);
+}
+
+# Stubs
+-keep class a.* { *; }
+
 # Snet
--keepclassmembers class com.topjohnwu.magisk.utils.ISafetyNetHelper { *; }
--keep,allowobfuscation interface com.topjohnwu.magisk.utils.ISafetyNetHelper$Callback
--keepclassmembers class * implements com.topjohnwu.magisk.utils.ISafetyNetHelper$Callback {
-  void onResponse(int);
+-keepclassmembers class com.topjohnwu.magisk.ui.safetynet.SafetyNetHelper { *; }
+-keep,allowobfuscation interface com.topjohnwu.magisk.ui.safetynet.SafetyNetHelper$Callback
+-keepclassmembers class * implements com.topjohnwu.magisk.ui.safetynet.SafetyNetHelper$Callback {
+  void onResponse(org.json.JSONObject);
 }
 
-# Keep all fragment constructors
--keepclassmembers class * extends androidx.fragment.app.Fragment {
-  public <init>(...);
-}
+# Fragments
+# TODO: Remove when AGP 4.1 release
+# https://issuetracker.google.com/issues/142601969
+-keep,allowobfuscation class * extends androidx.fragment.app.Fragment
+-keepnames class androidx.navigation.fragment.NavHostFragment
 
-# DelegateWorker
--keep,allowobfuscation class * extends com.topjohnwu.magisk.model.worker.DelegateWorker
-
-# BootSigner
--keepclassmembers class com.topjohnwu.signing.BootSigner { *; }
-
-# Strip logging
--assumenosideeffects class timber.log.Timber.Tree { *; }
--assumenosideeffects class com.topjohnwu.magisk.utils.Logger {
-  public *** debug(...);
+# Strip Timber verbose and debug logging
+-assumenosideeffects class timber.log.Timber.Tree {
+  public void v(**);
+  public void d(**);
 }
 
 # Excessive obfuscation
--repackageclasses 'a'
+-repackageclasses
 -allowaccessmodification
 
 # QOL

app/shared/build.gradle.kts

@@ -0,0 +1,14 @@
+plugins {
+    id("com.android.library")
+}
+
+android {
+    defaultConfig {
+        vectorDrawables.useSupportLibrary = true
+        consumerProguardFiles("proguard-rules.pro")
+    }
+}
+
+dependencies {
+    implementation(fileTree(mapOf("dir" to "libs", "include" to listOf("*.jar"))))
+}

app/shared/proguard-rules.pro

@@ -19,3 +19,7 @@
 # If you keep the line number information, uncomment this to
 # hide the original source file name.
 #-renamesourcefileattribute SourceFile
+
+-keepclassmembers class * extends javax.net.ssl.SSLSocketFactory {
+    ** delegate;
+}

app/shared/src/main/AndroidManifest.xml

@@ -1,22 +1,23 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
     package="com.topjohnwu.shared">
 
+    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
     <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
-    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
 
     <application
-        android:icon="@drawable/ic_launcher"
+        android:label="Magisk Manager"
         android:installLocation="internalOnly"
-        android:label="@string/app_name"
-        android:supportsRtl="true">
+        android:usesCleartextTraffic="true"
+        android:supportsRtl="true"
+        android:theme="@android:style/Theme.Translucent.NoTitleBar"
+        tools:ignore="UnusedAttribute">
+
         <provider
             android:name="a.p"
             android:authorities="${applicationId}.provider"
             android:exported="false"
             android:grantUriPermissions="true">
-            <meta-data
-                android:name="android.support.FILE_PROVIDER_PATHS"
-                android:resource="@xml/file_paths" />
         </provider>
     </application>
 </manifest>

app/shared/src/main/java/a/p.java

@@ -1,6 +1,6 @@
 package a;
 
-import com.topjohnwu.magisk.utils.FileProvider;
+import com.topjohnwu.magisk.FileProvider;
 
 public class p extends FileProvider {
     /* Stub */

app/shared/src/main/java/com/topjohnwu/magisk/DynAPK.java

@@ -0,0 +1,68 @@
+package com.topjohnwu.magisk;
+
+import android.content.Context;
+import android.content.res.AssetManager;
+
+import java.io.File;
+import java.lang.reflect.Method;
+import java.util.Map;
+
+import static android.os.Build.VERSION.SDK_INT;
+
+public class DynAPK {
+
+    // Indices of the object array
+    private static final int STUB_VERSION_ENTRY = 0;
+    private static final int CLASS_COMPONENT_MAP = 1;
+
+    private static File dynDir;
+    private static Method addAssetPath;
+
+    private static File getDynDir(Context c) {
+        if (dynDir == null) {
+            if (SDK_INT >= 24) {
+                // Use protected context to allow directBootAware
+                c = c.createDeviceProtectedStorageContext();
+            }
+            dynDir = new File(c.getFilesDir().getParent(), "dyn");
+            dynDir.mkdir();
+        }
+        return dynDir;
+    }
+
+    public static File current(Context c) {
+        return new File(getDynDir(c), "current.apk");
+    }
+
+    public static File update(Context c) {
+        return new File(getDynDir(c), "update.apk");
+    }
+
+    public static Data load(Object o) {
+        Object[] arr = (Object[]) o;
+        Data data = new Data();
+        data.version = (int) arr[STUB_VERSION_ENTRY];
+        data.classToComponent = (Map<String, String>) arr[CLASS_COMPONENT_MAP];
+        return data;
+    }
+
+    public static Object pack(Data data) {
+        Object[] arr = new Object[2];
+        arr[STUB_VERSION_ENTRY] = data.version;
+        arr[CLASS_COMPONENT_MAP] = data.classToComponent;
+        return arr;
+    }
+
+    public static void addAssetPath(AssetManager asset, String path) {
+        try {
+            if (addAssetPath == null)
+                addAssetPath = AssetManager.class.getMethod("addAssetPath", String.class);
+            addAssetPath.invoke(asset, path);
+        } catch (Exception ignored) {}
+    }
+
+    public static class Data {
+        public int version;
+        public Map<String, String> classToComponent;
+    }
+}

app/shared/src/main/java/com/topjohnwu/magisk/FileProvider.java

@@ -1,32 +1,26 @@
-package com.topjohnwu.magisk.utils;
+package com.topjohnwu.magisk;
 
 import android.content.ContentProvider;
 import android.content.ContentValues;
 import android.content.Context;
-import android.content.pm.PackageManager;
 import android.content.pm.ProviderInfo;
-import android.content.res.XmlResourceParser;
 import android.database.Cursor;
 import android.database.MatrixCursor;
 import android.net.Uri;
 import android.os.Build;
+import android.os.Bundle;
 import android.os.Environment;
 import android.os.ParcelFileDescriptor;
 import android.provider.OpenableColumns;
 import android.text.TextUtils;
 import android.webkit.MimeTypeMap;
 
-import org.xmlpull.v1.XmlPullParserException;
-
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 
-import static org.xmlpull.v1.XmlPullParser.END_DOCUMENT;
-import static org.xmlpull.v1.XmlPullParser.START_TAG;
-
 /**
  * Modified from androidx.core.content.FileProvider
  */
@@ -34,33 +28,19 @@ public class FileProvider extends ContentProvider {
     private static final String[] COLUMNS = {
             OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE };
 
-    private static final String
-            META_DATA_FILE_PROVIDER_PATHS = "android.support.FILE_PROVIDER_PATHS";
-
-    private static final String TAG_ROOT_PATH = "root-path";
-    private static final String TAG_FILES_PATH = "files-path";
-    private static final String TAG_CACHE_PATH = "cache-path";
-    private static final String TAG_EXTERNAL = "external-path";
-    private static final String TAG_EXTERNAL_FILES = "external-files-path";
-    private static final String TAG_EXTERNAL_CACHE = "external-cache-path";
-    private static final String TAG_EXTERNAL_MEDIA = "external-media-path";
-
-    private static final String ATTR_NAME = "name";
-    private static final String ATTR_PATH = "path";
-
     private static final File DEVICE_ROOT = new File("/");
 
     private static HashMap<String, PathStrategy> sCache = new HashMap<>();
 
     private PathStrategy mStrategy;
 
-    
+    public static ProviderCallHandler callHandler;
+
     @Override
     public boolean onCreate() {
         return true;
     }
 
-    
     @Override
     public void attachInfo(Context context, ProviderInfo info) {
         super.attachInfo(context, info);
@@ -83,7 +63,6 @@ public class FileProvider extends ContentProvider {
         return strategy.getUriForFile(file);
     }
 
-    
     @Override
     public Cursor query(Uri uri, String[] projection, String selection,
                         String[] selectionArgs,
@@ -116,7 +95,6 @@ public class FileProvider extends ContentProvider {
         return cursor;
     }
 
-    
     @Override
     public String getType(Uri uri) {
         
@@ -134,20 +112,17 @@ public class FileProvider extends ContentProvider {
         return "application/octet-stream";
     }
 
-    
     @Override
     public Uri insert(Uri uri, ContentValues values) {
         throw new UnsupportedOperationException("No external inserts");
     }
 
-    
     @Override
     public int update(Uri uri, ContentValues values, String selection,
                       String[] selectionArgs) {
         throw new UnsupportedOperationException("No external updates");
     }
 
-    
     @Override
     public int delete(Uri uri, String selection,
                       String[] selectionArgs) {
@@ -156,7 +131,13 @@ public class FileProvider extends ContentProvider {
         return file.delete() ? 1 : 0;
     }
 
-    
+    @Override
+    public Bundle call(String method, String arg, Bundle extras) {
+        if (callHandler != null)
+            return callHandler.call(getContext(), method, arg, extras);
+        return Bundle.EMPTY;
+    }
+
     @Override
     public ParcelFileDescriptor openFile(Uri uri, String mode)
             throws FileNotFoundException {
@@ -166,95 +147,54 @@ public class FileProvider extends ContentProvider {
         return ParcelFileDescriptor.open(file, fileMode);
     }
 
-    
     private static PathStrategy getPathStrategy(Context context, String authority) {
         PathStrategy strat;
         synchronized (sCache) {
             strat = sCache.get(authority);
             if (strat == null) {
-                try {
-                    strat = parsePathStrategy(context, authority);
-                } catch (IOException e) {
-                    throw new IllegalArgumentException(
-                            "Failed to parse " + META_DATA_FILE_PROVIDER_PATHS + " meta-data", e);
-                } catch (XmlPullParserException e) {
-                    throw new IllegalArgumentException(
-                            "Failed to parse " + META_DATA_FILE_PROVIDER_PATHS + " meta-data", e);
-                }
+                strat = createPathStrategy(context, authority);
                 sCache.put(authority, strat);
             }
         }
         return strat;
     }
 
-    
-    private static PathStrategy parsePathStrategy(Context context, String authority)
-            throws IOException, XmlPullParserException {
+    private static PathStrategy createPathStrategy(Context context, String authority) {
         final SimplePathStrategy strat = new SimplePathStrategy(authority);
 
-        final ProviderInfo info = context.getPackageManager()
-                .resolveContentProvider(authority, PackageManager.GET_META_DATA);
-        final XmlResourceParser in = info.loadXmlMetaData(
-                context.getPackageManager(), META_DATA_FILE_PROVIDER_PATHS);
-        if (in == null) {
-            throw new IllegalArgumentException(
-                    "Missing " + META_DATA_FILE_PROVIDER_PATHS + " meta-data");
+        strat.addRoot("root_files", buildPath(DEVICE_ROOT, "."));
+        strat.addRoot("internal_files", buildPath(context.getFilesDir(), "."));
+        strat.addRoot("cache_files", buildPath(context.getCacheDir(), "."));
+        strat.addRoot("external_files", buildPath(Environment.getExternalStorageDirectory(), "."));
+        {
+            File[] externalFilesDirs = getExternalFilesDirs(context, null);
+            if (externalFilesDirs.length > 0) {
+                strat.addRoot("external_file_files", buildPath(externalFilesDirs[0], "."));
+            }
         }
-
-        int type;
-        while ((type = in.next()) != END_DOCUMENT) {
-            if (type == START_TAG) {
-                final String tag = in.getName();
-
-                final String name = in.getAttributeValue(null, ATTR_NAME);
-                String path = in.getAttributeValue(null, ATTR_PATH);
-
-                File target = null;
-                if (TAG_ROOT_PATH.equals(tag)) {
-                    target = DEVICE_ROOT;
-                } else if (TAG_FILES_PATH.equals(tag)) {
-                    target = context.getFilesDir();
-                } else if (TAG_CACHE_PATH.equals(tag)) {
-                    target = context.getCacheDir();
-                } else if (TAG_EXTERNAL.equals(tag)) {
-                    target = Environment.getExternalStorageDirectory();
-                } else if (TAG_EXTERNAL_FILES.equals(tag)) {
-                    File[] externalFilesDirs = getExternalFilesDirs(context, null);
-                    if (externalFilesDirs.length > 0) {
-                        target = externalFilesDirs[0];
-                    }
-                } else if (TAG_EXTERNAL_CACHE.equals(tag)) {
-                    File[] externalCacheDirs = getExternalCacheDirs(context);
-                    if (externalCacheDirs.length > 0) {
-                        target = externalCacheDirs[0];
-                    }
-                } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP
-                        && TAG_EXTERNAL_MEDIA.equals(tag)) {
-                    File[] externalMediaDirs = context.getExternalMediaDirs();
-                    if (externalMediaDirs.length > 0) {
-                        target = externalMediaDirs[0];
-                    }
-                }
-
-                if (target != null) {
-                    strat.addRoot(name, buildPath(target, path));
-                }
+        {
+            File[] externalCacheDirs = getExternalCacheDirs(context);
+            if (externalCacheDirs.length > 0) {
+                strat.addRoot("external_cache_files", buildPath(externalCacheDirs[0], "."));
+            }
+        }
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
+            File[] externalMediaDirs = context.getExternalMediaDirs();
+            if (externalMediaDirs.length > 0) {
+                strat.addRoot("external_media_files", buildPath(externalMediaDirs[0], "."));
             }
         }
 
         return strat;
     }
 
-    
     interface PathStrategy {
         
         Uri getUriForFile(File file);
 
-        
         File getFileForUri(Uri uri);
     }
 
-    
     static class SimplePathStrategy implements PathStrategy {
         private final String mAuthority;
         private final HashMap<String, File> mRoots = new HashMap<>();
@@ -263,7 +203,6 @@ public class FileProvider extends ContentProvider {
             mAuthority = authority;
         }
 
-        
         void addRoot(String name, File root) {
             if (TextUtils.isEmpty(name)) {
                 throw new IllegalArgumentException("Name must not be empty");

app/shared/src/main/java/com/topjohnwu/magisk/ProviderCallHandler.java

@@ -0,0 +1,8 @@
+package com.topjohnwu.magisk;
+
+import android.content.Context;
+import android.os.Bundle;
+
+public interface ProviderCallHandler {
+    Bundle call(Context context, String method, String arg, Bundle extras);
+}

app/shared/src/main/java/com/topjohnwu/magisk/net/BadRequest.java

@@ -1,4 +1,4 @@
-package com.topjohnwu.net;
+package com.topjohnwu.magisk.net;
 
 import org.json.JSONArray;
 import org.json.JSONObject;

app/shared/src/main/java/com/topjohnwu/magisk/net/ErrorHandler.java

@@ -1,4 +1,4 @@
-package com.topjohnwu.net;
+package com.topjohnwu.magisk.net;
 
 import java.net.HttpURLConnection;
 

app/shared/src/main/java/com/topjohnwu/magisk/net/Networking.java

@@ -1,4 +1,4 @@
-package com.topjohnwu.net;
+package com.topjohnwu.magisk.net;
 
 import android.content.Context;
 import android.net.ConnectivityManager;
@@ -13,7 +13,6 @@ import java.net.URL;
 
 import javax.net.ssl.HttpsURLConnection;
 
-@Deprecated
 public class Networking {
 
     private static final int READ_TIMEOUT = 15000;
@@ -36,7 +35,7 @@ public class Networking {
         return request(url, "GET");
     }
 
-    public static void init(Context context) {
+    public static boolean init(Context context) {
         try {
             // Try installing new SSL provider from Google Play Service
             Context gms = context.createPackageContext("com.google.android.gms",
@@ -46,10 +45,13 @@ public class Networking {
                     .getMethod("insertProvider", Context.class)
                     .invoke(null, gms);
         } catch (Exception e) {
-            // Failed to update SSL provider, use NoSSLv3SocketFactory on SDK < 21
-            if (Build.VERSION.SDK_INT < 21)
+            if (Build.VERSION.SDK_INT < 21) {
+                // Failed to update SSL provider, use NoSSLv3SocketFactory on SDK < 21
                 HttpsURLConnection.setDefaultSSLSocketFactory(new NoSSLv3SocketFactory());
+            }
+            return false;
         }
+        return true;
     }
 
     public static boolean checkNetworkStatus(Context context) {

app/shared/src/main/java/com/topjohnwu/magisk/net/NoSSLv3SocketFactory.java

@@ -1,4 +1,4 @@
-package com.topjohnwu.net;
+package com.topjohnwu.magisk.net;
 
 import java.io.IOException;
 import java.net.InetAddress;
@@ -11,18 +11,18 @@ import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
-class NoSSLv3SocketFactory extends SSLSocketFactory {
+public class NoSSLv3SocketFactory extends SSLSocketFactory {
 
-    private final static SSLSocketFactory base = HttpsURLConnection.getDefaultSSLSocketFactory();
+    private final static SSLSocketFactory delegate = HttpsURLConnection.getDefaultSSLSocketFactory();
 
     @Override
     public String[] getDefaultCipherSuites() {
-        return base.getDefaultCipherSuites();
+        return delegate.getDefaultCipherSuites();
     }
 
     @Override
     public String[] getSupportedCipherSuites() {
-        return base.getSupportedCipherSuites();
+        return delegate.getSupportedCipherSuites();
     }
 
     private Socket createSafeSocket(Socket socket) {
@@ -40,31 +40,31 @@ class NoSSLv3SocketFactory extends SSLSocketFactory {
 
     @Override
     public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
-        return createSafeSocket(base.createSocket(s, host, port, autoClose));
+        return createSafeSocket(delegate.createSocket(s, host, port, autoClose));
     }
 
     @Override
     public Socket createSocket() throws IOException {
-        return createSafeSocket(base.createSocket());
+        return createSafeSocket(delegate.createSocket());
     }
 
     @Override
     public Socket createSocket(String host, int port) throws IOException {
-        return createSafeSocket(base.createSocket(host, port));
+        return createSafeSocket(delegate.createSocket(host, port));
     }
 
     @Override
     public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
-        return createSafeSocket(base.createSocket(host, port, localHost, localPort));
+        return createSafeSocket(delegate.createSocket(host, port, localHost, localPort));
     }
 
     @Override
     public Socket createSocket(InetAddress host, int port) throws IOException {
-        return createSafeSocket(base.createSocket(host, port));
+        return createSafeSocket(delegate.createSocket(host, port));
     }
 
     @Override
     public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
-        return createSafeSocket(base.createSocket(address, port, localAddress, localPort));
+        return createSafeSocket(delegate.createSocket(address, port, localAddress, localPort));
     }
 }

app/shared/src/main/java/com/topjohnwu/magisk/net/Request.java

@@ -1,4 +1,4 @@
-package com.topjohnwu.net;
+package com.topjohnwu.magisk.net;
 
 import android.os.AsyncTask;
 
@@ -23,7 +23,6 @@ import java.util.concurrent.Executor;
 public class Request implements Closeable {
     private HttpURLConnection conn;
     private Executor executor = null;
-    private DownloadProgressListener progress = null;
     private int code = -1;
 
     ErrorHandler err = null;
@@ -66,11 +65,6 @@ public class Request implements Closeable {
         return this;
     }
 
-    public Request setDownloadProgressListener(DownloadProgressListener listener) {
-        progress = listener;
-        return this;
-    }
-
     public Request setErrorHandler(ErrorHandler handler) {
         err = handler;
         return this;
@@ -169,24 +163,13 @@ public class Request implements Closeable {
 
     private BufferedInputStream getInputStream() throws IOException {
         connect0();
-        InputStream in = conn.getInputStream();
-        if (progress != null) {
-            in = new ProgressInputStream(in, conn.getContentLength(), progress) {
-                @Override
-                public void close() throws IOException {
-                    super.close();
-                    conn.disconnect();
-                }
-            };
-        } else {
-            in = new FilterInputStream(in) {
-                @Override
-                public void close() throws IOException {
-                    super.close();
-                    conn.disconnect();
-                }
-            };
-        }
+        InputStream in = new FilterInputStream(conn.getInputStream()) {
+            @Override
+            public void close() throws IOException {
+                super.close();
+                conn.disconnect();
+            }
+        };
         return new BufferedInputStream(in);
     }
 

app/shared/src/main/java/com/topjohnwu/magisk/net/ResponseListener.java

@@ -1,4 +1,4 @@
-package com.topjohnwu.net;
+package com.topjohnwu.magisk.net;
 
 public interface ResponseListener<T> {
     void onResponse(T response);

app/shared/src/main/java/com/topjohnwu/magisk/net/SSLSocketWrapper.java

@@ -1,4 +1,4 @@
-package com.topjohnwu.net;
+package com.topjohnwu.magisk.net;
 
 import java.io.IOException;
 import java.io.InputStream;

app/shared/src/main/java/com/topjohnwu/magisk/utils/APKInstall.java

@@ -5,10 +5,16 @@ import android.content.Intent;
 import android.net.Uri;
 import android.os.Build;
 
+import com.topjohnwu.magisk.FileProvider;
+
 import java.io.File;
 
 public class APKInstall {
     public static void install(Context c, File apk) {
+        c.startActivity(installIntent(c, apk));
+    }
+
+    public static Intent installIntent(Context c, File apk) {
         Intent install = new Intent(Intent.ACTION_INSTALL_PACKAGE);
         install.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
         install.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
@@ -18,6 +24,6 @@ public class APKInstall {
             apk.setReadable(true, false);
             install.setData(Uri.fromFile(apk));
         }
-        c.startActivity(install);
+        return install;
     }
 }

app/shared/src/main/java/com/topjohnwu/magisk/utils/CompoundEnumeration.java

@@ -0,0 +1,35 @@
+package com.topjohnwu.magisk.utils;
+
+import java.util.Enumeration;
+import java.util.NoSuchElementException;
+
+public class CompoundEnumeration<E> implements Enumeration<E> {
+    private Enumeration<E>[] enums;
+    private int index = 0;
+
+    @SafeVarargs
+    public CompoundEnumeration(Enumeration<E> ...enums) {
+        this.enums = enums;
+    }
+
+    private boolean next() {
+        while (index < enums.length) {
+            if (enums[index] != null && enums[index].hasMoreElements()) {
+                return true;
+            }
+            index++;
+        }
+        return false;
+    }
+
+    public boolean hasMoreElements() {
+        return next();
+    }
+
+    public E nextElement() {
+        if (!next()) {
+            throw new NoSuchElementException();
+        }
+        return enums[index].nextElement();
+    }
+}

app/shared/src/main/java/com/topjohnwu/magisk/utils/DynamicClassLoader.java

@@ -0,0 +1,60 @@
+package com.topjohnwu.magisk.utils;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import java.util.Enumeration;
+
+import dalvik.system.DexClassLoader;
+
+public class DynamicClassLoader extends DexClassLoader {
+
+    private ClassLoader base = Object.class.getClassLoader();
+
+    public DynamicClassLoader(File apk, ClassLoader parent) {
+        super(apk.getPath(), apk.getParent(), null, parent);
+    }
+
+    @Override
+    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
+        // First check if already loaded
+        Class cls = findLoadedClass(name);
+        if (cls != null)
+            return cls;
+
+        try {
+            // Then check boot classpath
+            return base.loadClass(name);
+        } catch (ClassNotFoundException ignored) {
+            try {
+                // Next try current dex
+                return findClass(name);
+            } catch (ClassNotFoundException fromSuper) {
+                try {
+                    // Finally try parent
+                    return getParent().loadClass(name);
+                } catch (ClassNotFoundException e) {
+                    throw fromSuper;
+                }
+            }
+        }
+    }
+
+    @Override
+    public URL getResource(String name) {
+        URL resource = base.getResource(name);
+        if (resource != null)
+            return resource;
+        resource = findResource(name);
+        if (resource != null)
+            return resource;
+        resource = getParent().getResource(name);
+        return resource;
+    }
+
+    @Override
+    public Enumeration<URL> getResources(String name) throws IOException {
+        return new CompoundEnumeration<>(base.getResources(name),
+                findResources(name), getParent().getResources(name));
+    }
+}

app/signing/build.gradle.kts

@@ -0,0 +1,35 @@
+import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
+
+plugins {
+    id("java-library")
+    id("java")
+    id("com.github.johnrengelman.shadow") version "6.0.0"
+}
+
+java {
+    sourceCompatibility = JavaVersion.VERSION_1_8
+    targetCompatibility = JavaVersion.VERSION_1_8
+}
+
+val jar by tasks.getting(Jar::class) {
+    manifest {
+        attributes["Main-Class"] = "com.topjohnwu.signing.ZipSigner"
+    }
+}
+
+val shadowJar by tasks.getting(ShadowJar::class) {
+    archiveBaseName.set("zipsigner")
+    archiveClassifier.set(null as String?)
+    archiveVersion.set("4.0")
+}
+
+repositories {
+    jcenter()
+}
+
+dependencies {
+    implementation(fileTree(mapOf("dir" to "libs", "include" to listOf("*.jar"))))
+
+    api("org.bouncycastle:bcprov-jdk15on:1.66")
+    api("org.bouncycastle:bcpkix-jdk15on:1.66")
+}

app/signing/src/main/java/com/topjohnwu/signing/ApkSignerV2.java

@@ -0,0 +1,772 @@
+package com.topjohnwu.signing;
+
+import java.nio.BufferUnderflowException;
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.security.DigestException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * APK Signature Scheme v2 signer.
+ *
+ * <p>APK Signature Scheme v2 is a whole-file signature scheme which aims to protect every single
+ * bit of the APK, as opposed to the JAR Signature Scheme which protects only the names and
+ * uncompressed contents of ZIP entries.
+ */
+public abstract class ApkSignerV2 {
+    /*
+     * The two main goals of APK Signature Scheme v2 are:
+     * 1. Detect any unauthorized modifications to the APK. This is achieved by making the signature
+     *    cover every byte of the APK being signed.
+     * 2. Enable much faster signature and integrity verification. This is achieved by requiring
+     *    only a minimal amount of APK parsing before the signature is verified, thus completely
+     *    bypassing ZIP entry decompression and by making integrity verification parallelizable by
+     *    employing a hash tree.
+     *
+     * The generated signature block is wrapped into an APK Signing Block and inserted into the
+     * original APK immediately before the start of ZIP Central Directory. This is to ensure that
+     * JAR and ZIP parsers continue to work on the signed APK. The APK Signing Block is designed for
+     * extensibility. For example, a future signature scheme could insert its signatures there as
+     * well. The contract of the APK Signing Block is that all contents outside of the block must be
+     * protected by signatures inside the block.
+     */
+
+    public static final int SIGNATURE_RSA_PSS_WITH_SHA256 = 0x0101;
+    public static final int SIGNATURE_RSA_PSS_WITH_SHA512 = 0x0102;
+    public static final int SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256 = 0x0103;
+    public static final int SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512 = 0x0104;
+    public static final int SIGNATURE_ECDSA_WITH_SHA256 = 0x0201;
+    public static final int SIGNATURE_ECDSA_WITH_SHA512 = 0x0202;
+    public static final int SIGNATURE_DSA_WITH_SHA256 = 0x0301;
+    public static final int SIGNATURE_DSA_WITH_SHA512 = 0x0302;
+
+    /**
+     * {@code .SF} file header section attribute indicating that the APK is signed not just with
+     * JAR signature scheme but also with APK Signature Scheme v2 or newer. This attribute
+     * facilitates v2 signature stripping detection.
+     *
+     * <p>The attribute contains a comma-separated set of signature scheme IDs.
+     */
+    public static final String SF_ATTRIBUTE_ANDROID_APK_SIGNED_NAME = "X-Android-APK-Signed";
+    public static final String SF_ATTRIBUTE_ANDROID_APK_SIGNED_VALUE = "2";
+
+    private static final int CONTENT_DIGEST_CHUNKED_SHA256 = 0;
+    private static final int CONTENT_DIGEST_CHUNKED_SHA512 = 1;
+
+    private static final int CONTENT_DIGESTED_CHUNK_MAX_SIZE_BYTES = 1024 * 1024;
+
+    private static final byte[] APK_SIGNING_BLOCK_MAGIC =
+          new byte[] {
+              0x41, 0x50, 0x4b, 0x20, 0x53, 0x69, 0x67, 0x20,
+              0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x20, 0x34, 0x32,
+          };
+    private static final int APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871a;
+
+    private ApkSignerV2() {}
+
+    /**
+     * Signer configuration.
+     */
+    public static final class SignerConfig {
+        /** Private key. */
+        public PrivateKey privateKey;
+
+        /**
+         * Certificates, with the first certificate containing the public key corresponding to
+         * {@link #privateKey}.
+         */
+        public List<X509Certificate> certificates;
+
+        /**
+         * List of signature algorithms with which to sign (see {@code SIGNATURE_...} constants).
+         */
+        public List<Integer> signatureAlgorithms;
+    }
+
+    /**
+     * Signs the provided APK using APK Signature Scheme v2 and returns the signed APK as a list of
+     * consecutive chunks.
+     *
+     * <p>NOTE: To enable APK signature verifier to detect v2 signature stripping, header sections
+     * of META-INF/*.SF files of APK being signed must contain the
+     * {@code X-Android-APK-Signed: true} attribute.
+     *
+     * @param inputApk contents of the APK to be signed. The APK starts at the current position
+     *        of the buffer and ends at the limit of the buffer.
+     * @param signerConfigs signer configurations, one for each signer.
+     *
+     * @throws ApkParseException if the APK cannot be parsed.
+     * @throws InvalidKeyException if a signing key is not suitable for this signature scheme or
+     *         cannot be used in general.
+     * @throws SignatureException if an error occurs when computing digests of generating
+     *         signatures.
+     */
+    public static ByteBuffer[] sign(
+            ByteBuffer inputApk,
+            List<SignerConfig> signerConfigs)
+                    throws ApkParseException, InvalidKeyException, SignatureException {
+        // Slice/create a view in the inputApk to make sure that:
+        // 1. inputApk is what's between position and limit of the original inputApk, and
+        // 2. changes to position, limit, and byte order are not reflected in the original.
+        ByteBuffer originalInputApk = inputApk;
+        inputApk = originalInputApk.slice();
+        inputApk.order(ByteOrder.LITTLE_ENDIAN);
+
+        // Locate ZIP End of Central Directory (EoCD), Central Directory, and check that Central
+        // Directory is immediately followed by the ZIP End of Central Directory.
+        int eocdOffset = ZipUtils.findZipEndOfCentralDirectoryRecord(inputApk);
+        if (eocdOffset == -1) {
+            throw new ApkParseException("Failed to locate ZIP End of Central Directory");
+        }
+        if (ZipUtils.isZip64EndOfCentralDirectoryLocatorPresent(inputApk, eocdOffset)) {
+            throw new ApkParseException("ZIP64 format not supported");
+        }
+        inputApk.position(eocdOffset);
+        long centralDirSizeLong = ZipUtils.getZipEocdCentralDirectorySizeBytes(inputApk);
+        if (centralDirSizeLong > Integer.MAX_VALUE) {
+            throw new ApkParseException(
+                    "ZIP Central Directory size out of range: " + centralDirSizeLong);
+        }
+        int centralDirSize = (int) centralDirSizeLong;
+        long centralDirOffsetLong = ZipUtils.getZipEocdCentralDirectoryOffset(inputApk);
+        if (centralDirOffsetLong > Integer.MAX_VALUE) {
+            throw new ApkParseException(
+                    "ZIP Central Directory offset in file out of range: " + centralDirOffsetLong);
+        }
+        int centralDirOffset = (int) centralDirOffsetLong;
+        int expectedEocdOffset = centralDirOffset + centralDirSize;
+        if (expectedEocdOffset < centralDirOffset) {
+            throw new ApkParseException(
+                    "ZIP Central Directory extent too large. Offset: " + centralDirOffset
+                            + ", size: " + centralDirSize);
+        }
+        if (eocdOffset != expectedEocdOffset) {
+            throw new ApkParseException(
+                    "ZIP Central Directory not immeiately followed by ZIP End of"
+                            + " Central Directory. CD end: " + expectedEocdOffset
+                            + ", EoCD start: " + eocdOffset);
+        }
+
+        // Create ByteBuffers holding the contents of everything before ZIP Central Directory,
+        // ZIP Central Directory, and ZIP End of Central Directory.
+        inputApk.clear();
+        ByteBuffer beforeCentralDir = getByteBuffer(inputApk, centralDirOffset);
+        ByteBuffer centralDir = getByteBuffer(inputApk, eocdOffset - centralDirOffset);
+        // Create a copy of End of Central Directory because we'll need modify its contents later.
+        byte[] eocdBytes = new byte[inputApk.remaining()];
+        inputApk.get(eocdBytes);
+        ByteBuffer eocd = ByteBuffer.wrap(eocdBytes);
+        eocd.order(inputApk.order());
+
+        // Figure which which digests to use for APK contents.
+        Set<Integer> contentDigestAlgorithms = new HashSet<>();
+        for (SignerConfig signerConfig : signerConfigs) {
+            for (int signatureAlgorithm : signerConfig.signatureAlgorithms) {
+                contentDigestAlgorithms.add(
+                        getSignatureAlgorithmContentDigestAlgorithm(signatureAlgorithm));
+            }
+        }
+
+        // Compute digests of APK contents.
+        Map<Integer, byte[]> contentDigests; // digest algorithm ID -> digest
+        try {
+            contentDigests =
+                    computeContentDigests(
+                            contentDigestAlgorithms,
+                            new ByteBuffer[] {beforeCentralDir, centralDir, eocd});
+        } catch (DigestException e) {
+            throw new SignatureException("Failed to compute digests of APK", e);
+        }
+
+        // Sign the digests and wrap the signatures and signer info into an APK Signing Block.
+        ByteBuffer apkSigningBlock =
+                ByteBuffer.wrap(generateApkSigningBlock(signerConfigs, contentDigests));
+
+        // Update Central Directory Offset in End of Central Directory Record. Central Directory
+        // follows the APK Signing Block and thus is shifted by the size of the APK Signing Block.
+        centralDirOffset += apkSigningBlock.remaining();
+        eocd.clear();
+        ZipUtils.setZipEocdCentralDirectoryOffset(eocd, centralDirOffset);
+
+        // Follow the Java NIO pattern for ByteBuffer whose contents have been consumed.
+        originalInputApk.position(originalInputApk.limit());
+
+        // Reset positions (to 0) and limits (to capacity) in the ByteBuffers below to follow the
+        // Java NIO pattern for ByteBuffers which are ready for their contents to be read by caller.
+        // Contrary to the name, this does not clear the contents of these ByteBuffer.
+        beforeCentralDir.clear();
+        centralDir.clear();
+        eocd.clear();
+
+        // Insert APK Signing Block immediately before the ZIP Central Directory.
+        return new ByteBuffer[] {
+            beforeCentralDir,
+            apkSigningBlock,
+            centralDir,
+            eocd,
+        };
+    }
+
+    private static Map<Integer, byte[]> computeContentDigests(
+            Set<Integer> digestAlgorithms,
+            ByteBuffer[] contents) throws DigestException {
+        // For each digest algorithm the result is computed as follows:
+        // 1. Each segment of contents is split into consecutive chunks of 1 MB in size.
+        //    The final chunk will be shorter iff the length of segment is not a multiple of 1 MB.
+        //    No chunks are produced for empty (zero length) segments.
+        // 2. The digest of each chunk is computed over the concatenation of byte 0xa5, the chunk's
+        //    length in bytes (uint32 little-endian) and the chunk's contents.
+        // 3. The output digest is computed over the concatenation of the byte 0x5a, the number of
+        //    chunks (uint32 little-endian) and the concatenation of digests of chunks of all
+        //    segments in-order.
+
+        int chunkCount = 0;
+        for (ByteBuffer input : contents) {
+            chunkCount += getChunkCount(input.remaining(), CONTENT_DIGESTED_CHUNK_MAX_SIZE_BYTES);
+        }
+
+        final Map<Integer, byte[]> digestsOfChunks = new HashMap<>(digestAlgorithms.size());
+        for (int digestAlgorithm : digestAlgorithms) {
+            int digestOutputSizeBytes = getContentDigestAlgorithmOutputSizeBytes(digestAlgorithm);
+            byte[] concatenationOfChunkCountAndChunkDigests =
+                    new byte[5 + chunkCount * digestOutputSizeBytes];
+            concatenationOfChunkCountAndChunkDigests[0] = 0x5a;
+            setUnsignedInt32LittleEngian(
+                    chunkCount, concatenationOfChunkCountAndChunkDigests, 1);
+            digestsOfChunks.put(digestAlgorithm, concatenationOfChunkCountAndChunkDigests);
+        }
+
+        int chunkIndex = 0;
+        byte[] chunkContentPrefix = new byte[5];
+        chunkContentPrefix[0] = (byte) 0xa5;
+        // Optimization opportunity: digests of chunks can be computed in parallel.
+        for (ByteBuffer input : contents) {
+            while (input.hasRemaining()) {
+                int chunkSize =
+                        Math.min(input.remaining(), CONTENT_DIGESTED_CHUNK_MAX_SIZE_BYTES);
+                final ByteBuffer chunk = getByteBuffer(input, chunkSize);
+                for (int digestAlgorithm : digestAlgorithms) {
+                    String jcaAlgorithmName =
+                            getContentDigestAlgorithmJcaDigestAlgorithm(digestAlgorithm);
+                    MessageDigest md;
+                    try {
+                        md = MessageDigest.getInstance(jcaAlgorithmName);
+                    } catch (NoSuchAlgorithmException e) {
+                        throw new DigestException(
+                                jcaAlgorithmName + " MessageDigest not supported", e);
+                    }
+                    // Reset position to 0 and limit to capacity. Position would've been modified
+                    // by the preceding iteration of this loop. NOTE: Contrary to the method name,
+                    // this does not modify the contents of the chunk.
+                    chunk.clear();
+                    setUnsignedInt32LittleEngian(chunk.remaining(), chunkContentPrefix, 1);
+                    md.update(chunkContentPrefix);
+                    md.update(chunk);
+                    byte[] concatenationOfChunkCountAndChunkDigests =
+                            digestsOfChunks.get(digestAlgorithm);
+                    int expectedDigestSizeBytes =
+                            getContentDigestAlgorithmOutputSizeBytes(digestAlgorithm);
+                    int actualDigestSizeBytes =
+                            md.digest(
+                                    concatenationOfChunkCountAndChunkDigests,
+                                    5 + chunkIndex * expectedDigestSizeBytes,
+                                    expectedDigestSizeBytes);
+                    if (actualDigestSizeBytes != expectedDigestSizeBytes) {
+                        throw new DigestException(
+                                "Unexpected output size of " + md.getAlgorithm()
+                                        + " digest: " + actualDigestSizeBytes);
+                    }
+                }
+                chunkIndex++;
+            }
+        }
+
+        Map<Integer, byte[]> result = new HashMap<>(digestAlgorithms.size());
+        for (Map.Entry<Integer, byte[]> entry : digestsOfChunks.entrySet()) {
+            int digestAlgorithm = entry.getKey();
+            byte[] concatenationOfChunkCountAndChunkDigests = entry.getValue();
+            String jcaAlgorithmName = getContentDigestAlgorithmJcaDigestAlgorithm(digestAlgorithm);
+            MessageDigest md;
+            try {
+                md = MessageDigest.getInstance(jcaAlgorithmName);
+            } catch (NoSuchAlgorithmException e) {
+                throw new DigestException(jcaAlgorithmName + " MessageDigest not supported", e);
+            }
+            result.put(digestAlgorithm, md.digest(concatenationOfChunkCountAndChunkDigests));
+        }
+        return result;
+    }
+
+    private static int getChunkCount(int inputSize, int chunkSize) {
+        return (inputSize + chunkSize - 1) / chunkSize;
+    }
+
+    private static void setUnsignedInt32LittleEngian(int value, byte[] result, int offset) {
+        result[offset] = (byte) (value & 0xff);
+        result[offset + 1] = (byte) ((value >> 8) & 0xff);
+        result[offset + 2] = (byte) ((value >> 16) & 0xff);
+        result[offset + 3] = (byte) ((value >> 24) & 0xff);
+    }
+
+    private static byte[] generateApkSigningBlock(
+            List<SignerConfig> signerConfigs,
+            Map<Integer, byte[]> contentDigests) throws InvalidKeyException, SignatureException {
+        byte[] apkSignatureSchemeV2Block =
+                generateApkSignatureSchemeV2Block(signerConfigs, contentDigests);
+        return generateApkSigningBlock(apkSignatureSchemeV2Block);
+    }
+
+    private static byte[] generateApkSigningBlock(byte[] apkSignatureSchemeV2Block) {
+        // FORMAT:
+        // uint64:  size (excluding this field)
+        // repeated ID-value pairs:
+        //     uint64:           size (excluding this field)
+        //     uint32:           ID
+        //     (size - 4) bytes: value
+        // uint64:  size (same as the one above)
+        // uint128: magic
+
+        int resultSize =
+                8 // size
+                + 8 + 4 + apkSignatureSchemeV2Block.length // v2Block as ID-value pair
+                + 8 // size
+                + 16 // magic
+                ;
+        ByteBuffer result = ByteBuffer.allocate(resultSize);
+        result.order(ByteOrder.LITTLE_ENDIAN);
+        long blockSizeFieldValue = resultSize - 8;
+        result.putLong(blockSizeFieldValue);
+
+        long pairSizeFieldValue = 4 + apkSignatureSchemeV2Block.length;
+        result.putLong(pairSizeFieldValue);
+        result.putInt(APK_SIGNATURE_SCHEME_V2_BLOCK_ID);
+        result.put(apkSignatureSchemeV2Block);
+
+        result.putLong(blockSizeFieldValue);
+        result.put(APK_SIGNING_BLOCK_MAGIC);
+
+        return result.array();
+    }
+
+    private static byte[] generateApkSignatureSchemeV2Block(
+            List<SignerConfig> signerConfigs,
+            Map<Integer, byte[]> contentDigests) throws InvalidKeyException, SignatureException {
+        // FORMAT:
+        // * length-prefixed sequence of length-prefixed signer blocks.
+
+        List<byte[]> signerBlocks = new ArrayList<>(signerConfigs.size());
+        int signerNumber = 0;
+        for (SignerConfig signerConfig : signerConfigs) {
+            signerNumber++;
+            byte[] signerBlock;
+            try {
+                signerBlock = generateSignerBlock(signerConfig, contentDigests);
+            } catch (InvalidKeyException e) {
+                throw new InvalidKeyException("Signer #" + signerNumber + " failed", e);
+            } catch (SignatureException e) {
+                throw new SignatureException("Signer #" + signerNumber + " failed", e);
+            }
+            signerBlocks.add(signerBlock);
+        }
+
+        return encodeAsSequenceOfLengthPrefixedElements(
+                new byte[][] {
+                    encodeAsSequenceOfLengthPrefixedElements(signerBlocks),
+                });
+    }
+
+    private static byte[] generateSignerBlock(
+            SignerConfig signerConfig,
+            Map<Integer, byte[]> contentDigests) throws InvalidKeyException, SignatureException {
+        if (signerConfig.certificates.isEmpty()) {
+            throw new SignatureException("No certificates configured for signer");
+        }
+        PublicKey publicKey = signerConfig.certificates.get(0).getPublicKey();
+
+        byte[] encodedPublicKey = encodePublicKey(publicKey);
+
+        V2SignatureSchemeBlock.SignedData signedData = new V2SignatureSchemeBlock.SignedData();
+        try {
+            signedData.certificates = encodeCertificates(signerConfig.certificates);
+        } catch (CertificateEncodingException e) {
+            throw new SignatureException("Failed to encode certificates", e);
+        }
+
+        List<Pair<Integer, byte[]>> digests =
+                new ArrayList<>(signerConfig.signatureAlgorithms.size());
+        for (int signatureAlgorithm : signerConfig.signatureAlgorithms) {
+            int contentDigestAlgorithm =
+                    getSignatureAlgorithmContentDigestAlgorithm(signatureAlgorithm);
+            byte[] contentDigest = contentDigests.get(contentDigestAlgorithm);
+            if (contentDigest == null) {
+                throw new RuntimeException(
+                        getContentDigestAlgorithmJcaDigestAlgorithm(contentDigestAlgorithm)
+                        + " content digest for "
+                        + getSignatureAlgorithmJcaSignatureAlgorithm(signatureAlgorithm)
+                        + " not computed");
+            }
+            digests.add(Pair.create(signatureAlgorithm, contentDigest));
+        }
+        signedData.digests = digests;
+
+        V2SignatureSchemeBlock.Signer signer = new V2SignatureSchemeBlock.Signer();
+        // FORMAT:
+        // * length-prefixed sequence of length-prefixed digests:
+        //   * uint32: signature algorithm ID
+        //   * length-prefixed bytes: digest of contents
+        // * length-prefixed sequence of certificates:
+        //   * length-prefixed bytes: X.509 certificate (ASN.1 DER encoded).
+        // * length-prefixed sequence of length-prefixed additional attributes:
+        //   * uint32: ID
+        //   * (length - 4) bytes: value
+        signer.signedData = encodeAsSequenceOfLengthPrefixedElements(new byte[][] {
+            encodeAsSequenceOfLengthPrefixedPairsOfIntAndLengthPrefixedBytes(signedData.digests),
+            encodeAsSequenceOfLengthPrefixedElements(signedData.certificates),
+            // additional attributes
+            new byte[0],
+        });
+        signer.publicKey = encodedPublicKey;
+        signer.signatures = new ArrayList<>();
+        for (int signatureAlgorithm : signerConfig.signatureAlgorithms) {
+            Pair<String, ? extends AlgorithmParameterSpec> signatureParams =
+                    getSignatureAlgorithmJcaSignatureAlgorithm(signatureAlgorithm);
+            String jcaSignatureAlgorithm = signatureParams.getFirst();
+            AlgorithmParameterSpec jcaSignatureAlgorithmParams = signatureParams.getSecond();
+            byte[] signatureBytes;
+            try {
+                Signature signature = Signature.getInstance(jcaSignatureAlgorithm);
+                signature.initSign(signerConfig.privateKey);
+                if (jcaSignatureAlgorithmParams != null) {
+                    signature.setParameter(jcaSignatureAlgorithmParams);
+                }
+                signature.update(signer.signedData);
+                signatureBytes = signature.sign();
+            } catch (InvalidKeyException e) {
+                throw new InvalidKeyException("Failed sign using " + jcaSignatureAlgorithm, e);
+            } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException
+                    | SignatureException e) {
+                throw new SignatureException("Failed sign using " + jcaSignatureAlgorithm, e);
+            }
+
+            try {
+                Signature signature = Signature.getInstance(jcaSignatureAlgorithm);
+                signature.initVerify(publicKey);
+                if (jcaSignatureAlgorithmParams != null) {
+                    signature.setParameter(jcaSignatureAlgorithmParams);
+                }
+                signature.update(signer.signedData);
+                if (!signature.verify(signatureBytes)) {
+                    throw new SignatureException("Signature did not verify");
+                }
+            } catch (InvalidKeyException e) {
+                throw new InvalidKeyException("Failed to verify generated " + jcaSignatureAlgorithm
+                        + " signature using public key from certificate", e);
+            } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException
+                    | SignatureException e) {
+                throw new SignatureException("Failed to verify generated " + jcaSignatureAlgorithm
+                        + " signature using public key from certificate", e);
+            }
+
+            signer.signatures.add(Pair.create(signatureAlgorithm, signatureBytes));
+        }
+
+        // FORMAT:
+        // * length-prefixed signed data
+        // * length-prefixed sequence of length-prefixed signatures:
+        //   * uint32: signature algorithm ID
+        //   * length-prefixed bytes: signature of signed data
+        // * length-prefixed bytes: public key (X.509 SubjectPublicKeyInfo, ASN.1 DER encoded)
+        return encodeAsSequenceOfLengthPrefixedElements(
+                new byte[][] {
+                    signer.signedData,
+                    encodeAsSequenceOfLengthPrefixedPairsOfIntAndLengthPrefixedBytes(
+                            signer.signatures),
+                    signer.publicKey,
+                });
+    }
+
+    private static final class V2SignatureSchemeBlock {
+        private static final class Signer {
+            public byte[] signedData;
+            public List<Pair<Integer, byte[]>> signatures;
+            public byte[] publicKey;
+        }
+
+        private static final class SignedData {
+            public List<Pair<Integer, byte[]>> digests;
+            public List<byte[]> certificates;
+        }
+    }
+
+    private static byte[] encodePublicKey(PublicKey publicKey) throws InvalidKeyException {
+        byte[] encodedPublicKey = null;
+        if ("X.509".equals(publicKey.getFormat())) {
+            encodedPublicKey = publicKey.getEncoded();
+        }
+        if (encodedPublicKey == null) {
+            try {
+                encodedPublicKey =
+                        KeyFactory.getInstance(publicKey.getAlgorithm())
+                                .getKeySpec(publicKey, X509EncodedKeySpec.class)
+                                .getEncoded();
+            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+                throw new InvalidKeyException(
+                        "Failed to obtain X.509 encoded form of public key " + publicKey
+                                + " of class " + publicKey.getClass().getName(),
+                        e);
+            }
+        }
+        if ((encodedPublicKey == null) || (encodedPublicKey.length == 0)) {
+            throw new InvalidKeyException(
+                    "Failed to obtain X.509 encoded form of public key " + publicKey
+                            + " of class " + publicKey.getClass().getName());
+        }
+        return encodedPublicKey;
+    }
+
+    public static List<byte[]> encodeCertificates(List<X509Certificate> certificates)
+            throws CertificateEncodingException {
+        List<byte[]> result = new ArrayList<>();
+        for (X509Certificate certificate : certificates) {
+            result.add(certificate.getEncoded());
+        }
+        return result;
+    }
+
+    private static byte[] encodeAsSequenceOfLengthPrefixedElements(List<byte[]> sequence) {
+        return encodeAsSequenceOfLengthPrefixedElements(
+                sequence.toArray(new byte[sequence.size()][]));
+    }
+
+    private static byte[] encodeAsSequenceOfLengthPrefixedElements(byte[][] sequence) {
+        int payloadSize = 0;
+        for (byte[] element : sequence) {
+            payloadSize += 4 + element.length;
+        }
+        ByteBuffer result = ByteBuffer.allocate(payloadSize);
+        result.order(ByteOrder.LITTLE_ENDIAN);
+        for (byte[] element : sequence) {
+            result.putInt(element.length);
+            result.put(element);
+        }
+        return result.array();
+      }
+
+    private static byte[] encodeAsSequenceOfLengthPrefixedPairsOfIntAndLengthPrefixedBytes(
+            List<Pair<Integer, byte[]>> sequence) {
+        int resultSize = 0;
+        for (Pair<Integer, byte[]> element : sequence) {
+            resultSize += 12 + element.getSecond().length;
+        }
+        ByteBuffer result = ByteBuffer.allocate(resultSize);
+        result.order(ByteOrder.LITTLE_ENDIAN);
+        for (Pair<Integer, byte[]> element : sequence) {
+            byte[] second = element.getSecond();
+            result.putInt(8 + second.length);
+            result.putInt(element.getFirst());
+            result.putInt(second.length);
+            result.put(second);
+        }
+        return result.array();
+    }
+
+    /**
+     * Relative <em>get</em> method for reading {@code size} number of bytes from the current
+     * position of this buffer.
+     *
+     * <p>This method reads the next {@code size} bytes at this buffer's current position,
+     * returning them as a {@code ByteBuffer} with start set to 0, limit and capacity set to
+     * {@code size}, byte order set to this buffer's byte order; and then increments the position by
+     * {@code size}.
+     */
+    private static ByteBuffer getByteBuffer(ByteBuffer source, int size) {
+        if (size < 0) {
+            throw new IllegalArgumentException("size: " + size);
+        }
+        int originalLimit = source.limit();
+        int position = source.position();
+        int limit = position + size;
+        if ((limit < position) || (limit > originalLimit)) {
+            throw new BufferUnderflowException();
+        }
+        source.limit(limit);
+        try {
+            ByteBuffer result = source.slice();
+            result.order(source.order());
+            source.position(limit);
+            return result;
+        } finally {
+            source.limit(originalLimit);
+        }
+    }
+
+    private static Pair<String, ? extends AlgorithmParameterSpec>
+            getSignatureAlgorithmJcaSignatureAlgorithm(int sigAlgorithm) {
+        switch (sigAlgorithm) {
+            case SIGNATURE_RSA_PSS_WITH_SHA256:
+                return Pair.create(
+                        "SHA256withRSA/PSS",
+                        new PSSParameterSpec(
+                                "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 256 / 8, 1));
+            case SIGNATURE_RSA_PSS_WITH_SHA512:
+                return Pair.create(
+                        "SHA512withRSA/PSS",
+                        new PSSParameterSpec(
+                                "SHA-512", "MGF1", MGF1ParameterSpec.SHA512, 512 / 8, 1));
+            case SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256:
+                return Pair.create("SHA256withRSA", null);
+            case SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512:
+                return Pair.create("SHA512withRSA", null);
+            case SIGNATURE_ECDSA_WITH_SHA256:
+                return Pair.create("SHA256withECDSA", null);
+            case SIGNATURE_ECDSA_WITH_SHA512:
+                return Pair.create("SHA512withECDSA", null);
+            case SIGNATURE_DSA_WITH_SHA256:
+                return Pair.create("SHA256withDSA", null);
+            case SIGNATURE_DSA_WITH_SHA512:
+                return Pair.create("SHA512withDSA", null);
+            default:
+                throw new IllegalArgumentException(
+                        "Unknown signature algorithm: 0x"
+                                + Long.toHexString(sigAlgorithm & 0xffffffff));
+        }
+    }
+
+    private static int getSignatureAlgorithmContentDigestAlgorithm(int sigAlgorithm) {
+        switch (sigAlgorithm) {
+            case SIGNATURE_RSA_PSS_WITH_SHA256:
+            case SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256:
+            case SIGNATURE_ECDSA_WITH_SHA256:
+            case SIGNATURE_DSA_WITH_SHA256:
+                return CONTENT_DIGEST_CHUNKED_SHA256;
+            case SIGNATURE_RSA_PSS_WITH_SHA512:
+            case SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512:
+            case SIGNATURE_ECDSA_WITH_SHA512:
+            case SIGNATURE_DSA_WITH_SHA512:
+                return CONTENT_DIGEST_CHUNKED_SHA512;
+            default:
+                throw new IllegalArgumentException(
+                        "Unknown signature algorithm: 0x"
+                                + Long.toHexString(sigAlgorithm & 0xffffffff));
+        }
+    }
+
+    private static String getContentDigestAlgorithmJcaDigestAlgorithm(int digestAlgorithm) {
+        switch (digestAlgorithm) {
+            case CONTENT_DIGEST_CHUNKED_SHA256:
+                return "SHA-256";
+            case CONTENT_DIGEST_CHUNKED_SHA512:
+                return "SHA-512";
+            default:
+                throw new IllegalArgumentException(
+                        "Unknown content digest algorthm: " + digestAlgorithm);
+        }
+    }
+
+    private static int getContentDigestAlgorithmOutputSizeBytes(int digestAlgorithm) {
+        switch (digestAlgorithm) {
+            case CONTENT_DIGEST_CHUNKED_SHA256:
+                return 256 / 8;
+            case CONTENT_DIGEST_CHUNKED_SHA512:
+                return 512 / 8;
+            default:
+                throw new IllegalArgumentException(
+                        "Unknown content digest algorthm: " + digestAlgorithm);
+        }
+    }
+
+    /**
+     * Indicates that APK file could not be parsed.
+     */
+    public static class ApkParseException extends Exception {
+        private static final long serialVersionUID = 1L;
+
+        public ApkParseException(String message) {
+            super(message);
+        }
+
+        public ApkParseException(String message, Throwable cause) {
+            super(message, cause);
+        }
+    }
+
+    /**
+     * Pair of two elements.
+     */
+    private static class Pair<A, B> {
+        private final A mFirst;
+        private final B mSecond;
+
+        private Pair(A first, B second) {
+            mFirst = first;
+            mSecond = second;
+        }
+
+        public static <A, B> Pair<A, B> create(A first, B second) {
+            return new Pair<>(first, second);
+        }
+
+        public A getFirst() {
+            return mFirst;
+        }
+
+        public B getSecond() {
+            return mSecond;
+        }
+
+        @Override
+        public int hashCode() {
+            final int prime = 31;
+            int result = 1;
+            result = prime * result + ((mFirst == null) ? 0 : mFirst.hashCode());
+            result = prime * result + ((mSecond == null) ? 0 : mSecond.hashCode());
+            return result;
+        }
+
+        @Override
+        public boolean equals(Object obj) {
+            if (this == obj) {
+                return true;
+            }
+            if (obj == null) {
+                return false;
+            }
+            if (getClass() != obj.getClass()) {
+                return false;
+            }
+            @SuppressWarnings("rawtypes")
+            Pair other = (Pair) obj;
+            if (mFirst == null) {
+                if (other.mFirst != null) {
+                    return false;
+                }
+            } else if (!mFirst.equals(other.mFirst)) {
+                return false;
+            }
+            if (mSecond == null) {
+                return other.mSecond == null;
+            } else return mSecond.equals(other.mSecond);
+        }
+    }
+}

app/signing/src/main/java/com/topjohnwu/signing/BootSigner.java

@@ -18,13 +18,19 @@ public class BootSigner {
         } else if (args.length > 0 && "-sign".equals(args[0])) {
             InputStream cert = null;
             InputStream key = null;
+            String name = "/boot";
 
             if (args.length >= 3) {
                 cert = new FileInputStream(args[1]);
                 key = new FileInputStream(args[2]);
             }
+            if (args.length == 2) {
+                name = args[1];
+            } else if (args.length >= 4) {
+                name = args[3];
+            }
 
-            boolean success = SignBoot.doSignature("/boot", System.in, System.out, cert, key);
+            boolean success = SignBoot.doSignature(name, System.in, System.out, cert, key);
             System.exit(success ? 0 : 1);
         } else {
             System.err.println(
@@ -34,8 +40,9 @@ public class BootSigner {
                     "Actions:\n" +
                     "   -verify [x509.pem]\n" +
                     "      verify image, cert is optional\n" +
-                    "   -sign [x509.pem] [pk8]\n" +
-                    "      sign image, cert and key pair is optional\n"
+                    "   -sign [x509.pem] [pk8] [name]\n" +
+                    "      sign image, name, cert and key pair are optional\n" +
+                    "      name should be /boot (default) or /recovery\n"
             );
         }
     }

app/signing/src/main/java/com/topjohnwu/signing/CryptoUtils.java

@@ -24,7 +24,7 @@ import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.HashMap;
 import java.util.Map;
 
-class CryptoUtils {
+public class CryptoUtils {
 
     static final Map<String, String> ID_TO_ALG;
     static final Map<String, String> ALG_TO_ID;
@@ -81,7 +81,7 @@ class CryptoUtils {
         return new AlgorithmIdentifier(new ASN1ObjectIdentifier(id));
     }
 
-    static X509Certificate readCertificate(InputStream input)
+    public static X509Certificate readCertificate(InputStream input)
             throws IOException, GeneralSecurityException {
         try {
             CertificateFactory cf = CertificateFactory.getInstance("X.509");
@@ -92,7 +92,7 @@ class CryptoUtils {
     }
 
     /** Read a PKCS#8 format private key. */
-    static PrivateKey readPrivateKey(InputStream input)
+    public static PrivateKey readPrivateKey(InputStream input)
             throws IOException, GeneralSecurityException {
         try {
             ByteArrayStream buf = new ByteArrayStream();

app/signing/src/main/java/com/topjohnwu/signing/JarMap.java

@@ -0,0 +1,174 @@
+package com.topjohnwu.signing;
+
+import java.io.Closeable;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.LinkedHashMap;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarInputStream;
+import java.util.jar.Manifest;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipFile;
+
+public abstract class JarMap implements Closeable {
+
+    LinkedHashMap<String, JarEntry> entryMap;
+
+    public static JarMap open(String file) throws IOException {
+        return new FileMap(new File(file), true, ZipFile.OPEN_READ);
+    }
+
+    public static JarMap open(File file, boolean verify) throws IOException {
+        return new FileMap(file, verify, ZipFile.OPEN_READ);
+    }
+
+    public static JarMap open(String file, boolean verify) throws IOException {
+        return new FileMap(new File(file), verify, ZipFile.OPEN_READ);
+    }
+
+    public static JarMap open(InputStream is, boolean verify) throws IOException {
+        return new StreamMap(is, verify);
+    }
+
+    public File getFile() {
+        return null;
+    }
+
+    public abstract Manifest getManifest() throws IOException;
+
+    public InputStream getInputStream(ZipEntry ze) throws IOException {
+        JarMapEntry e = getMapEntry(ze.getName());
+        return e != null ? e.data.getInputStream() : null;
+    }
+
+    public OutputStream getOutputStream(ZipEntry ze) {
+        if (entryMap == null)
+            entryMap = new LinkedHashMap<>();
+        JarMapEntry e = new JarMapEntry(ze.getName());
+        entryMap.put(ze.getName(), e);
+        return e.data;
+    }
+
+    public byte[] getRawData(ZipEntry ze) throws IOException {
+        JarMapEntry e = getMapEntry(ze.getName());
+        return e != null ? e.data.toByteArray() : null;
+    }
+
+    public abstract Enumeration<JarEntry> entries();
+
+    public final ZipEntry getEntry(String name) {
+        return getJarEntry(name);
+    }
+
+    public JarEntry getJarEntry(String name) {
+        return getMapEntry(name);
+    }
+
+    JarMapEntry getMapEntry(String name) {
+        JarMapEntry e = null;
+        if (entryMap != null)
+            e = (JarMapEntry) entryMap.get(name);
+        return e;
+    }
+
+    private static class FileMap extends JarMap {
+
+        private JarFile jarFile;
+
+        FileMap(File file, boolean verify, int mode) throws IOException {
+            jarFile = new JarFile(file, verify, mode);
+        }
+
+        @Override
+        public File getFile() {
+            return new File(jarFile.getName());
+        }
+
+        @Override
+        public Manifest getManifest() throws IOException {
+            return jarFile.getManifest();
+        }
+
+        @Override
+        public InputStream getInputStream(ZipEntry ze) throws IOException {
+            InputStream is = super.getInputStream(ze);
+            return is != null ? is : jarFile.getInputStream(ze);
+        }
+
+        @Override
+        public byte[] getRawData(ZipEntry ze) throws IOException {
+            byte[] b = super.getRawData(ze);
+            if (b != null)
+                return b;
+            ByteArrayStream bytes = new ByteArrayStream();
+            bytes.readFrom(jarFile.getInputStream(ze));
+            return bytes.toByteArray();
+        }
+
+        @Override
+        public Enumeration<JarEntry> entries() {
+            return jarFile.entries();
+        }
+
+        @Override
+        public JarEntry getJarEntry(String name) {
+            JarEntry e = getMapEntry(name);
+            return e != null ? e : jarFile.getJarEntry(name);
+        }
+
+        @Override
+        public void close() throws IOException {
+            jarFile.close();
+        }
+    }
+
+    private static class StreamMap extends JarMap {
+
+        private JarInputStream jis;
+
+        StreamMap(InputStream is, boolean verify) throws IOException {
+            jis = new JarInputStream(is, verify);
+            entryMap = new LinkedHashMap<>();
+            JarEntry entry;
+            while ((entry = jis.getNextJarEntry()) != null) {
+                entryMap.put(entry.getName(), new JarMapEntry(entry, jis));
+            }
+        }
+
+        @Override
+        public Manifest getManifest() {
+            return jis.getManifest();
+        }
+
+        @Override
+        public Enumeration<JarEntry> entries() {
+            return Collections.enumeration(entryMap.values());
+        }
+
+        @Override
+        public void close() throws IOException {
+            jis.close();
+        }
+    }
+
+    private static class JarMapEntry extends JarEntry {
+
+        ByteArrayStream data;
+
+        JarMapEntry(JarEntry je, InputStream is) {
+            super(je);
+            data = new ByteArrayStream();
+            data.readFrom(is);
+        }
+
+        JarMapEntry(String s) {
+            super(s);
+            data = new ByteArrayStream();
+        }
+    }
+}

app/signing/src/main/java/com/topjohnwu/signing/SignApk.java

@@ -1,9 +1,8 @@
 package com.topjohnwu.signing;
 
+import org.bouncycastle.asn1.ASN1Encoding;
 import org.bouncycastle.asn1.ASN1InputStream;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.DEROutputStream;
-import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
+import org.bouncycastle.asn1.ASN1OutputStream;
 import org.bouncycastle.cert.jcajce.JcaCertStore;
 import org.bouncycastle.cms.CMSException;
 import org.bouncycastle.cms.CMSProcessableByteArray;
@@ -11,35 +10,38 @@ import org.bouncycastle.cms.CMSSignedData;
 import org.bouncycastle.cms.CMSSignedDataGenerator;
 import org.bouncycastle.cms.CMSTypedData;
 import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
 import org.bouncycastle.util.encoders.Base64;
 
-import java.io.BufferedOutputStream;
 import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.FilterOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintStream;
-import java.io.RandomAccessFile;
+import java.nio.ByteBuffer;
 import java.security.DigestOutputStream;
 import java.security.GeneralSecurityException;
-import java.security.KeyStore;
+import java.security.InvalidKeyException;
 import java.security.MessageDigest;
 import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Security;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.TimeZone;
 import java.util.TreeMap;
 import java.util.jar.Attributes;
 import java.util.jar.JarEntry;
@@ -49,87 +51,28 @@ import java.util.jar.Manifest;
 import java.util.regex.Pattern;
 
 /*
-* Modified from from AOSP(Marshmallow) SignAPK.java
-* */
-
-public class SignAPK {
+ * Modified from from AOSP
+ * https://android.googlesource.com/platform/build/+/refs/tags/android-7.1.2_r39/tools/signapk/src/com/android/signapk/SignApk.java
+ * */
 
+public class SignApk {
     private static final String CERT_SF_NAME = "META-INF/CERT.SF";
     private static final String CERT_SIG_NAME = "META-INF/CERT.%s";
+    private static final String CERT_SF_MULTI_NAME = "META-INF/CERT%d.SF";
+    private static final String CERT_SIG_MULTI_NAME = "META-INF/CERT%d.%s";
 
     // bitmasks for which hash algorithms we need the manifest to include.
     private static final int USE_SHA1 = 1;
     private static final int USE_SHA256 = 2;
 
-    public static void sign(JarMap input, OutputStream output) throws Exception {
-        sign(SignAPK.class.getResourceAsStream("/keys/testkey.x509.pem"),
-             SignAPK.class.getResourceAsStream("/keys/testkey.pk8"), input, output);
-    }
-
-    public static void sign(InputStream certIs, InputStream keyIs,
-                            JarMap input, OutputStream output) throws Exception {
-        X509Certificate cert = CryptoUtils.readCertificate(certIs);
-        PrivateKey key = CryptoUtils.readPrivateKey(keyIs);
-        sign(cert, key, input, output);
-    }
-
-    public static void sign(InputStream jks, String keyStorePass, String alias, String keyPass,
-                            JarMap input, OutputStream output) throws Exception {
-        KeyStore ks = KeyStore.getInstance("JKS");
-        ks.load(jks, keyStorePass.toCharArray());
-        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
-        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass.toCharArray());
-        sign(cert, key, input, output);
-    }
-
-    private static void sign(X509Certificate cert, PrivateKey key,
-                             JarMap input, OutputStream output) throws Exception {
-        File temp1 = File.createTempFile("signAPK", null);
-        File temp2 = File.createTempFile("signAPK", null);
-
-        try {
-            try (OutputStream out = new BufferedOutputStream(new FileOutputStream(temp1))) {
-                sign(cert, key, input, out, false);
-            }
-
-            ZipAdjust.adjust(temp1, temp2);
-
-            try (JarMap map = new JarMap(temp2, false)) {
-                sign(cert, key, map, output, true);
-            }
-        } finally {
-            temp1.delete();
-            temp2.delete();
-        }
-    }
-
-    private static void sign(X509Certificate cert, PrivateKey key,
-                             JarMap input, OutputStream output, boolean minSign) throws Exception {
-        int hashes = 0;
-        hashes |= getDigestAlgorithm(cert);
-
-        // Set the ZIP file timestamp to the starting valid time
-        // of the 0th certificate plus one hour (to match what
-        // we've historically done).
-        long timestamp = cert.getNotBefore().getTime() + 3600L * 1000;
-
-        if (minSign) {
-            signWholeFile(input.getFile(), cert, key, output);
-        } else {
-            JarOutputStream outputJar = new JarOutputStream(output);
-            // For signing .apks, use the maximum compression to make
-            // them as small as possible (since they live forever on
-            // the system partition).  For OTA packages, use the
-            // default compression level, which is much much faster
-            // and produces output that is only a tiny bit larger
-            // (~0.1% on full OTA packages I tested).
-            outputJar.setLevel(9);
-            Manifest manifest = addDigestsToManifest(input, hashes);
-            copyFiles(manifest, input, outputJar, timestamp, 4);
-            signFile(manifest, input, cert, key, outputJar);
-            outputJar.close();
-        }
-    }
+    /**
+     * Digest algorithm used when signing the APK using APK Signature Scheme v2.
+     */
+    private static final String APK_SIG_SCHEME_V2_DIGEST_ALGORITHM = "SHA-256";
+    // Files matching this pattern are not copied to the output.
+    private static final Pattern stripPattern =
+            Pattern.compile("^(META-INF/((.*)[.](SF|RSA|DSA|EC)|com/android/otacert))|(" +
+                    Pattern.quote(JarFile.MANIFEST_NAME) + ")$");
 
     /**
      * Return one of USE_SHA1 or USE_SHA256 according to the signature
@@ -137,7 +80,7 @@ public class SignAPK {
      */
     private static int getDigestAlgorithm(X509Certificate cert) {
         String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
-        if (sigAlg.startsWith("SHA1WITHRSA") || sigAlg.startsWith("MD5WITHRSA")) {
+        if ("SHA1WITHRSA".equals(sigAlg) || "MD5WITHRSA".equals(sigAlg)) {
             return USE_SHA1;
         } else if (sigAlg.startsWith("SHA256WITH")) {
             return USE_SHA256;
@@ -146,9 +89,11 @@ public class SignAPK {
                     "\" in cert [" + cert.getSubjectDN());
         }
     }
-    /** Returns the expected signature algorithm for this key type. */
+
+    /**
+     * Returns the expected signature algorithm for this key type.
+     */
     private static String getSignatureAlgorithm(X509Certificate cert) {
-        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
         String keyType = cert.getPublicKey().getAlgorithm().toUpperCase(Locale.US);
         if ("RSA".equalsIgnoreCase(keyType)) {
             if (getDigestAlgorithm(cert) == USE_SHA256) {
@@ -162,10 +107,6 @@ public class SignAPK {
             throw new IllegalArgumentException("unsupported key type: " + keyType);
         }
     }
-    // Files matching this pattern are not copied to the output.
-    private static Pattern stripPattern =
-            Pattern.compile("^(META-INF/((.*)[.](SF|RSA|DSA|EC)|com/android/otacert))|(" +
-                    Pattern.quote(JarFile.MANIFEST_NAME) + ")$");
 
     /**
      * Add the hash(es) of every file to the manifest, creating it if
@@ -182,6 +123,7 @@ public class SignAPK {
             main.putValue("Manifest-Version", "1.0");
             main.putValue("Created-By", "1.0 (Android SignApk)");
         }
+
         MessageDigest md_sha1 = null;
         MessageDigest md_sha256 = null;
         if ((hashes & USE_SHA1) != 0) {
@@ -190,32 +132,51 @@ public class SignAPK {
         if ((hashes & USE_SHA256) != 0) {
             md_sha256 = MessageDigest.getInstance("SHA256");
         }
+
         byte[] buffer = new byte[4096];
         int num;
+
         // We sort the input entries by name, and add them to the
         // output manifest in sorted order.  We expect that the output
         // map will be deterministic.
-        TreeMap<String, JarEntry> byName = new TreeMap<String, JarEntry>();
+
+        TreeMap<String, JarEntry> byName = new TreeMap<>();
+
         for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
             JarEntry entry = e.nextElement();
             byName.put(entry.getName(), entry);
         }
-        for (JarEntry entry: byName.values()) {
+
+        for (JarEntry entry : byName.values()) {
             String name = entry.getName();
-            if (!entry.isDirectory() &&
-                    (stripPattern == null || !stripPattern.matcher(name).matches())) {
+            if (!entry.isDirectory() && !stripPattern.matcher(name).matches()) {
                 InputStream data = jar.getInputStream(entry);
                 while ((num = data.read(buffer)) > 0) {
                     if (md_sha1 != null) md_sha1.update(buffer, 0, num);
                     if (md_sha256 != null) md_sha256.update(buffer, 0, num);
                 }
+
                 Attributes attr = null;
                 if (input != null) attr = input.getAttributes(name);
                 attr = attr != null ? new Attributes(attr) : new Attributes();
+                // Remove any previously computed digests from this entry's attributes.
+                for (Iterator<Object> i = attr.keySet().iterator(); i.hasNext(); ) {
+                    Object key = i.next();
+                    if (!(key instanceof Attributes.Name)) {
+                        continue;
+                    }
+                    String attributeNameLowerCase =
+                            key.toString().toLowerCase(Locale.US);
+                    if (attributeNameLowerCase.endsWith("-digest")) {
+                        i.remove();
+                    }
+                }
+                // Add SHA-1 digest if requested
                 if (md_sha1 != null) {
                     attr.putValue("SHA1-Digest",
                             new String(Base64.encode(md_sha1.digest()), "ASCII"));
                 }
+                // Add SHA-256 digest if requested
                 if (md_sha256 != null) {
                     attr.putValue("SHA-256-Digest",
                             new String(Base64.encode(md_sha256.digest()), "ASCII"));
@@ -223,33 +184,13 @@ public class SignAPK {
                 output.getEntries().put(name, attr);
             }
         }
+
         return output;
     }
 
-    /** Write to another stream and track how many bytes have been
-     *  written.
+    /**
+     * Write a .SF file with a digest of the specified manifest.
      */
-    private static class CountOutputStream extends FilterOutputStream {
-        private int mCount;
-        public CountOutputStream(OutputStream out) {
-            super(out);
-            mCount = 0;
-        }
-        @Override
-        public void write(int b) throws IOException {
-            super.write(b);
-            mCount++;
-        }
-        @Override
-        public void write(byte[] b, int off, int len) throws IOException {
-            super.write(b, off, len);
-            mCount += len;
-        }
-        public int size() {
-            return mCount;
-        }
-    }
-    /** Write a .SF file with a digest of the specified manifest. */
     private static void writeSignatureFile(Manifest manifest, OutputStream out,
                                            int hash)
             throws IOException, GeneralSecurityException {
@@ -257,16 +198,25 @@ public class SignAPK {
         Attributes main = sf.getMainAttributes();
         main.putValue("Signature-Version", "1.0");
         main.putValue("Created-By", "1.0 (Android SignApk)");
-        MessageDigest md = MessageDigest.getInstance(
-                hash == USE_SHA256 ? "SHA256" : "SHA1");
-        PrintStream print = new PrintStream(
-                new DigestOutputStream(new ByteArrayOutputStream(), md),
+        // Add APK Signature Scheme v2 signature stripping protection.
+        // This attribute indicates that this APK is supposed to have been signed using one or
+        // more APK-specific signature schemes in addition to the standard JAR signature scheme
+        // used by this code. APK signature verifier should reject the APK if it does not
+        // contain a signature for the signature scheme the verifier prefers out of this set.
+        main.putValue(
+                ApkSignerV2.SF_ATTRIBUTE_ANDROID_APK_SIGNED_NAME,
+                ApkSignerV2.SF_ATTRIBUTE_ANDROID_APK_SIGNED_VALUE);
+
+        MessageDigest md = MessageDigest.getInstance(hash == USE_SHA256 ? "SHA256" : "SHA1");
+        PrintStream print = new PrintStream(new DigestOutputStream(new ByteArrayOutputStream(), md),
                 true, "UTF-8");
+
         // Digest of the entire manifest
         manifest.write(print);
         print.flush();
         main.putValue(hash == USE_SHA256 ? "SHA-256-Digest-Manifest" : "SHA1-Digest-Manifest",
                 new String(Base64.encode(md.digest()), "ASCII"));
+
         Map<String, Attributes> entries = manifest.getEntries();
         for (Map.Entry<String, Attributes> entry : entries.entrySet()) {
             // Digest of the manifest stanza for this entry.
@@ -276,13 +226,16 @@ public class SignAPK {
             }
             print.print("\r\n");
             print.flush();
+
             Attributes sfAttr = new Attributes();
-            sfAttr.putValue(hash == USE_SHA256 ? "SHA-256-Digest" : "SHA1-Digest-Manifest",
+            sfAttr.putValue(hash == USE_SHA256 ? "SHA-256-Digest" : "SHA1-Digest",
                     new String(Base64.encode(md.digest()), "ASCII"));
             sf.getEntries().put(entry.getKey(), sfAttr);
         }
+
         CountOutputStream cout = new CountOutputStream(out);
         sf.write(cout);
+
         // A bug in the java.util.jar implementation of Android platforms
         // up to version 1.6 will cause a spurious IOException to be thrown
         // if the length of the signature file is a multiple of 1024 bytes.
@@ -292,10 +245,12 @@ public class SignAPK {
             cout.write('\n');
         }
     }
-    /** Sign data and write the digital signature to 'out'. */
+
+    /**
+     * Sign data and write the digital signature to 'out'.
+     */
     private static void writeSignatureBlock(
-            CMSTypedData data, X509Certificate publicKey, PrivateKey privateKey,
-            OutputStream out)
+            CMSTypedData data, X509Certificate publicKey, PrivateKey privateKey, OutputStream out)
             throws IOException,
             CertificateEncodingException,
             OperatorCreationException,
@@ -303,20 +258,24 @@ public class SignAPK {
         ArrayList<X509Certificate> certList = new ArrayList<>(1);
         certList.add(publicKey);
         JcaCertStore certs = new JcaCertStore(certList);
+
         CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
         ContentSigner signer = new JcaContentSignerBuilder(getSignatureAlgorithm(publicKey))
                 .build(privateKey);
         gen.addSignerInfoGenerator(
-                new JcaSignerInfoGeneratorBuilder(
-                        new JcaDigestCalculatorProviderBuilder().build())
+                new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                         .setDirectSignature(true)
-                        .build(signer, publicKey));
+                        .build(signer, publicKey)
+        );
         gen.addCertificates(certs);
         CMSSignedData sigData = gen.generate(data, false);
-        ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded());
-        DEROutputStream dos = new DEROutputStream(out);
-        dos.writeObject(asn1.readObject());
+
+        try (ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded())) {
+            ASN1OutputStream dos = ASN1OutputStream.create(out, ASN1Encoding.DER);
+            dos.writeObject(asn1.readObject());
+        }
     }
+
     /**
      * Copy all the files in a manifest from input to output.  We set
      * the modification times in the output to a fixed time, so as to
@@ -324,27 +283,37 @@ public class SignAPK {
      * more efficient.
      */
     private static void copyFiles(Manifest manifest, JarMap in, JarOutputStream out,
-                                  long timestamp, int alignment) throws IOException {
+                                  long timestamp, int defaultAlignment) throws IOException {
         byte[] buffer = new byte[4096];
         int num;
+
         Map<String, Attributes> entries = manifest.getEntries();
         ArrayList<String> names = new ArrayList<>(entries.keySet());
         Collections.sort(names);
+
         boolean firstEntry = true;
         long offset = 0L;
+
         // We do the copy in two passes -- first copying all the
         // entries that are STORED, then copying all the entries that
         // have any other compression flag (which in practice means
         // DEFLATED).  This groups all the stored entries together at
         // the start of the file and makes it easier to do alignment
         // on them (since only stored entries are aligned).
+
         for (String name : names) {
             JarEntry inEntry = in.getJarEntry(name);
-            JarEntry outEntry = null;
+            JarEntry outEntry;
             if (inEntry.getMethod() != JarEntry.STORED) continue;
             // Preserve the STORED method of the input entry.
             outEntry = new JarEntry(inEntry);
             outEntry.setTime(timestamp);
+            // Discard comment and extra fields of this entry to
+            // simplify alignment logic below and for consistency with
+            // how compressed entries are handled later.
+            outEntry.setComment(null);
+            outEntry.setExtra(null);
+
             // 'offset' is the offset into the file at which we expect
             // the file data to begin.  This is the value we need to
             // make a multiple of 'alignement'.
@@ -358,15 +327,18 @@ public class SignAPK {
                 offset += 4;
                 firstEntry = false;
             }
+            int alignment = getStoredEntryDataAlignment(name, defaultAlignment);
             if (alignment > 0 && (offset % alignment != 0)) {
                 // Set the "extra data" of the entry to between 1 and
                 // alignment-1 bytes, to make the file data begin at
                 // an aligned offset.
-                int needed = alignment - (int)(offset % alignment);
+                int needed = alignment - (int) (offset % alignment);
                 outEntry.setExtra(new byte[needed]);
                 offset += needed;
             }
+
             out.putNextEntry(outEntry);
+
             InputStream data = in.getInputStream(inEntry);
             while ((num = data.read(buffer)) > 0) {
                 out.write(buffer, 0, num);
@@ -374,17 +346,20 @@ public class SignAPK {
             }
             out.flush();
         }
+
         // Copy all the non-STORED entries.  We don't attempt to
         // maintain the 'offset' variable past this point; we don't do
         // alignment on these entries.
+
         for (String name : names) {
             JarEntry inEntry = in.getJarEntry(name);
-            JarEntry outEntry = null;
+            JarEntry outEntry;
             if (inEntry.getMethod() == JarEntry.STORED) continue;
             // Create a new entry so that the compressed len is recomputed.
             outEntry = new JarEntry(name);
             outEntry.setTime(timestamp);
             out.putNextEntry(outEntry);
+
             InputStream data = in.getInputStream(inEntry);
             while ((num = data.read(buffer)) > 0) {
                 out.write(buffer, 0, num);
@@ -393,134 +368,203 @@ public class SignAPK {
         }
     }
 
-    // This class is to provide a file's content, but trimming out the last two bytes
-    // Used for signWholeFile
-    private static class CMSProcessableFile implements CMSTypedData {
-
-        private ASN1ObjectIdentifier type;
-        private RandomAccessFile file;
-
-        CMSProcessableFile(File file) throws FileNotFoundException {
-            this.file = new RandomAccessFile(file, "r");
-            type = new ASN1ObjectIdentifier(CMSObjectIdentifiers.data.getId());
+    /**
+     * Returns the multiple (in bytes) at which the provided {@code STORED} entry's data must start
+     * relative to start of file or {@code 0} if alignment of this entry's data is not important.
+     */
+    private static int getStoredEntryDataAlignment(String entryName, int defaultAlignment) {
+        if (defaultAlignment <= 0) {
+            return 0;
         }
 
-        @Override
-        public ASN1ObjectIdentifier getContentType() {
-            return type;
-        }
-
-        @Override
-        public void write(OutputStream out) throws IOException, CMSException {
-            file.seek(0);
-            int read;
-            byte buffer[] = new byte[4096];
-            int len = (int) file.length() - 2;
-            while ((read = file.read(buffer, 0, len < buffer.length ? len : buffer.length)) > 0) {
-                out.write(buffer, 0, read);
-                len -= read;
-            }
-        }
-
-        @Override
-        public Object getContent() {
-            return file;
-        }
-
-        byte[] getTail() throws IOException {
-            byte tail[] = new byte[22];
-            file.seek(file.length() - 22);
-            file.readFully(tail);
-            return tail;
+        if (entryName.endsWith(".so")) {
+            // Align .so contents to memory page boundary to enable memory-mapped
+            // execution.
+            return 4096;
+        } else {
+            return defaultAlignment;
         }
     }
 
-    private static void signWholeFile(File input, X509Certificate publicKey,
-                                      PrivateKey privateKey, OutputStream outputStream)
-            throws Exception {
-        ByteArrayOutputStream temp = new ByteArrayOutputStream();
-        // put a readable message and a null char at the start of the
-        // archive comment, so that tools that display the comment
-        // (hopefully) show something sensible.
-        // TODO: anything more useful we can put in this message?
-        byte[] message = "signed by SignApk".getBytes("UTF-8");
-        temp.write(message);
-        temp.write(0);
-
-        CMSProcessableFile cmsFile = new CMSProcessableFile(input);
-        writeSignatureBlock(cmsFile, publicKey, privateKey, temp);
-
-        // For a zip with no archive comment, the
-        // end-of-central-directory record will be 22 bytes long, so
-        // we expect to find the EOCD marker 22 bytes from the end.
-        byte[] zipData = cmsFile.getTail();
-        if (zipData[zipData.length-22] != 0x50 ||
-                zipData[zipData.length-21] != 0x4b ||
-                zipData[zipData.length-20] != 0x05 ||
-                zipData[zipData.length-19] != 0x06) {
-            throw new IllegalArgumentException("zip data already has an archive comment");
-        }
-        int total_size = temp.size() + 6;
-        if (total_size > 0xffff) {
-            throw new IllegalArgumentException("signature is too big for ZIP file comment");
-        }
-        // signature starts this many bytes from the end of the file
-        int signature_start = total_size - message.length - 1;
-        temp.write(signature_start & 0xff);
-        temp.write((signature_start >> 8) & 0xff);
-        // Why the 0xff bytes?  In a zip file with no archive comment,
-        // bytes [-6:-2] of the file are the little-endian offset from
-        // the start of the file to the central directory.  So for the
-        // two high bytes to be 0xff 0xff, the archive would have to
-        // be nearly 4GB in size.  So it's unlikely that a real
-        // commentless archive would have 0xffs here, and lets us tell
-        // an old signed archive from a new one.
-        temp.write(0xff);
-        temp.write(0xff);
-        temp.write(total_size & 0xff);
-        temp.write((total_size >> 8) & 0xff);
-        temp.flush();
-        // Signature verification checks that the EOCD header is the
-        // last such sequence in the file (to avoid minzip finding a
-        // fake EOCD appended after the signature in its scan).  The
-        // odds of producing this sequence by chance are very low, but
-        // let's catch it here if it does.
-        byte[] b = temp.toByteArray();
-        for (int i = 0; i < b.length-3; ++i) {
-            if (b[i] == 0x50 && b[i+1] == 0x4b && b[i+2] == 0x05 && b[i+3] == 0x06) {
-                throw new IllegalArgumentException("found spurious EOCD header at " + i);
-            }
-        }
-        cmsFile.write(outputStream);
-        outputStream.write(total_size & 0xff);
-        outputStream.write((total_size >> 8) & 0xff);
-        temp.writeTo(outputStream);
-        outputStream.close();
-    }
-    private static void signFile(Manifest manifest, JarMap inputJar,
-                                 X509Certificate publicKey, PrivateKey privateKey,
-                                 JarOutputStream outputJar)
-            throws Exception {
-        // Assume the certificate is valid for at least an hour.
-        long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
+    private static void signFile(Manifest manifest,
+                                 X509Certificate[] publicKey, PrivateKey[] privateKey,
+                                 long timestamp, JarOutputStream outputJar) throws Exception {
         // MANIFEST.MF
         JarEntry je = new JarEntry(JarFile.MANIFEST_NAME);
         je.setTime(timestamp);
         outputJar.putNextEntry(je);
         manifest.write(outputJar);
-        je = new JarEntry(CERT_SF_NAME);
-        je.setTime(timestamp);
-        outputJar.putNextEntry(je);
-        ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        writeSignatureFile(manifest, baos, getDigestAlgorithm(publicKey));
-        byte[] signedData = baos.toByteArray();
-        outputJar.write(signedData);
-        // CERT.{EC,RSA} / CERT#.{EC,RSA}
-        final String keyType = publicKey.getPublicKey().getAlgorithm();
-        je = new JarEntry(String.format(CERT_SIG_NAME, keyType));
-        je.setTime(timestamp);
-        outputJar.putNextEntry(je);
-        writeSignatureBlock(new CMSProcessableByteArray(signedData),
-                publicKey, privateKey, outputJar);
+
+        int numKeys = publicKey.length;
+        for (int k = 0; k < numKeys; ++k) {
+            // CERT.SF / CERT#.SF
+            je = new JarEntry(numKeys == 1 ? CERT_SF_NAME :
+                    (String.format(Locale.US, CERT_SF_MULTI_NAME, k)));
+            je.setTime(timestamp);
+            outputJar.putNextEntry(je);
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            writeSignatureFile(manifest, baos, getDigestAlgorithm(publicKey[k]));
+            byte[] signedData = baos.toByteArray();
+            outputJar.write(signedData);
+
+            // CERT.{EC,RSA} / CERT#.{EC,RSA}
+            final String keyType = publicKey[k].getPublicKey().getAlgorithm();
+            je = new JarEntry(numKeys == 1 ? (String.format(CERT_SIG_NAME, keyType)) :
+                    (String.format(Locale.US, CERT_SIG_MULTI_NAME, k, keyType)));
+            je.setTime(timestamp);
+            outputJar.putNextEntry(je);
+            writeSignatureBlock(new CMSProcessableByteArray(signedData),
+                    publicKey[k], privateKey[k], outputJar);
+        }
+    }
+
+    /**
+     * Converts the provided lists of private keys, their X.509 certificates, and digest algorithms
+     * into a list of APK Signature Scheme v2 {@code SignerConfig} instances.
+     */
+    private static List<ApkSignerV2.SignerConfig> createV2SignerConfigs(
+            PrivateKey[] privateKeys, X509Certificate[] certificates, String[] digestAlgorithms)
+            throws InvalidKeyException {
+        if (privateKeys.length != certificates.length) {
+            throw new IllegalArgumentException(
+                    "The number of private keys must match the number of certificates: "
+                            + privateKeys.length + " vs" + certificates.length);
+        }
+        List<ApkSignerV2.SignerConfig> result = new ArrayList<>(privateKeys.length);
+        for (int i = 0; i < privateKeys.length; i++) {
+            PrivateKey privateKey = privateKeys[i];
+            X509Certificate certificate = certificates[i];
+            PublicKey publicKey = certificate.getPublicKey();
+            String keyAlgorithm = privateKey.getAlgorithm();
+            if (!keyAlgorithm.equalsIgnoreCase(publicKey.getAlgorithm())) {
+                throw new InvalidKeyException(
+                        "Key algorithm of private key #" + (i + 1) + " does not match key"
+                                + " algorithm of public key #" + (i + 1) + ": " + keyAlgorithm
+                                + " vs " + publicKey.getAlgorithm());
+            }
+            ApkSignerV2.SignerConfig signerConfig = new ApkSignerV2.SignerConfig();
+            signerConfig.privateKey = privateKey;
+            signerConfig.certificates = Collections.singletonList(certificate);
+            List<Integer> signatureAlgorithms = new ArrayList<>(digestAlgorithms.length);
+            for (String digestAlgorithm : digestAlgorithms) {
+                try {
+                    signatureAlgorithms.add(getV2SignatureAlgorithm(keyAlgorithm, digestAlgorithm));
+                } catch (IllegalArgumentException e) {
+                    throw new InvalidKeyException(
+                            "Unsupported key and digest algorithm combination for signer #"
+                                    + (i + 1), e);
+                }
+            }
+            signerConfig.signatureAlgorithms = signatureAlgorithms;
+            result.add(signerConfig);
+        }
+        return result;
+    }
+
+    private static int getV2SignatureAlgorithm(String keyAlgorithm, String digestAlgorithm) {
+        if ("SHA-256".equalsIgnoreCase(digestAlgorithm)) {
+            if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
+                // Use RSASSA-PKCS1-v1_5 signature scheme instead of RSASSA-PSS to guarantee
+                // deterministic signatures which make life easier for OTA updates (fewer files
+                // changed when deterministic signature schemes are used).
+                return ApkSignerV2.SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256;
+            } else if ("EC".equalsIgnoreCase(keyAlgorithm)) {
+                return ApkSignerV2.SIGNATURE_ECDSA_WITH_SHA256;
+            } else if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
+                return ApkSignerV2.SIGNATURE_DSA_WITH_SHA256;
+            } else {
+                throw new IllegalArgumentException("Unsupported key algorithm: " + keyAlgorithm);
+            }
+        } else if ("SHA-512".equalsIgnoreCase(digestAlgorithm)) {
+            if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
+                // Use RSASSA-PKCS1-v1_5 signature scheme instead of RSASSA-PSS to guarantee
+                // deterministic signatures which make life easier for OTA updates (fewer files
+                // changed when deterministic signature schemes are used).
+                return ApkSignerV2.SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512;
+            } else if ("EC".equalsIgnoreCase(keyAlgorithm)) {
+                return ApkSignerV2.SIGNATURE_ECDSA_WITH_SHA512;
+            } else if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
+                return ApkSignerV2.SIGNATURE_DSA_WITH_SHA512;
+            } else {
+                throw new IllegalArgumentException("Unsupported key algorithm: " + keyAlgorithm);
+            }
+        } else {
+            throw new IllegalArgumentException("Unsupported digest algorithm: " + digestAlgorithm);
+        }
+    }
+
+    public static void sign(X509Certificate cert, PrivateKey key,
+                            JarMap inputJar, FileOutputStream outputFile) throws Exception {
+        int alignment = 4;
+        int hashes = 0;
+
+        X509Certificate[] publicKey = new X509Certificate[1];
+        publicKey[0] = cert;
+        hashes |= getDigestAlgorithm(publicKey[0]);
+
+        // Set all ZIP file timestamps to Jan 1 2009 00:00:00.
+        long timestamp = 1230768000000L;
+        // The Java ZipEntry API we're using converts milliseconds since epoch into MS-DOS
+        // timestamp using the current timezone. We thus adjust the milliseconds since epoch
+        // value to end up with MS-DOS timestamp of Jan 1 2009 00:00:00.
+        timestamp -= TimeZone.getDefault().getOffset(timestamp);
+
+        PrivateKey[] privateKey = new PrivateKey[1];
+        privateKey[0] = key;
+
+        // Generate, in memory, an APK signed using standard JAR Signature Scheme.
+        ByteArrayOutputStream v1SignedApkBuf = new ByteArrayOutputStream();
+        JarOutputStream outputJar = new JarOutputStream(v1SignedApkBuf);
+        // Use maximum compression for compressed entries because the APK lives forever on
+        // the system partition.
+        outputJar.setLevel(9);
+        Manifest manifest = addDigestsToManifest(inputJar, hashes);
+        copyFiles(manifest, inputJar, outputJar, timestamp, alignment);
+        signFile(manifest, publicKey, privateKey, timestamp, outputJar);
+        outputJar.close();
+        ByteBuffer v1SignedApk = ByteBuffer.wrap(v1SignedApkBuf.toByteArray());
+        v1SignedApkBuf.reset();
+
+        ByteBuffer[] outputChunks;
+        List<ApkSignerV2.SignerConfig> signerConfigs = createV2SignerConfigs(privateKey, publicKey,
+                new String[]{APK_SIG_SCHEME_V2_DIGEST_ALGORITHM});
+        outputChunks = ApkSignerV2.sign(v1SignedApk, signerConfigs);
+
+        // This assumes outputChunks are array-backed. To avoid this assumption, the
+        // code could be rewritten to use FileChannel.
+        for (ByteBuffer outputChunk : outputChunks) {
+            outputFile.write(outputChunk.array(),
+                    outputChunk.arrayOffset() + outputChunk.position(), outputChunk.remaining());
+            outputChunk.position(outputChunk.limit());
+        }
+    }
+
+    /**
+     * Write to another stream and track how many bytes have been
+     * written.
+     */
+    private static class CountOutputStream extends FilterOutputStream {
+        private int mCount;
+
+        public CountOutputStream(OutputStream out) {
+            super(out);
+            mCount = 0;
+        }
+
+        @Override
+        public void write(int b) throws IOException {
+            super.write(b);
+            mCount++;
+        }
+
+        @Override
+        public void write(byte[] b, int off, int len) throws IOException {
+            super.write(b, off, len);
+            mCount += len;
+        }
+
+        public int size() {
+            return mCount;
+        }
     }
 }

app/signing/src/main/java/com/topjohnwu/signing/SignBoot.java

@@ -30,6 +30,15 @@ import java.util.Arrays;
 
 public class SignBoot {
 
+    private static final int BOOT_IMAGE_HEADER_V1_RECOVERY_DTBO_SIZE_OFFSET = 1632;
+    private static final int BOOT_IMAGE_HEADER_V2_DTB_SIZE_OFFSET = 1648;
+
+    // Arbitrary maximum header version value; when greater assume the field is dt/extra size
+    private static final int BOOT_IMAGE_HEADER_VERSION_MAXIMUM = 8;
+
+    // Maximum header size byte value to read (currently the bootimg minimum page size)
+    private static final int BOOT_IMAGE_HEADER_SIZE_MAXIMUM = 2048;
+
     private static class PushBackRWStream extends FilterInputStream {
         private OutputStream out;
         private int pos = 0;
@@ -79,7 +88,7 @@ public class SignBoot {
                                       InputStream cert, InputStream key) {
         try {
             PushBackRWStream in = new PushBackRWStream(imgIn, imgOut);
-            byte[] hdr = new byte[1024];
+            byte[] hdr = new byte[BOOT_IMAGE_HEADER_SIZE_MAXIMUM];
             // First read the header
             in.read(hdr);
             int signableSize = getSignableImageSize(hdr);
@@ -87,12 +96,12 @@ public class SignBoot {
             in.unread(hdr);
             BootSignature bootsig = new BootSignature(target, signableSize);
             if (cert == null) {
-                cert = SignBoot.class.getResourceAsStream("/keys/testkey.x509.pem");
+                cert = SignBoot.class.getResourceAsStream("/keys/verity.x509.pem");
             }
             X509Certificate certificate = CryptoUtils.readCertificate(cert);
             bootsig.setCertificate(certificate);
             if (key == null) {
-                key = SignBoot.class.getResourceAsStream("/keys/testkey.pk8");
+                key = SignBoot.class.getResourceAsStream("/keys/verity.pk8");
             }
             PrivateKey privateKey = CryptoUtils.readPrivateKey(key);
             byte[] sig = bootsig.sign(privateKey, in, signableSize);
@@ -110,22 +119,27 @@ public class SignBoot {
     public static boolean verifySignature(InputStream imgIn, InputStream certIn) {
         try {
             // Read the header for size
-            byte[] hdr = new byte[1024];
-            if (imgIn.read(hdr) != hdr.length)
+            byte[] hdr = new byte[BOOT_IMAGE_HEADER_SIZE_MAXIMUM];
+            if (imgIn.read(hdr) != hdr.length) {
+                System.err.println("Unable to read image header");
                 return false;
+            }
             int signableSize = getSignableImageSize(hdr);
 
             // Read the rest of the image
             byte[] rawImg = Arrays.copyOf(hdr, signableSize);
             int remain = signableSize - hdr.length;
             if (imgIn.read(rawImg, hdr.length, remain) != remain) {
-                System.err.println("Invalid image: not signed");
+                System.err.println("Unable to read image");
                 return false;
             }
 
             // Read footer, which contains the signature
             byte[] signature = new byte[4096];
-            imgIn.read(signature);
+            if (imgIn.read(signature) == -1 || Arrays.equals(signature, new byte [signature.length])) {
+                System.err.println("Invalid image: not signed");
+                return false;
+            }
 
             BootSignature bootsig = new BootSignature(signature);
             if (certIn != null) {
@@ -138,7 +152,8 @@ public class SignBoot {
                 System.err.println("Signature is INVALID");
             }
         } catch (Exception e) {
-            System.err.println("Invalid image: not signed");
+            e.printStackTrace();
+            return false;
         }
         return false;
     }
@@ -162,6 +177,27 @@ public class SignBoot {
                 + ((kernelSize + pageSize - 1) / pageSize) * pageSize
                 + ((ramdskSize + pageSize - 1) / pageSize) * pageSize
                 + ((secondSize + pageSize - 1) / pageSize) * pageSize;
+        int headerVersion = image.getInt(); // boot image header version or dt/extra size
+        if (headerVersion > 0 && headerVersion < BOOT_IMAGE_HEADER_VERSION_MAXIMUM) {
+            image.position(BOOT_IMAGE_HEADER_V1_RECOVERY_DTBO_SIZE_OFFSET);
+            int recoveryDtboLength = image.getInt();
+            length += ((recoveryDtboLength + pageSize - 1) / pageSize) * pageSize;
+            image.getLong(); // recovery_dtbo address
+            int headerSize = image.getInt();
+            if (headerVersion == 2) {
+                image.position(BOOT_IMAGE_HEADER_V2_DTB_SIZE_OFFSET);
+                int dtbLength = image.getInt();
+                length += ((dtbLength + pageSize - 1) / pageSize) * pageSize;
+                image.getLong(); // dtb address
+            }
+            if (image.position() != headerSize) {
+                throw new IllegalArgumentException(
+                        "Invalid image header: invalid header length");
+            }
+        } else {
+            // headerVersion is 0 or actually dt/extra size in this case
+            length += ((headerVersion + pageSize - 1) / pageSize) * pageSize;
+        }
         length = ((length + pageSize - 1) / pageSize) * pageSize;
         if (length <= 0) {
             throw new IllegalArgumentException("Invalid image header: invalid length");

app/signing/src/main/java/com/topjohnwu/signing/ZipSigner.java

@@ -0,0 +1,81 @@
+package com.topjohnwu.signing;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+public class ZipSigner {
+
+    private static void usage() {
+        System.err.println("ZipSigner usage:");
+        System.err.println("  zipsigner.jar input.jar output.jar");
+        System.err.println("    sign jar with AOSP test keys");
+        System.err.println("  zipsigner.jar x509.pem pk8 input.jar output.jar");
+        System.err.println("    sign jar with certificate / private key pair");
+        System.err.println("  zipsigner.jar keyStore keyStorePass alias keyPass input.jar output.jar");
+        System.err.println("    sign jar with Java KeyStore");
+        System.exit(2);
+    }
+
+    private static void sign(JarMap input, FileOutputStream output) throws Exception {
+        sign(SignApk.class.getResourceAsStream("/keys/testkey.x509.pem"),
+                SignApk.class.getResourceAsStream("/keys/testkey.pk8"), input, output);
+    }
+
+    private static void sign(InputStream certIs, InputStream keyIs,
+                             JarMap input, FileOutputStream output) throws Exception {
+        X509Certificate cert = CryptoUtils.readCertificate(certIs);
+        PrivateKey key = CryptoUtils.readPrivateKey(keyIs);
+        SignApk.sign(cert, key, input, output);
+    }
+
+    private static void sign(String keyStore, String keyStorePass, String alias, String keyPass,
+                             JarMap in, FileOutputStream out) throws Exception {
+        KeyStore ks;
+        try {
+            ks = KeyStore.getInstance("JKS");
+            try (InputStream is = new FileInputStream(keyStore)) {
+                ks.load(is, keyStorePass.toCharArray());
+            }
+        } catch (KeyStoreException|IOException|CertificateException|NoSuchAlgorithmException e) {
+            ks = KeyStore.getInstance("PKCS12");
+            try (InputStream is = new FileInputStream(keyStore)) {
+                ks.load(is, keyStorePass.toCharArray());
+            }
+        }
+        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
+        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass.toCharArray());
+        SignApk.sign(cert, key, in, out);
+    }
+
+    public static void main(String[] args) throws Exception {
+        if (args.length != 2 && args.length != 4 && args.length != 6)
+            usage();
+
+        Security.insertProviderAt(new BouncyCastleProvider(), 1);
+
+        try (JarMap in = JarMap.open(args[args.length - 2], false);
+             FileOutputStream out = new FileOutputStream(args[args.length - 1])) {
+            if (args.length == 2) {
+                sign(in, out);
+            } else if (args.length == 4) {
+                try (InputStream cert = new FileInputStream(args[0]);
+                     InputStream key = new FileInputStream(args[1])) {
+                    sign(cert, key, in, out);
+                }
+            } else if (args.length == 6) {
+                sign(args[0], args[1], args[2], args[3], in, out);
+            }
+        }
+    }
+}

app/signing/src/main/java/com/topjohnwu/signing/ZipUtils.java

@@ -0,0 +1,136 @@
+package com.topjohnwu.signing;
+
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+
+/**
+ * Assorted ZIP format helpers.
+ *
+ * <p>NOTE: Most helper methods operating on {@code ByteBuffer} instances expect that the byte
+ * order of these buffers is little-endian.
+ */
+public abstract class ZipUtils {
+
+    private static final int ZIP_EOCD_REC_MIN_SIZE = 22;
+    private static final int ZIP_EOCD_REC_SIG = 0x06054b50;
+    private static final int ZIP_EOCD_CENTRAL_DIR_SIZE_FIELD_OFFSET = 12;
+    private static final int ZIP_EOCD_CENTRAL_DIR_OFFSET_FIELD_OFFSET = 16;
+    private static final int ZIP_EOCD_COMMENT_LENGTH_FIELD_OFFSET = 20;
+
+    private static final int ZIP64_EOCD_LOCATOR_SIZE = 20;
+    private static final int ZIP64_EOCD_LOCATOR_SIG = 0x07064b50;
+
+    private static final int UINT16_MAX_VALUE = 0xffff;
+
+    private ZipUtils() {
+    }
+
+    /**
+     * Returns the position at which ZIP End of Central Directory record starts in the provided
+     * buffer or {@code -1} if the record is not present.
+     *
+     * <p>NOTE: Byte order of {@code zipContents} must be little-endian.
+     */
+    public static int findZipEndOfCentralDirectoryRecord(ByteBuffer zipContents) {
+        assertByteOrderLittleEndian(zipContents);
+
+        // ZIP End of Central Directory (EOCD) record is located at the very end of the ZIP archive.
+        // The record can be identified by its 4-byte signature/magic which is located at the very
+        // beginning of the record. A complication is that the record is variable-length because of
+        // the comment field.
+        // The algorithm for locating the ZIP EOCD record is as follows. We search backwards from
+        // end of the buffer for the EOCD record signature. Whenever we find a signature, we check
+        // the candidate record's comment length is such that the remainder of the record takes up
+        // exactly the remaining bytes in the buffer. The search is bounded because the maximum
+        // size of the comment field is 65535 bytes because the field is an unsigned 16-bit number.
+
+        int archiveSize = zipContents.capacity();
+        if (archiveSize < ZIP_EOCD_REC_MIN_SIZE) {
+            return -1;
+        }
+        int maxCommentLength = Math.min(archiveSize - ZIP_EOCD_REC_MIN_SIZE, UINT16_MAX_VALUE);
+        int eocdWithEmptyCommentStartPosition = archiveSize - ZIP_EOCD_REC_MIN_SIZE;
+        for (int expectedCommentLength = 0; expectedCommentLength < maxCommentLength; expectedCommentLength++) {
+            int eocdStartPos = eocdWithEmptyCommentStartPosition - expectedCommentLength;
+            if (zipContents.getInt(eocdStartPos) == ZIP_EOCD_REC_SIG) {
+                int actualCommentLength = getUnsignedInt16(zipContents, eocdStartPos + ZIP_EOCD_COMMENT_LENGTH_FIELD_OFFSET);
+                if (actualCommentLength == expectedCommentLength) {
+                    return eocdStartPos;
+                }
+            }
+        }
+
+        return -1;
+    }
+
+    /**
+     * Returns {@code true} if the provided buffer contains a ZIP64 End of Central Directory
+     * Locator.
+     *
+     * <p>NOTE: Byte order of {@code zipContents} must be little-endian.
+     */
+    public static boolean isZip64EndOfCentralDirectoryLocatorPresent(ByteBuffer zipContents, int zipEndOfCentralDirectoryPosition) {
+        assertByteOrderLittleEndian(zipContents);
+
+        // ZIP64 End of Central Directory Locator immediately precedes the ZIP End of Central
+        // Directory Record.
+
+        int locatorPosition = zipEndOfCentralDirectoryPosition - ZIP64_EOCD_LOCATOR_SIZE;
+        if (locatorPosition < 0) {
+            return false;
+        }
+
+        return zipContents.getInt(locatorPosition) == ZIP64_EOCD_LOCATOR_SIG;
+    }
+
+    /**
+     * Returns the offset of the start of the ZIP Central Directory in the archive.
+     *
+     * <p>NOTE: Byte order of {@code zipEndOfCentralDirectory} must be little-endian.
+     */
+    public static long getZipEocdCentralDirectoryOffset(ByteBuffer zipEndOfCentralDirectory) {
+        assertByteOrderLittleEndian(zipEndOfCentralDirectory);
+        return getUnsignedInt32(zipEndOfCentralDirectory, zipEndOfCentralDirectory.position() + ZIP_EOCD_CENTRAL_DIR_OFFSET_FIELD_OFFSET);
+    }
+
+    /**
+     * Sets the offset of the start of the ZIP Central Directory in the archive.
+     *
+     * <p>NOTE: Byte order of {@code zipEndOfCentralDirectory} must be little-endian.
+     */
+    public static void setZipEocdCentralDirectoryOffset(ByteBuffer zipEndOfCentralDirectory, long offset) {
+        assertByteOrderLittleEndian(zipEndOfCentralDirectory);
+        setUnsignedInt32(zipEndOfCentralDirectory, zipEndOfCentralDirectory.position() + ZIP_EOCD_CENTRAL_DIR_OFFSET_FIELD_OFFSET, offset);
+    }
+
+    /**
+     * Returns the size (in bytes) of the ZIP Central Directory.
+     *
+     * <p>NOTE: Byte order of {@code zipEndOfCentralDirectory} must be little-endian.
+     */
+    public static long getZipEocdCentralDirectorySizeBytes(ByteBuffer zipEndOfCentralDirectory) {
+        assertByteOrderLittleEndian(zipEndOfCentralDirectory);
+        return getUnsignedInt32(zipEndOfCentralDirectory, zipEndOfCentralDirectory.position() + ZIP_EOCD_CENTRAL_DIR_SIZE_FIELD_OFFSET);
+    }
+
+    private static void assertByteOrderLittleEndian(ByteBuffer buffer) {
+        if (buffer.order() != ByteOrder.LITTLE_ENDIAN) {
+            throw new IllegalArgumentException("ByteBuffer byte order must be little endian");
+        }
+    }
+
+    private static int getUnsignedInt16(ByteBuffer buffer, int offset) {
+        return buffer.getShort(offset) & 0xffff;
+    }
+
+    private static long getUnsignedInt32(ByteBuffer buffer, int offset) {
+        return buffer.getInt(offset) & 0xffffffffL;
+    }
+
+    private static void setUnsignedInt32(ByteBuffer buffer, int offset, long value) {
+        if ((value < 0) || (value > 0xffffffffL)) {
+            throw new IllegalArgumentException("uint32 value of out range: " + value);
+        }
+        buffer.putInt(buffer.position() + offset, (int) value);
+    }
+}

app/signing/src/main/resources/keys/verity.x509.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIJAJcPmDkJqolJMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g
+VmlldzEQMA4GA1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UE
+AwwHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0xNDExMDYxOTA3NDBaFw00MjAzMjQxOTA3NDBaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
+A1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UEAwwHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOjreE0vTVSRenuzO9vnaWfk0eQzYab0gqpi
+6xAzi6dmD+ugoEKJmbPiuE5Dwf21isZ9uhUUu0dQM46dK4ocKxMRrcnmGxydFn6o
+fs3ODJMXOkv2gKXL/FdbEPdDbxzdu8z3yk+W67udM/fW7WbaQ3DO0knu+izKak/3
+T41c5uoXmQ81UNtAzRGzGchNVXMmWuTGOkg6U+0I2Td7K8yvUMWhAWPPpKLtVH9r
+AL5TzjYNR92izdKcz3AjRsI3CTjtpiVABGeX0TcjRSuZB7K9EK56HV+OFNS6I1NP
+jdD7FIShyGlqqZdUOkAUZYanbpgeT5N7QL6uuqcGpoTOkalu6kkCAwEAAaNQME4w
+HQYDVR0OBBYEFH5DM/m7oArf4O3peeKO0ZIEkrQPMB8GA1UdIwQYMBaAFH5DM/m7
+oArf4O3peeKO0ZIEkrQPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
+AHO3NSvDE5jFvMehGGtS8BnFYdFKRIglDMc4niWSzhzOVYRH4WajxdtBWc5fx0ix
+NF/+hVKVhP6AIOQa+++sk+HIi7RvioPPbhjcsVlZe7cUEGrLSSveGouQyc+j0+m6
+JF84kszIl5GGNMTnx0XRPO+g8t6h5LWfnVydgZfpGRRg+WHewk1U2HlvTjIceb0N
+dcoJ8WKJAFWdcuE7VIm4w+vF/DYX/A2Oyzr2+QRhmYSv1cusgAeC1tvH4ap+J1Lg
+UnOu5Kh/FqPLLSwNVQp4Bu7b9QFfqK8Moj84bj88NqRGZgDyqzuTrFxn6FW7dmyA
+yttuAJAEAymk1mipd9+zp38=
+-----END CERTIFICATE-----

app/src/main/AndroidManifest.xml

@@ -3,56 +3,55 @@
     xmlns:tools="http://schemas.android.com/tools"
     package="com.topjohnwu.magisk">
 
+    <uses-permission android:name="android.permission.INTERNET"/>
     <uses-permission android:name="android.permission.VIBRATE" />
-    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
     <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
-    <uses-permission android:name="android.permission.USE_FINGERPRINT" />
+    <uses-permission
+        android:name="android.permission.WRITE_EXTERNAL_STORAGE"
+        android:maxSdkVersion="28" />
 
     <application
-        android:allowBackup="true"
+        android:icon="@drawable/ic_launcher"
         android:name="a.e"
-        android:theme="@style/MagiskTheme"
-        android:usesCleartextTraffic="true"
+        android:allowBackup="true"
         tools:ignore="UnusedAttribute,GoogleAppIndexingWarning">
 
-        <!-- Activities -->
-
-        <activity
-            android:name="a.b"
-            android:configChanges="orientation|screenSize"
-            android:exported="true" />
+        <!-- Splash -->
         <activity
             android:name="a.c"
-            android:configChanges="orientation|screenSize"
-            android:exported="true"
             android:theme="@style/SplashTheme">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
                 <category android:name="android.intent.category.LAUNCHER" />
             </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.APPLICATION_PREFERENCES" />
+                <category android:name="android.intent.category.DEFAULT" />
+            </intent-filter>
         </activity>
-        <activity
-            android:name="a.f"
-            android:configChanges="keyboardHidden|orientation|screenSize"
-            android:screenOrientation="nosensor"
-            android:theme="@style/MagiskTheme.Flashing" />
+
+        <!-- Main -->
+        <activity android:name="a.b" />
 
         <!-- Superuser -->
-
         <activity
             android:name="a.m"
-            android:exported="false"
             android:directBootAware="true"
             android:excludeFromRecents="true"
-            android:theme="@style/MagiskTheme.SU" />
+            android:exported="false"
+            tools:ignore="AppLinkUrlError">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW"/>
+                <category android:name="android.intent.category.DEFAULT"/>
+            </intent-filter>
+        </activity>
 
         <!-- Receiver -->
-
         <receiver
             android:name="a.h"
             android:directBootAware="true">
             <intent-filter>
-                <action android:name="android.intent.action.BOOT_COMPLETED" />
+                <action android:name="android.intent.action.REBOOT" />
                 <action android:name="android.intent.action.LOCALE_CHANGED" />
             </intent-filter>
             <intent-filter>
@@ -63,8 +62,7 @@
             </intent-filter>
         </receiver>
 
-        <!-- Service -->
-
+        <!-- DownloadService -->
         <service android:name="a.j" />
 
         <!-- Hardcode GMS version -->
@@ -72,6 +70,22 @@
             android:name="com.google.android.gms.version"
             android:value="12451000" />
 
+        <!-- Initialize WorkManager on-demand -->
+        <provider
+            android:name="androidx.work.impl.WorkManagerInitializer"
+            android:authorities="${applicationId}.workmanager-init"
+            tools:node="remove" />
+
+        <!-- We don't invalidate Room -->
+        <service
+            android:name="androidx.room.MultiInstanceInvalidationService"
+            tools:node="remove"/>
+
+        <!-- We don't use Device Credentials -->
+        <activity
+            android:name="androidx.biometric.DeviceCredentialHandlerActivity"
+            tools:node="remove" />
+
     </application>
 
 </manifest>

app/src/main/java/a/a.java

@@ -1,13 +0,0 @@
-package a;
-
-import com.topjohnwu.magisk.utils.PatchAPK;
-import com.topjohnwu.signing.BootSigner;
-
-import androidx.annotation.Keep;
-
-@Keep
-public class a extends BootSigner {
-    public static boolean patchAPK(String in, String out, String pkg) {
-        return PatchAPK.patch(in, out, pkg);
-    }
-}

app/src/main/java/a/b.java

@@ -1,7 +0,0 @@
-package a;
-
-import com.topjohnwu.magisk.ui.MainActivity;
-
-public class b extends MainActivity {
-    /* stub */
-}

app/src/main/java/a/c.java

@@ -1,7 +0,0 @@
-package a;
-
-import com.topjohnwu.magisk.ui.SplashActivity;
-
-public class c extends SplashActivity {
-    /* stub */
-}

app/src/main/java/a/e.java

@@ -1,7 +0,0 @@
-package a;
-
-import com.topjohnwu.magisk.App;
-
-public class e extends App {
-    /* stub */
-}

app/src/main/java/a/f.java

@@ -1,7 +0,0 @@
-package a;
-
-import com.topjohnwu.magisk.ui.flash.FlashActivity;
-
-public class f extends FlashActivity {
-    /* stub */
-}

app/src/main/java/a/g.java

@@ -1,15 +0,0 @@
-package a;
-
-import android.content.Context;
-
-import com.topjohnwu.magisk.model.update.UpdateCheckService;
-
-import androidx.annotation.NonNull;
-import androidx.work.WorkerParameters;
-
-public class g extends w<UpdateCheckService> {
-    /* Stub */
-    public g(@NonNull Context context, @NonNull WorkerParameters workerParams) {
-        super(context, workerParams);
-    }
-}

app/src/main/java/a/h.java

@@ -1,7 +0,0 @@
-package a;
-
-import com.topjohnwu.magisk.model.receiver.GeneralReceiver;
-
-public class h extends GeneralReceiver {
-    /* stub */
-}

app/src/main/java/a/j.java

@@ -1,7 +0,0 @@
-package a;
-
-import com.topjohnwu.magisk.model.download.DownloadModuleService;
-
-public class j extends DownloadModuleService {
-    /* stub */
-}

app/src/main/java/a/m.java

@@ -1,7 +0,0 @@
-package a;
-
-import com.topjohnwu.magisk.ui.surequest.SuRequestActivity;
-
-public class m extends SuRequestActivity {
-    /* stub */
-}

app/src/main/java/a/stubs.kt

@@ -0,0 +1,29 @@
+@file:JvmName("a")
+package a
+
+import com.topjohnwu.magisk.core.App
+import com.topjohnwu.magisk.core.GeneralReceiver
+import com.topjohnwu.magisk.core.SplashActivity
+import com.topjohnwu.magisk.core.download.DownloadService
+import com.topjohnwu.magisk.ui.MainActivity
+import com.topjohnwu.magisk.ui.surequest.SuRequestActivity
+import com.topjohnwu.signing.BootSigner
+
+fun main(args: Array<String>) {
+    BootSigner.main(args)
+}
+
+class b : MainActivity()
+
+class c : SplashActivity()
+
+class e : App {
+    constructor() : super()
+    constructor(o: Any) : super(o)
+}
+
+class h : GeneralReceiver()
+
+class j : DownloadService()
+
+class m : SuRequestActivity()

app/src/main/java/a/w.java

@@ -1,42 +0,0 @@
-package a;
-
-import android.content.Context;
-
-import com.topjohnwu.magisk.model.worker.DelegateWorker;
-
-import java.lang.reflect.ParameterizedType;
-
-import androidx.annotation.NonNull;
-import androidx.work.Worker;
-import androidx.work.WorkerParameters;
-
-public abstract class w<T extends DelegateWorker> extends Worker {
-
-    /* Wrapper class to workaround Proguard -keep class * extends Worker */
-
-    private T base;
-
-    @SuppressWarnings("unchecked")
-    w(@NonNull Context context, @NonNull WorkerParameters workerParams) {
-        super(context, workerParams);
-        try {
-            base = ((Class<T>) ((ParameterizedType) getClass().getGenericSuperclass())
-                    .getActualTypeArguments()[0]).newInstance();
-            base.setActualWorker(this);
-        } catch (Exception ignored) {}
-    }
-
-    @NonNull
-    @Override
-    public Result doWork() {
-        if (base == null)
-            return Result.failure();
-        return base.doWork();
-    }
-
-    @Override
-    public void onStopped() {
-        if (base != null)
-            base.onStopped();
-    }
-}

app/src/main/java/com/topjohnwu/magisk/App.kt

@@ -1,128 +0,0 @@
-package com.topjohnwu.magisk
-
-import android.annotation.SuppressLint
-import android.app.Activity
-import android.app.Application
-import android.content.Context
-import android.content.res.Configuration
-import android.os.AsyncTask
-import android.os.Build
-import android.os.Bundle
-import androidx.appcompat.app.AppCompatDelegate
-import androidx.multidex.MultiDex
-import androidx.room.Room
-import androidx.work.impl.WorkDatabase
-import androidx.work.impl.WorkDatabase_Impl
-import com.topjohnwu.magisk.di.koinModules
-import com.topjohnwu.magisk.utils.LocaleManager
-import com.topjohnwu.magisk.utils.RootUtils
-import com.topjohnwu.magisk.utils.inject
-import com.topjohnwu.net.Networking
-import com.topjohnwu.superuser.Shell
-import org.koin.android.ext.koin.androidContext
-import org.koin.core.context.startKoin
-import timber.log.Timber
-import java.util.concurrent.ThreadPoolExecutor
-
-open class App : Application(), Application.ActivityLifecycleCallbacks {
-
-    lateinit var protectedContext: Context
-
-    @Volatile
-    private var foreground: Activity? = null
-
-    override fun attachBaseContext(base: Context) {
-        super.attachBaseContext(base)
-        if (BuildConfig.DEBUG)
-            MultiDex.install(base)
-        Timber.plant(Timber.DebugTree())
-
-        startKoin {
-            androidContext(this@App)
-            modules(koinModules)
-        }
-
-        protectedContext = baseContext
-        self = this
-        deContext = base
-
-        if (Build.VERSION.SDK_INT >= 24) {
-            protectedContext = base.createDeviceProtectedStorageContext()
-            deContext = protectedContext
-            deContext.moveSharedPreferencesFrom(base, base.defaultPrefsName)
-        }
-
-        registerActivityLifecycleCallbacks(this)
-
-        Networking.init(base)
-        LocaleManager.setLocale(this)
-    }
-
-    override fun onConfigurationChanged(newConfig: Configuration) {
-        super.onConfigurationChanged(newConfig)
-        LocaleManager.setLocale(this)
-    }
-
-    //region ActivityLifecycleCallbacks
-    override fun onActivityCreated(activity: Activity, bundle: Bundle?) {}
-
-    override fun onActivityStarted(activity: Activity) {}
-
-    @Synchronized
-    override fun onActivityResumed(activity: Activity) {
-        foreground = activity
-    }
-
-    @Synchronized
-    override fun onActivityPaused(activity: Activity) {
-        foreground = null
-    }
-
-    override fun onActivityStopped(activity: Activity) {}
-
-    override fun onActivitySaveInstanceState(activity: Activity, bundle: Bundle) {}
-
-    override fun onActivityDestroyed(activity: Activity) {}
-    //endregion
-
-    private val Context.defaultPrefsName get() = "${packageName}_preferences"
-
-    companion object {
-
-        @SuppressLint("StaticFieldLeak")
-        @Deprecated("Use dependency injection")
-        @JvmStatic
-        lateinit var self: App
-
-        @SuppressLint("StaticFieldLeak")
-        @Deprecated("Use dependency injection; replace with protectedContext")
-        @JvmStatic
-        lateinit var deContext: Context
-
-        @Deprecated("Use Rx or similar")
-        @JvmField
-        var THREAD_POOL: ThreadPoolExecutor
-
-        init {
-            AppCompatDelegate.setCompatVectorFromResourcesEnabled(true)
-            Shell.Config.setFlags(Shell.FLAG_MOUNT_MASTER or Shell.FLAG_USE_MAGISK_BUSYBOX)
-            Shell.Config.verboseLogging(BuildConfig.DEBUG)
-            Shell.Config.addInitializers(RootUtils::class.java)
-            Shell.Config.setTimeout(2)
-            THREAD_POOL = AsyncTask.THREAD_POOL_EXECUTOR as ThreadPoolExecutor
-            Room.setFactory {
-                when (it) {
-                    WorkDatabase::class.java -> WorkDatabase_Impl()
-                    else -> null
-                }
-            }
-        }
-
-        @Deprecated("")
-        @JvmStatic
-        fun foreground(): Activity? {
-            val app: App by inject()
-            return app.foreground
-        }
-    }
-}

app/src/main/java/com/topjohnwu/magisk/ClassMap.kt

@@ -1,27 +0,0 @@
-package com.topjohnwu.magisk
-
-import com.topjohnwu.magisk.model.download.DownloadModuleService
-import com.topjohnwu.magisk.model.receiver.GeneralReceiver
-import com.topjohnwu.magisk.model.update.UpdateCheckService
-import com.topjohnwu.magisk.ui.MainActivity
-import com.topjohnwu.magisk.ui.SplashActivity
-import com.topjohnwu.magisk.ui.flash.FlashActivity
-import com.topjohnwu.magisk.ui.surequest.SuRequestActivity
-
-object ClassMap {
-    private val map = mapOf(
-        App::class.java to a.e::class.java,
-        MainActivity::class.java to a.b::class.java,
-        SplashActivity::class.java to a.c::class.java,
-        FlashActivity::class.java to a.f::class.java,
-        UpdateCheckService::class.java to a.g::class.java,
-        GeneralReceiver::class.java to a.h::class.java,
-        DownloadModuleService::class.java to a.j::class.java,
-        SuRequestActivity::class.java to a.m::class.java
-    )
-
-    @JvmStatic
-    operator fun <T : Class<*>>get(c: Class<*>): T {
-        return map.getOrElse(c) { throw IllegalArgumentException() } as T
-    }
-}

app/src/main/java/com/topjohnwu/magisk/Const.kt

@@ -1,98 +0,0 @@
-package com.topjohnwu.magisk
-
-import android.os.Environment
-import android.os.Process
-
-import java.io.File
-
-object Const {
-
-    const val DEBUG_TAG = "MagiskManager"
-
-    // Paths
-    const val MAGISK_PATH = "/sbin/.magisk/img"
-    @JvmField
-    val EXTERNAL_PATH = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS)!!
-    @JvmField
-    var MAGISK_DISABLE_FILE = File("xxx")
-    const val TMP_FOLDER_PATH = "/dev/tmp"
-    const val MAGISK_LOG = "/cache/magisk.log"
-
-    // Versions
-    const val SNET_EXT_VER = 12
-    const val SNET_REVISION = "b66b1a914978e5f4c4bbfd74a59f4ad371bac107"
-    const val BOOTCTL_REVISION = "9c5dfc1b8245c0b5b524901ef0ff0f8335757b77"
-
-    // Misc
-    const val ANDROID_MANIFEST = "AndroidManifest.xml"
-    const val MAGISK_INSTALL_LOG_FILENAME = "magisk_install_log_%s.log"
-    const val MANAGER_CONFIGS = ".tmp.magisk.config"
-    @JvmField
-    val USER_ID = Process.myUid() / 100000
-
-    init {
-        EXTERNAL_PATH.mkdirs()
-    }
-
-    object MagiskVersion {
-        const val MIN_SUPPORT = 18000
-    }
-
-    object ID {
-        const val FETCH_ZIP = 2
-        const val SELECT_BOOT = 3
-
-        // notifications
-        const val MAGISK_UPDATE_NOTIFICATION_ID = 4
-        const val APK_UPDATE_NOTIFICATION_ID = 5
-        const val DTBO_NOTIFICATION_ID = 7
-        const val HIDE_MANAGER_NOTIFICATION_ID = 8
-        const val UPDATE_NOTIFICATION_CHANNEL = "update"
-        const val PROGRESS_NOTIFICATION_CHANNEL = "progress"
-        const val CHECK_MAGISK_UPDATE_WORKER_ID = "magisk_update"
-    }
-
-    object Url {
-        @Deprecated("This shouldn't be used. There's literally no need for it")
-        const val REPO_URL =
-            "https://api.github.com/users/Magisk-Modules-Repo/repos?per_page=100&sort=pushed&page=%d"
-        const val FILE_URL = "https://raw.githubusercontent.com/Magisk-Modules-Repo/%s/master/%s"
-        const val ZIP_URL = "https://github.com/Magisk-Modules-Repo/%s/archive/master.zip"
-        const val MODULE_INSTALLER =
-            "https://raw.githubusercontent.com/topjohnwu/Magisk/master/scripts/module_installer.sh"
-        const val PAYPAL_URL = "https://www.paypal.me/topjohnwu"
-        const val PATREON_URL = "https://www.patreon.com/topjohnwu"
-        const val TWITTER_URL = "https://twitter.com/topjohnwu"
-        const val XDA_THREAD = "http://forum.xda-developers.com/showthread.php?t=3432382"
-        const val SOURCE_CODE_URL = "https://github.com/topjohnwu/Magisk"
-        @JvmField
-        val BOOTCTL_URL = getRaw("9c5dfc1b8245c0b5b524901ef0ff0f8335757b77", "bootctl")
-        const val GITHUB_RAW_API_URL = "https://raw.githubusercontent.com/"
-
-        private fun getRaw(where: String, name: String) =
-            "${GITHUB_RAW_API_URL}topjohnwu/magisk_files/$where/$name"
-    }
-
-    object Key {
-        // others
-        const val LINK_KEY = "Link"
-        const val IF_NONE_MATCH = "If-None-Match"
-        // intents
-        const val OPEN_SECTION = "section"
-        const val INTENT_SET_NAME = "filename"
-        const val INTENT_SET_LINK = "link"
-        const val FLASH_ACTION = "action"
-        const val BROADCAST_MANAGER_UPDATE = "manager_update"
-        const val BROADCAST_REBOOT = "reboot"
-    }
-
-    object Value {
-        const val FLASH_ZIP = "flash"
-        const val PATCH_FILE = "patch"
-        const val FLASH_MAGISK = "magisk"
-        const val FLASH_INACTIVE_SLOT = "slot"
-        const val UNINSTALL = "uninstall"
-    }
-
-
-}

app/src/main/java/com/topjohnwu/magisk/Info.java

@@ -1,30 +0,0 @@
-package com.topjohnwu.magisk;
-
-import androidx.annotation.NonNull;
-
-import com.topjohnwu.magisk.model.entity.UpdateInfo;
-import com.topjohnwu.superuser.Shell;
-import com.topjohnwu.superuser.ShellUtils;
-
-public final class Info {
-
-    public static int magiskVersionCode = -1;
-
-    @NonNull
-    public static String magiskVersionString = "";
-
-    public static UpdateInfo remote = new UpdateInfo();
-
-    public static boolean keepVerity = false;
-    public static boolean keepEnc = false;
-    public static boolean recovery = false;
-
-    public static void loadMagiskInfo() {
-        try {
-            magiskVersionString = ShellUtils.fastCmd("magisk -v").split(":")[0];
-            magiskVersionCode = Integer.parseInt(ShellUtils.fastCmd("magisk -V"));
-            Config.setMagiskHide(Shell.su("magiskhide --status").exec().isSuccess());
-        } catch (NumberFormatException ignored) {
-        }
-    }
-}

app/src/main/java/com/topjohnwu/magisk/arch/BaseUIActivity.kt

@@ -0,0 +1,113 @@
+package com.topjohnwu.magisk.arch
+
+import android.content.Intent
+import android.os.Bundle
+import android.view.KeyEvent
+import android.view.View
+import androidx.appcompat.app.AppCompatDelegate
+import androidx.core.content.res.use
+import androidx.databinding.DataBindingUtil
+import androidx.databinding.ViewDataBinding
+import androidx.lifecycle.MutableLiveData
+import androidx.navigation.NavController
+import androidx.navigation.NavDirections
+import androidx.navigation.fragment.NavHostFragment
+import com.topjohnwu.magisk.BR
+import com.topjohnwu.magisk.core.Config
+import com.topjohnwu.magisk.core.base.BaseActivity
+import com.topjohnwu.magisk.ui.theme.Theme
+
+abstract class BaseUIActivity<VM : BaseViewModel, Binding : ViewDataBinding> :
+    BaseActivity(), BaseUIComponent<VM> {
+
+    protected lateinit var binding: Binding
+    protected abstract val layoutRes: Int
+    protected open val themeRes: Int = Theme.selected.themeRes
+
+    private val navHostFragment by lazy {
+        supportFragmentManager.findFragmentById(navHost) as? NavHostFragment
+    }
+    private val topFragment get() = navHostFragment?.childFragmentManager?.fragments?.getOrNull(0)
+    protected val currentFragment get() = topFragment as? BaseUIFragment<*, *>
+
+    override val viewRoot: View get() = binding.root
+    open val navigation: NavController? get() = navHostFragment?.navController
+
+    open val navHost: Int = 0
+    open val snackbarView get() = binding.root
+
+    init {
+        val theme = Config.darkTheme
+        AppCompatDelegate.setDefaultNightMode(theme)
+    }
+
+    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
+        super.onActivityResult(requestCode, resultCode, data)
+        currentFragment?.onActivityResult(requestCode, resultCode, data)
+    }
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        setTheme(themeRes)
+        super.onCreate(savedInstanceState)
+
+        startObserveEvents()
+
+        // We need to set the window background explicitly since for whatever reason it's not
+        // propagated upstream
+        obtainStyledAttributes(intArrayOf(android.R.attr.windowBackground))
+            .use { it.getDrawable(0) }
+            .also { window.setBackgroundDrawable(it) }
+
+        directionsDispatcher.observe(this) {
+            it?.navigate()
+            // we don't want the directions to be re-dispatched, so we preemptively set them to null
+            if (it != null) {
+                directionsDispatcher.value = null
+            }
+        }
+    }
+
+    fun setContentView() {
+        binding = DataBindingUtil.setContentView<Binding>(this, layoutRes).also {
+            it.setVariable(BR.viewModel, viewModel)
+            it.lifecycleOwner = this
+        }
+
+        ensureInsets()
+    }
+
+    override fun onResume() {
+        super.onResume()
+        viewModel.requestRefresh()
+    }
+
+    override fun dispatchKeyEvent(event: KeyEvent): Boolean {
+        return currentFragment?.onKeyEvent(event) == true || super.dispatchKeyEvent(event)
+    }
+
+    override fun onEventDispatched(event: ViewEvent) = when(event) {
+        is ContextExecutor -> event(this)
+        is ActivityExecutor -> event(this)
+        else -> Unit
+    }
+
+    override fun onBackPressed() {
+        if (navigation == null || currentFragment?.onBackPressed()?.not() == true) {
+            super.onBackPressed()
+        }
+    }
+
+    fun NavDirections.navigate() {
+        navigation?.navigate(this)
+    }
+
+    companion object {
+
+        private val directionsDispatcher = MutableLiveData<NavDirections?>()
+
+        fun postDirections(navDirections: NavDirections) =
+            directionsDispatcher.postValue(navDirections)
+
+    }
+
+}

app/src/main/java/com/topjohnwu/magisk/arch/BaseUIComponent.kt

@@ -0,0 +1,63 @@
+package com.topjohnwu.magisk.arch
+
+import android.view.View
+import androidx.core.graphics.Insets
+import androidx.core.view.ViewCompat
+import androidx.core.view.WindowInsetsCompat
+import androidx.lifecycle.LifecycleOwner
+
+interface BaseUIComponent<VM : BaseViewModel>: LifecycleOwner {
+
+    val viewRoot: View
+    val viewModel: VM
+
+    fun startObserveEvents() {
+        viewModel.viewEvents.observe(this) {
+            onEventDispatched(it)
+        }
+    }
+
+    fun consumeSystemWindowInsets(insets: Insets): Insets? = null
+
+    /**
+     * Called for all [ViewEvent]s published by associated viewModel.
+     */
+    fun onEventDispatched(event: ViewEvent) {}
+
+    fun ensureInsets() {
+        ViewCompat.setOnApplyWindowInsetsListener(viewRoot) { _, insets ->
+            insets.asInsets()
+                .also { viewModel.insets = it }
+                .let { consumeSystemWindowInsets(it) }
+                ?.subtractBy(insets) ?: insets
+        }
+        if (ViewCompat.isAttachedToWindow(viewRoot)) {
+            ViewCompat.requestApplyInsets(viewRoot)
+        } else {
+            viewRoot.addOnAttachStateChangeListener(object : View.OnAttachStateChangeListener {
+                override fun onViewDetachedFromWindow(v: View) = Unit
+                override fun onViewAttachedToWindow(v: View) {
+                    ViewCompat.requestApplyInsets(v)
+                }
+            })
+        }
+    }
+
+    private fun WindowInsetsCompat.asInsets() = Insets.of(
+        systemWindowInsetLeft,
+        systemWindowInsetTop,
+        systemWindowInsetRight,
+        systemWindowInsetBottom
+    )
+
+    private fun Insets.subtractBy(insets: WindowInsetsCompat) =
+        WindowInsetsCompat.Builder(insets).setSystemWindowInsets(
+            Insets.of(
+                insets.systemWindowInsetLeft - left,
+                insets.systemWindowInsetTop - top,
+                insets.systemWindowInsetRight - right,
+                insets.systemWindowInsetBottom - bottom
+            )
+        ).build()
+
+}

app/src/main/java/com/topjohnwu/magisk/arch/BaseUIFragment.kt

@@ -0,0 +1,90 @@
+package com.topjohnwu.magisk.arch
+
+import android.os.Bundle
+import android.view.KeyEvent
+import android.view.LayoutInflater
+import android.view.View
+import android.view.ViewGroup
+import androidx.core.graphics.Insets
+import androidx.databinding.DataBindingUtil
+import androidx.databinding.OnRebindCallback
+import androidx.databinding.ViewDataBinding
+import androidx.fragment.app.Fragment
+import androidx.navigation.NavDirections
+import com.topjohnwu.magisk.BR
+import com.topjohnwu.magisk.ktx.startAnimations
+
+abstract class BaseUIFragment<VM : BaseViewModel, Binding : ViewDataBinding> :
+    Fragment(), BaseUIComponent<VM> {
+
+    protected val activity get() = requireActivity() as BaseUIActivity<*, *>
+    protected lateinit var binding: Binding
+    protected abstract val layoutRes: Int
+
+    override val viewRoot: View get() = binding.root
+    private val navigation get() = activity.navigation
+
+    override fun consumeSystemWindowInsets(insets: Insets) = insets
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        startObserveEvents()
+    }
+
+    override fun onCreateView(
+        inflater: LayoutInflater,
+        container: ViewGroup?,
+        savedInstanceState: Bundle?
+    ): View? {
+        binding = DataBindingUtil.inflate<Binding>(inflater, layoutRes, container, false).also {
+            it.setVariable(BR.viewModel, viewModel)
+            it.lifecycleOwner = this
+        }
+        return binding.root
+    }
+
+    override fun onEventDispatched(event: ViewEvent) = when(event) {
+        is ContextExecutor -> event(requireContext())
+        is ActivityExecutor -> event(activity)
+        is FragmentExecutor -> event(this)
+        else -> Unit
+    }
+
+    open fun onKeyEvent(event: KeyEvent): Boolean {
+        return false
+    }
+
+    open fun onBackPressed(): Boolean = false
+
+
+    override fun onViewCreated(view: View, savedInstanceState: Bundle?) {
+        super.onViewCreated(view, savedInstanceState)
+        binding.addOnRebindCallback(object : OnRebindCallback<Binding>() {
+            override fun onPreBind(binding: Binding): Boolean {
+                this@BaseUIFragment.onPreBind(binding)
+                return true
+            }
+        })
+        ensureInsets()
+    }
+
+    override fun onResume() {
+        super.onResume()
+        viewModel.requestRefresh()
+    }
+
+    protected open fun onPreBind(binding: Binding) {
+        (binding.root as? ViewGroup)?.startAnimations()
+    }
+
+    fun NavDirections.navigate() {
+        navigation?.navigate(this)
+    }
+
+}
+
+interface ReselectionTarget {
+
+    fun onReselected()
+
+}

app/src/main/java/com/topjohnwu/magisk/arch/BaseViewModel.kt

@@ -0,0 +1,114 @@
+package com.topjohnwu.magisk.arch
+
+import android.Manifest
+import android.os.Build
+import androidx.annotation.CallSuper
+import androidx.core.graphics.Insets
+import androidx.databinding.Bindable
+import androidx.databinding.Observable
+import androidx.databinding.PropertyChangeRegistry
+import androidx.lifecycle.LiveData
+import androidx.lifecycle.MutableLiveData
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
+import androidx.navigation.NavDirections
+import com.topjohnwu.magisk.BR
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.core.Info
+import com.topjohnwu.magisk.core.base.BaseActivity
+import com.topjohnwu.magisk.events.*
+import com.topjohnwu.magisk.utils.ObservableHost
+import com.topjohnwu.magisk.utils.set
+import kotlinx.coroutines.Job
+import org.koin.core.KoinComponent
+
+abstract class BaseViewModel(
+    initialState: State = State.LOADING
+) : ViewModel(), ObservableHost, KoinComponent {
+
+    override var callbacks: PropertyChangeRegistry? = null
+
+    enum class State {
+        LOADED, LOADING, LOADING_FAILED
+    }
+
+    @get:Bindable
+    val loading get() = state == State.LOADING
+    @get:Bindable
+    val loaded get() = state == State.LOADED
+    @get:Bindable
+    val loadFailed get() = state == State.LOADING_FAILED
+
+    val isConnected get() = Info.isConnected
+    val viewEvents: LiveData<ViewEvent> get() = _viewEvents
+
+    @get:Bindable
+    var insets = Insets.NONE
+        set(value) = set(value, field, { field = it }, BR.insets)
+
+    var state= initialState
+        set(value) = set(value, field, { field = it }, BR.loading, BR.loaded, BR.loadFailed)
+
+    private val _viewEvents = MutableLiveData<ViewEvent>()
+    private var runningJob: Job? = null
+    private val refreshCallback = object : Observable.OnPropertyChangedCallback() {
+        override fun onPropertyChanged(sender: Observable?, propertyId: Int) {
+            requestRefresh()
+        }
+    }
+
+    init {
+        isConnected.addOnPropertyChangedCallback(refreshCallback)
+    }
+
+    /** This should probably never be called manually, it's called manually via delegate. */
+    @Synchronized
+    fun requestRefresh() {
+        if (runningJob?.isActive == true) {
+            return
+        }
+        runningJob = refresh()
+    }
+
+    protected open fun refresh(): Job? = null
+
+    @CallSuper
+    override fun onCleared() {
+        isConnected.removeOnPropertyChangedCallback(refreshCallback)
+        super.onCleared()
+    }
+
+    fun withView(action: BaseActivity.() -> Unit) {
+        ViewActionEvent(action).publish()
+    }
+
+    fun withPermission(permission: String, callback: (Boolean) -> Unit) {
+        PermissionEvent(permission, callback).publish()
+    }
+
+    fun withExternalRW(callback: () -> Unit) {
+        withPermission(Manifest.permission.WRITE_EXTERNAL_STORAGE) {
+            if (!it) {
+                SnackbarEvent(R.string.external_rw_permission_denied).publish()
+            } else {
+                callback()
+            }
+        }
+    }
+
+    fun back() = BackPressEvent().publish()
+
+    fun <Event : ViewEvent> Event.publish() {
+        _viewEvents.postValue(this)
+    }
+
+    fun <Event : ViewEventWithScope> Event.publish() {
+        scope = viewModelScope
+        _viewEvents.postValue(this)
+    }
+
+    fun NavDirections.publish() {
+        _viewEvents.postValue(NavigationEvent(this))
+    }
+
+}

app/src/main/java/com/topjohnwu/magisk/arch/Helpers.kt

@@ -0,0 +1,48 @@
+package com.topjohnwu.magisk.arch
+
+import androidx.databinding.ViewDataBinding
+import com.topjohnwu.magisk.databinding.ComparableRvItem
+import com.topjohnwu.magisk.databinding.RvItem
+import com.topjohnwu.magisk.utils.DiffObservableList
+import com.topjohnwu.magisk.utils.FilterableDiffObservableList
+import me.tatarka.bindingcollectionadapter2.BindingRecyclerViewAdapter
+import me.tatarka.bindingcollectionadapter2.ItemBinding
+import me.tatarka.bindingcollectionadapter2.OnItemBind
+
+inline fun <T : ComparableRvItem<*>> diffListOf(
+    vararg newItems: T
+) = diffListOf(newItems.toList())
+
+inline fun <T : ComparableRvItem<*>> diffListOf(
+    newItems: List<T>
+) = DiffObservableList(object : DiffObservableList.Callback<T> {
+    override fun areItemsTheSame(oldItem: T, newItem: T) = oldItem.genericItemSameAs(newItem)
+    override fun areContentsTheSame(oldItem: T, newItem: T) = oldItem.genericContentSameAs(newItem)
+}).also { it.update(newItems) }
+
+inline fun <T : ComparableRvItem<*>> filterableListOf(
+    vararg newItems: T
+) = FilterableDiffObservableList(object : DiffObservableList.Callback<T> {
+    override fun areItemsTheSame(oldItem: T, newItem: T) = oldItem.genericItemSameAs(newItem)
+    override fun areContentsTheSame(oldItem: T, newItem: T) = oldItem.genericContentSameAs(newItem)
+}).also { it.update(newItems.toList()) }
+
+fun <T : RvItem> adapterOf() = object : BindingRecyclerViewAdapter<T>() {
+    override fun onBindBinding(
+        binding: ViewDataBinding,
+        variableId: Int,
+        layoutRes: Int,
+        position: Int,
+        item: T
+    ) {
+        super.onBindBinding(binding, variableId, layoutRes, position, item)
+        item.onBindingBound(binding)
+    }
+}
+
+inline fun <T : RvItem> itemBindingOf(
+    crossinline body: (ItemBinding<*>) -> Unit = {}
+) = OnItemBind<T> { itemBinding, _, item ->
+    item.bind(itemBinding)
+    body(itemBinding)
+}

app/src/main/java/com/topjohnwu/magisk/arch/Queryable.kt

@@ -0,0 +1,17 @@
+package com.topjohnwu.magisk.arch
+
+import android.os.Handler
+import androidx.core.os.postDelayed
+import com.topjohnwu.superuser.internal.UiThreadHandler
+
+interface Queryable {
+
+    val queryDelay: Long
+    val queryHandler: Handler get() = UiThreadHandler.handler
+
+    fun submitQuery() {
+        queryHandler.postDelayed(queryDelay) { query() }
+    }
+
+    fun query()
+}

app/src/main/java/com/topjohnwu/magisk/arch/ViewEvent.kt

@@ -0,0 +1,27 @@
+package com.topjohnwu.magisk.arch
+
+import android.content.Context
+import androidx.fragment.app.Fragment
+import kotlinx.coroutines.CoroutineScope
+
+/**
+ * Class for passing events from ViewModels to Activities/Fragments
+ * (see https://medium.com/google-developers/livedata-with-snackbar-navigation-and-other-events-the-singleliveevent-case-ac2622673150)
+ */
+abstract class ViewEvent
+
+abstract class ViewEventWithScope: ViewEvent() {
+    lateinit var scope: CoroutineScope
+}
+
+interface ContextExecutor {
+    operator fun invoke(context: Context)
+}
+
+interface ActivityExecutor {
+    operator fun invoke(activity: BaseUIActivity<*, *>)
+}
+
+interface FragmentExecutor {
+    operator fun invoke(fragment: Fragment)
+}

app/src/main/java/com/topjohnwu/magisk/core/App.kt

@@ -0,0 +1,109 @@
+package com.topjohnwu.magisk.core
+
+import android.app.Activity
+import android.app.Application
+import android.content.Context
+import android.content.res.Configuration
+import android.os.Bundle
+import androidx.appcompat.app.AppCompatDelegate
+import androidx.multidex.MultiDex
+import androidx.work.WorkManager
+import com.topjohnwu.magisk.BuildConfig
+import com.topjohnwu.magisk.DynAPK
+import com.topjohnwu.magisk.FileProvider
+import com.topjohnwu.magisk.core.su.SuCallbackHandler
+import com.topjohnwu.magisk.core.utils.IODispatcherExecutor
+import com.topjohnwu.magisk.core.utils.RootInit
+import com.topjohnwu.magisk.core.utils.updateConfig
+import com.topjohnwu.magisk.di.koinModules
+import com.topjohnwu.magisk.ktx.unwrap
+import com.topjohnwu.superuser.Shell
+import org.koin.android.ext.koin.androidContext
+import org.koin.core.context.startKoin
+import timber.log.Timber
+import kotlin.system.exitProcess
+
+open class App() : Application() {
+
+    constructor(o: Any) : this() {
+        Info.stub = DynAPK.load(o)
+    }
+
+    init {
+        AppCompatDelegate.setCompatVectorFromResourcesEnabled(true)
+        Shell.setDefaultBuilder(Shell.Builder.create()
+            .setFlags(Shell.FLAG_MOUNT_MASTER)
+            .setInitializers(RootInit::class.java)
+            .setTimeout(2))
+        Shell.EXECUTOR = IODispatcherExecutor()
+        FileProvider.callHandler = SuCallbackHandler
+
+        // Always log full stack trace with Timber
+        Timber.plant(Timber.DebugTree())
+        Thread.setDefaultUncaughtExceptionHandler { _, e ->
+            Timber.e(e)
+            exitProcess(1)
+        }
+    }
+
+    override fun attachBaseContext(base: Context) {
+        // Basic setup
+        if (BuildConfig.DEBUG)
+            MultiDex.install(base)
+
+        // Some context magic
+        val app: Application
+        val impl: Context
+        if (base is Application) {
+            app = base
+            impl = base.baseContext
+        } else {
+            app = this
+            impl = base
+        }
+        val wrapped = impl.wrap()
+        super.attachBaseContext(wrapped)
+
+        // Normal startup
+        startKoin {
+            androidContext(wrapped)
+            modules(koinModules)
+        }
+        ResMgr.init(impl)
+        app.registerActivityLifecycleCallbacks(ForegroundTracker)
+        WorkManager.initialize(impl.wrapJob(), androidx.work.Configuration.Builder().build())
+    }
+
+    // This is required as some platforms expect ContextImpl
+    override fun getBaseContext(): Context {
+        return super.getBaseContext().unwrap()
+    }
+
+    override fun onConfigurationChanged(newConfig: Configuration) {
+        resources.updateConfig(newConfig)
+        if (!isRunningAsStub)
+            super.onConfigurationChanged(newConfig)
+    }
+}
+
+object ForegroundTracker : Application.ActivityLifecycleCallbacks {
+
+    @Volatile
+    var foreground: Activity? = null
+
+    val hasForeground get() = foreground != null
+
+    override fun onActivityResumed(activity: Activity) {
+        foreground = activity
+    }
+
+    override fun onActivityPaused(activity: Activity) {
+        foreground = null
+    }
+
+    override fun onActivityCreated(activity: Activity, bundle: Bundle?) {}
+    override fun onActivityStarted(activity: Activity) {}
+    override fun onActivityStopped(activity: Activity) {}
+    override fun onActivitySaveInstanceState(activity: Activity, bundle: Bundle) {}
+    override fun onActivityDestroyed(activity: Activity) {}
+}

app/src/main/java/com/topjohnwu/magisk/core/Config.kt

@@ -1,14 +1,22 @@
-package com.topjohnwu.magisk
+package com.topjohnwu.magisk.core
 
 import android.content.Context
+import android.content.SharedPreferences
 import android.util.Xml
+import androidx.appcompat.app.AppCompatDelegate
 import androidx.core.content.edit
-import com.topjohnwu.magisk.data.database.SettingsDao
-import com.topjohnwu.magisk.data.database.StringDao
+import com.topjohnwu.magisk.BuildConfig
+import com.topjohnwu.magisk.core.magiskdb.SettingsDao
+import com.topjohnwu.magisk.core.magiskdb.StringDao
+import com.topjohnwu.magisk.core.utils.BiometricHelper
+import com.topjohnwu.magisk.core.utils.defaultLocale
+import com.topjohnwu.magisk.core.utils.refreshLocale
+import com.topjohnwu.magisk.data.preference.PreferenceModel
 import com.topjohnwu.magisk.data.repository.DBConfig
 import com.topjohnwu.magisk.di.Protected
-import com.topjohnwu.magisk.model.preference.PreferenceModel
-import com.topjohnwu.magisk.utils.*
+import com.topjohnwu.magisk.ktx.get
+import com.topjohnwu.magisk.ktx.inject
+import com.topjohnwu.magisk.ui.theme.Theme
 import com.topjohnwu.superuser.Shell
 import com.topjohnwu.superuser.io.SuFile
 import com.topjohnwu.superuser.io.SuFileInputStream
@@ -26,8 +34,9 @@ object Config : PreferenceModel, DBConfig {
         const val ROOT_ACCESS = "root_access"
         const val SU_MULTIUSER_MODE = "multiuser_mode"
         const val SU_MNT_NS = "mnt_ns"
+        const val SU_BIOMETRIC = "su_biometric"
         const val SU_MANAGER = "requester"
-        const val SU_FINGERPRINT = "su_fingerprint"
+        const val KEYSTORE = "keystore"
 
         // prefs
         const val SU_REQUEST_TIMEOUT = "su_request_timeout"
@@ -38,14 +47,18 @@ object Config : PreferenceModel, DBConfig {
         const val UPDATE_CHANNEL = "update_channel"
         const val CUSTOM_CHANNEL = "custom_channel"
         const val LOCALE = "locale"
-        const val DARK_THEME = "dark_theme"
-        const val ETAG_KEY = "ETag"
+        const val DARK_THEME = "dark_theme_extended"
         const val REPO_ORDER = "repo_order"
         const val SHOW_SYSTEM_APP = "show_system"
+        const val DOWNLOAD_DIR = "download_dir"
+        const val SAFETY = "safety_notice"
+        const val THEME_ORDINAL = "theme_ordinal"
+        const val BOOT_ID = "boot_id"
+        const val ASKED_HOME = "asked_home"
+        const val DOH = "doh"
 
         // system state
         const val MAGISKHIDE = "magiskhide"
-        const val COREONLY = "disable"
     }
 
     object Value {
@@ -55,7 +68,6 @@ object Config : PreferenceModel, DBConfig {
         const val BETA_CHANNEL = 1
         const val CUSTOM_CHANNEL = 2
         const val CANARY_CHANNEL = 3
-        const val CANARY_DEBUG_CHANNEL = 4
 
         // root access mode
         const val ROOT_ACCESS_DISABLED = 0
@@ -91,9 +103,19 @@ object Config : PreferenceModel, DBConfig {
     }
 
     private val defaultChannel =
-            if (Utils.isCanary) Value.CANARY_DEBUG_CHANNEL
-            else Value.DEFAULT_CHANNEL
+        if (BuildConfig.DEBUG)
+            Value.CANARY_CHANNEL
+        else
+            Value.DEFAULT_CHANNEL
 
+    @JvmStatic var keepVerity = false
+    @JvmStatic var keepEnc = false
+    @JvmStatic var recovery = false
+
+    var bootId by preference(Key.BOOT_ID, "")
+    var askedHome by preference(Key.ASKED_HOME, false)
+
+    var downloadDir by preference(Key.DOWNLOAD_DIR, "")
     var repoOrder by preference(Key.REPO_ORDER, Value.ORDER_DATE)
 
     var suDefaultTimeout by preferenceStrInt(Key.SU_REQUEST_TIMEOUT, 10)
@@ -101,30 +123,60 @@ object Config : PreferenceModel, DBConfig {
     var suNotification by preferenceStrInt(Key.SU_NOTIFICATION, Value.NOTIFICATION_TOAST)
     var updateChannel by preferenceStrInt(Key.UPDATE_CHANNEL, defaultChannel)
 
-    var darkTheme by preference(Key.DARK_THEME, true)
+    var safetyNotice by preference(Key.SAFETY, true)
+    var darkTheme by preference(Key.DARK_THEME, AppCompatDelegate.MODE_NIGHT_FOLLOW_SYSTEM)
+    var themeOrdinal by preference(Key.THEME_ORDINAL, Theme.Piplup.ordinal)
     var suReAuth by preference(Key.SU_REAUTH, false)
     var checkUpdate by preference(Key.CHECK_UPDATES, true)
-    @JvmStatic
+    var doh by preference(Key.DOH, defaultLocale.country == "CN")
     var magiskHide by preference(Key.MAGISKHIDE, true)
-    var coreOnly by preference(Key.COREONLY, false)
     var showSystemApp by preference(Key.SHOW_SYSTEM_APP, false)
 
     var customChannelUrl by preference(Key.CUSTOM_CHANNEL, "")
-    var locale by preference(Key.LOCALE, "")
-    @JvmStatic
-    var etagKey by preference(Key.ETAG_KEY, "")
+    private var localePrefs by preference(Key.LOCALE, "")
+    var locale
+        get() = localePrefs
+        set(value) {
+            localePrefs = value
+            refreshLocale()
+        }
 
     var rootMode by dbSettings(Key.ROOT_ACCESS, Value.ROOT_ACCESS_APPS_AND_ADB)
     var suMntNamespaceMode by dbSettings(Key.SU_MNT_NS, Value.NAMESPACE_MODE_REQUESTER)
     var suMultiuserMode by dbSettings(Key.SU_MULTIUSER_MODE, Value.MULTIUSER_MODE_OWNER_ONLY)
-    var suFingerprint by dbSettings(Key.SU_FINGERPRINT, false)
-    @JvmStatic
-    var suManager by dbStrings(Key.SU_MANAGER, "")
+    var suBiometric by dbSettings(Key.SU_BIOMETRIC, false)
+    var suManager by dbStrings(Key.SU_MANAGER, "", true)
+    var keyStoreRaw by dbStrings(Key.KEYSTORE, "", true)
 
-    fun initialize() = prefs.edit {
+    private const val SU_FINGERPRINT = "su_fingerprint"
+
+    fun initialize() {
+        prefs.edit { parsePrefs() }
+
+        prefs.edit {
+            // Settings migration
+            if (prefs.getBoolean(SU_FINGERPRINT, false))
+                suBiometric = true
+            remove(SU_FINGERPRINT)
+            prefs.getString(Key.UPDATE_CHANNEL, null).also {
+                if (it == null)
+                    putString(Key.UPDATE_CHANNEL, defaultChannel.toString())
+                else if (it.toInt() > Value.CANARY_CHANNEL)
+                    putString(Key.UPDATE_CHANNEL, Value.CANARY_CHANNEL.toString())
+            }
+
+            // Write database configs
+            putString(Key.ROOT_ACCESS, rootMode.toString())
+            putString(Key.SU_MNT_NS, suMntNamespaceMode.toString())
+            putString(Key.SU_MULTIUSER_MODE, suMultiuserMode.toString())
+            putBoolean(Key.SU_BIOMETRIC, BiometricHelper.isEnabled)
+        }
+    }
+
+    private fun SharedPreferences.Editor.parsePrefs() {
         val config = SuFile.open("/data/adb", Const.MANAGER_CONFIGS)
         if (config.exists()) runCatching {
-            val input = SuFileInputStream(config).buffered()
+            val input = SuFileInputStream(config)
             val parser = Xml.newPullParser()
             parser.setFeature(XmlPullParser.FEATURE_PROCESS_NAMESPACES, false)
             parser.setInput(input, "UTF-8")
@@ -134,7 +186,7 @@ object Config : PreferenceModel, DBConfig {
                 if (parser.eventType != XmlPullParser.START_TAG)
                     continue
                 val key: String = parser.getAttributeValue(null, "name")
-                val value: String = parser.getAttributeValue(null, "value")
+                fun value() = parser.getAttributeValue(null, "value")!!
                 when (parser.name) {
                     "string" -> {
                         parser.require(XmlPullParser.START_TAG, null, "string")
@@ -143,25 +195,25 @@ object Config : PreferenceModel, DBConfig {
                     }
                     "boolean" -> {
                         parser.require(XmlPullParser.START_TAG, null, "boolean")
-                        putBoolean(key, value.toBoolean())
+                        putBoolean(key, value().toBoolean())
                         parser.nextTag()
                         parser.require(XmlPullParser.END_TAG, null, "boolean")
                     }
                     "int" -> {
                         parser.require(XmlPullParser.START_TAG, null, "int")
-                        putInt(key, value.toInt())
+                        putInt(key, value().toInt())
                         parser.nextTag()
                         parser.require(XmlPullParser.END_TAG, null, "int")
                     }
                     "long" -> {
                         parser.require(XmlPullParser.START_TAG, null, "long")
-                        putLong(key, value.toLong())
+                        putLong(key, value().toLong())
                         parser.nextTag()
                         parser.require(XmlPullParser.END_TAG, null, "long")
                     }
                     "float" -> {
                         parser.require(XmlPullParser.START_TAG, null, "int")
-                        putFloat(key, value.toFloat())
+                        putFloat(key, value().toFloat())
                         parser.nextTag()
                         parser.require(XmlPullParser.END_TAG, null, "int")
                     }
@@ -170,27 +222,19 @@ object Config : PreferenceModel, DBConfig {
             }
             config.delete()
         }
-        remove(Key.ETAG_KEY)
-        if (!prefs.contains(Key.UPDATE_CHANNEL))
-            putString(Key.UPDATE_CHANNEL, defaultChannel.toString())
-
-        // Get actual state
-        putBoolean(Key.COREONLY, Const.MAGISK_DISABLE_FILE.exists())
-
-        // Write database configs
-        putString(Key.ROOT_ACCESS, rootMode.toString())
-        putString(Key.SU_MNT_NS, suMntNamespaceMode.toString())
-        putString(Key.SU_MULTIUSER_MODE, suMultiuserMode.toString())
-        putBoolean(Key.SU_FINGERPRINT, FingerprintHelper.useFingerprint())
     }
 
-    @JvmStatic
     fun export() {
         // Flush prefs to disk
-        prefs.edit().apply()
-        val xml = File("${get<Context>(Protected).filesDir.parent}/shared_prefs",
-                "${packageName}_preferences.xml")
+        prefs.edit().apply {
+            remove(Key.ASKED_HOME)
+        }.commit()
+        val context = get<Context>(Protected)
+        val xml = File(
+            "${context.filesDir.parent}/shared_prefs",
+            "${context.packageName}_preferences.xml"
+        )
         Shell.su("cat $xml > /data/adb/${Const.MANAGER_CONFIGS}").exec()
     }
 
-}
+}

app/src/main/java/com/topjohnwu/magisk/core/Const.kt

@@ -0,0 +1,82 @@
+package com.topjohnwu.magisk.core
+
+import android.os.Process
+
+object Const {
+
+    // Paths
+    lateinit var MAGISKTMP: String
+    val MAGISK_PATH get() = "$MAGISKTMP/modules"
+    const val TMP_FOLDER_PATH = "/dev/tmp"
+    const val MAGISK_LOG = "/cache/magisk.log"
+
+    // Versions
+    const val SNET_EXT_VER = 15
+    const val SNET_REVISION = "d494bc726e86166913a13629e3b1336728ec5d7f"
+    const val BOOTCTL_REVISION = "a6c47f86f10b310358afa9dbe837037dd5d561df"
+
+    // Misc
+    const val ANDROID_MANIFEST = "AndroidManifest.xml"
+    const val MAGISK_INSTALL_LOG_FILENAME = "magisk_install_log_%s.log"
+    const val MANAGER_CONFIGS = ".tmp.magisk.config"
+    val USER_ID = Process.myUid() / 100000
+
+    object Version {
+        const val MIN_VERSION = "v19.0"
+        const val MIN_VERCODE = 19000
+
+        fun atLeast_20_2() = Info.env.magiskVersionCode >= 20200 || isCanary()
+        fun atLeast_20_4() = Info.env.magiskVersionCode >= 20400 || isCanary()
+        fun atLeast_21_0() = Info.env.magiskVersionCode >= 21000 || isCanary()
+        fun isCanary() = Info.env.magiskVersionCode % 100 != 0
+    }
+
+    object ID {
+        const val FETCH_ZIP = 2
+        const val SELECT_BOOT = 3
+
+        // notifications
+        const val MAGISK_UPDATE_NOTIFICATION_ID = 4
+        const val APK_UPDATE_NOTIFICATION_ID = 5
+        const val DTBO_NOTIFICATION_ID = 7
+        const val HIDE_MANAGER_NOTIFICATION_ID = 8
+        const val UPDATE_NOTIFICATION_CHANNEL = "update"
+        const val PROGRESS_NOTIFICATION_CHANNEL = "progress"
+        const val CHECK_MAGISK_UPDATE_WORKER_ID = "magisk_update"
+    }
+
+    object Url {
+        const val ZIP_URL = "https://github.com/Magisk-Modules-Repo/%s/archive/master.zip"
+        const val PATREON_URL = "https://www.patreon.com/topjohnwu"
+        const val SOURCE_CODE_URL = "https://github.com/topjohnwu/Magisk"
+
+        const val GITHUB_RAW_URL = "https://raw.githubusercontent.com/"
+        const val GITHUB_API_URL = "https://api.github.com/users/Magisk-Modules-Repo/"
+        const val GITHUB_PAGE_URL = "https://topjohnwu.github.io/magisk_files/"
+    }
+
+    object Key {
+        // others
+        const val LINK_KEY = "Link"
+        const val IF_NONE_MATCH = "If-None-Match"
+        const val ETAG_KEY = "ETag"
+        // intents
+        const val OPEN_SECTION = "section"
+    }
+
+    object Value {
+        const val FLASH_ZIP = "flash"
+        const val PATCH_FILE = "patch"
+        const val FLASH_MAGISK = "magisk"
+        const val FLASH_INACTIVE_SLOT = "slot"
+        const val UNINSTALL = "uninstall"
+    }
+
+    object Nav {
+        const val HOME = "home"
+        const val SETTINGS = "settings"
+        const val HIDE = "hide"
+        const val MODULES = "modules"
+        const val SUPERUSER = "superuser"
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/GeneralReceiver.kt

@@ -0,0 +1,46 @@
+package com.topjohnwu.magisk.core
+
+import android.content.ContextWrapper
+import android.content.Intent
+import com.topjohnwu.magisk.core.base.BaseReceiver
+import com.topjohnwu.magisk.core.magiskdb.PolicyDao
+import com.topjohnwu.magisk.core.su.SuCallbackHandler
+import com.topjohnwu.magisk.view.Shortcuts
+import com.topjohnwu.superuser.Shell
+import kotlinx.coroutines.GlobalScope
+import kotlinx.coroutines.launch
+import org.koin.core.inject
+
+open class GeneralReceiver : BaseReceiver() {
+
+    private val policyDB: PolicyDao by inject()
+
+    private fun getPkg(intent: Intent): String {
+        return intent.data?.encodedSchemeSpecificPart.orEmpty()
+    }
+
+    override fun onReceive(context: ContextWrapper, intent: Intent?) {
+        intent ?: return
+
+        fun rmPolicy(pkg: String) = GlobalScope.launch {
+            policyDB.delete(pkg)
+        }
+
+        when (intent.action ?: return) {
+            Intent.ACTION_REBOOT -> {
+                SuCallbackHandler(context, intent.getStringExtra("action"), intent.extras)
+            }
+            Intent.ACTION_PACKAGE_REPLACED -> {
+                // This will only work pre-O
+                if (Config.suReAuth)
+                    rmPolicy(getPkg(intent))
+            }
+            Intent.ACTION_PACKAGE_FULLY_REMOVED -> {
+                val pkg = getPkg(intent)
+                rmPolicy(pkg)
+                Shell.su("magiskhide --rm $pkg").submit()
+            }
+            Intent.ACTION_LOCALE_CHANGED -> Shortcuts.setupDynamic(context)
+        }
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/Hacks.kt

@@ -0,0 +1,173 @@
+@file:Suppress("DEPRECATION")
+
+package com.topjohnwu.magisk.core
+
+import android.annotation.SuppressLint
+import android.app.Activity
+import android.app.job.JobInfo
+import android.app.job.JobScheduler
+import android.app.job.JobWorkItem
+import android.content.ComponentName
+import android.content.Context
+import android.content.ContextWrapper
+import android.content.Intent
+import android.content.res.AssetManager
+import android.content.res.Configuration
+import android.content.res.Resources
+import androidx.annotation.RequiresApi
+import com.topjohnwu.magisk.DynAPK
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.core.download.DownloadService
+import com.topjohnwu.magisk.core.utils.refreshLocale
+import com.topjohnwu.magisk.core.utils.updateConfig
+import com.topjohnwu.magisk.ktx.forceGetDeclaredField
+import com.topjohnwu.magisk.ui.MainActivity
+import com.topjohnwu.magisk.ui.surequest.SuRequestActivity
+
+fun AssetManager.addAssetPath(path: String) {
+    DynAPK.addAssetPath(this, path)
+}
+
+fun Context.wrap(global: Boolean = true): Context =
+    if (global) GlobalResContext(this) else ResContext(this)
+
+fun Context.wrapJob(): Context = object : GlobalResContext(this) {
+
+    override fun getApplicationContext(): Context {
+        return this
+    }
+
+    @SuppressLint("NewApi")
+    override fun getSystemService(name: String): Any? {
+        return if (!isRunningAsStub) super.getSystemService(name) else
+            when (name) {
+                Context.JOB_SCHEDULER_SERVICE ->
+                    JobSchedulerWrapper(super.getSystemService(name) as JobScheduler)
+                else -> super.getSystemService(name)
+            }
+    }
+}
+
+fun Class<*>.cmp(pkg: String): ComponentName {
+    val name = ClassMap[this].name
+    return ComponentName(pkg, Info.stub?.classToComponent?.get(name) ?: name)
+}
+
+inline fun <reified T> Activity.redirect() = Intent(intent)
+    .setComponent(T::class.java.cmp(packageName))
+    .setFlags(0)
+
+inline fun <reified T> Context.intent() = Intent().setComponent(T::class.java.cmp(packageName))
+
+private open class GlobalResContext(base: Context) : ContextWrapper(base) {
+    open val mRes: Resources get() = ResMgr.resource
+
+    override fun getResources(): Resources {
+        return mRes
+    }
+
+    override fun getClassLoader(): ClassLoader {
+        return javaClass.classLoader!!
+    }
+
+    override fun createConfigurationContext(config: Configuration): Context {
+        return ResContext(super.createConfigurationContext(config))
+    }
+}
+
+private class ResContext(base: Context) : GlobalResContext(base) {
+    override val mRes by lazy { base.resources.patch() }
+
+    private fun Resources.patch(): Resources {
+        updateConfig()
+        if (isRunningAsStub)
+            assets.addAssetPath(ResMgr.apk)
+        return this
+    }
+}
+
+object ResMgr {
+
+    lateinit var resource: Resources
+    lateinit var apk: String
+
+    fun init(context: Context) {
+        resource = context.resources
+        refreshLocale()
+        if (isRunningAsStub) {
+            apk = DynAPK.current(context).path
+            resource.assets.addAssetPath(apk)
+        } else {
+            apk = context.packageResourcePath
+        }
+    }
+}
+
+@RequiresApi(28)
+private class JobSchedulerWrapper(private val base: JobScheduler) : JobScheduler() {
+
+    override fun schedule(job: JobInfo): Int {
+        return base.schedule(job.patch())
+    }
+
+    override fun enqueue(job: JobInfo, work: JobWorkItem): Int {
+        return base.enqueue(job.patch(), work)
+    }
+
+    override fun cancel(jobId: Int) {
+        base.cancel(jobId)
+    }
+
+    override fun cancelAll() {
+        base.cancelAll()
+    }
+
+    override fun getAllPendingJobs(): List<JobInfo> {
+        return base.allPendingJobs
+    }
+
+    override fun getPendingJob(jobId: Int): JobInfo? {
+        return base.getPendingJob(jobId)
+    }
+
+    private fun JobInfo.patch(): JobInfo {
+        // We need to swap out the service of JobInfo
+        val name = service.className
+        val component = ComponentName(
+            service.packageName,
+            Info.stubChk.classToComponent[name] ?: name
+        )
+
+        javaClass.forceGetDeclaredField("service")?.set(this, component)
+        return this
+    }
+}
+
+private object ClassMap {
+
+    private val map = mapOf(
+        App::class.java to a.e::class.java,
+        MainActivity::class.java to a.b::class.java,
+        SplashActivity::class.java to a.c::class.java,
+        GeneralReceiver::class.java to a.h::class.java,
+        DownloadService::class.java to a.j::class.java,
+        SuRequestActivity::class.java to a.m::class.java
+    )
+
+    operator fun get(c: Class<*>) = map.getOrElse(c) { c }
+}
+
+// Keep a reference to these resources to prevent it from
+// being removed when running "remove unused resources"
+val shouldKeepResources = listOf(
+    R.string.no_info_provided,
+    R.string.release_notes,
+    R.string.invalid_update_channel,
+    R.string.update_available,
+    R.string.safetynet_api_error,
+    R.raw.changelog,
+    R.drawable.ic_device,
+    R.drawable.ic_hide_select_md2,
+    R.drawable.ic_more,
+    R.drawable.ic_magisk_delete
+)

app/src/main/java/com/topjohnwu/magisk/core/Info.kt

@@ -0,0 +1,87 @@
+package com.topjohnwu.magisk.core
+
+import androidx.databinding.ObservableBoolean
+import com.topjohnwu.magisk.DynAPK
+import com.topjohnwu.magisk.core.model.UpdateInfo
+import com.topjohnwu.magisk.core.utils.net.NetworkObserver
+import com.topjohnwu.magisk.ktx.get
+import com.topjohnwu.magisk.utils.CachedValue
+import com.topjohnwu.superuser.Shell
+import com.topjohnwu.superuser.ShellUtils.fastCmd
+import com.topjohnwu.superuser.internal.UiThreadHandler
+import java.io.FileInputStream
+import java.io.IOException
+import java.util.*
+
+val isRunningAsStub get() = Info.stub != null
+
+object Info {
+
+    val envRef = CachedValue { loadState() }
+
+    @JvmStatic val env by envRef
+
+    var stub: DynAPK.Data? = null
+    val stubChk: DynAPK.Data
+        get() = stub as DynAPK.Data
+
+    var remote = UpdateInfo()
+
+    // Device state
+    var crypto = ""
+    @JvmStatic var isSAR = false
+    @JvmStatic var isAB = false
+    @JvmStatic val isFDE get() = crypto == "block"
+    @JvmStatic var ramdisk = false
+    @JvmStatic var hasGMS = true
+    @JvmStatic var isPixel = false
+    @JvmStatic val cryptoText get() = crypto.capitalize(Locale.US)
+
+    val isConnected by lazy {
+        ObservableBoolean(false).also { field ->
+            NetworkObserver.observe(get()) {
+                UiThreadHandler.run { field.set(it) }
+            }
+        }
+    }
+
+    val isNewReboot by lazy {
+        try {
+            FileInputStream("/proc/sys/kernel/random/boot_id").bufferedReader().use {
+                val id = it.readLine()
+                if (id != Config.bootId) {
+                    Config.bootId = id
+                    true
+                } else {
+                    false
+                }
+            }
+        } catch (e: IOException) {
+            false
+        }
+    }
+
+    private fun loadState() = Env(
+        fastCmd("magisk -v").split(":".toRegex())[0],
+        runCatching { fastCmd("magisk -V").toInt() }.getOrDefault(-1),
+        Shell.su("magiskhide --status").exec().isSuccess
+    )
+
+    class Env(
+        val magiskVersionString: String = "",
+        code: Int = -1,
+        hide: Boolean = false
+    ) {
+        val magiskHide get() = Config.magiskHide
+        val magiskVersionCode = when (code) {
+            in Int.MIN_VALUE..Const.Version.MIN_VERCODE -> -1
+            else -> if (Shell.rootAccess()) code else -1
+        }
+        val isUnsupported = code > 0 && code < Const.Version.MIN_VERCODE
+        val isActive = magiskVersionCode >= 0
+
+        init {
+            Config.magiskHide = hide
+        }
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/SplashActivity.kt

@@ -0,0 +1,69 @@
+package com.topjohnwu.magisk.core
+
+import android.app.Activity
+import android.content.Context
+import android.os.Bundle
+import com.topjohnwu.magisk.BuildConfig
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.data.network.GithubRawServices
+import com.topjohnwu.magisk.ktx.get
+import com.topjohnwu.magisk.ui.MainActivity
+import com.topjohnwu.magisk.view.Notifications
+import com.topjohnwu.magisk.view.Shortcuts
+import com.topjohnwu.superuser.Shell
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.GlobalScope
+import kotlinx.coroutines.launch
+
+open class SplashActivity : Activity() {
+
+    override fun attachBaseContext(base: Context) {
+        super.attachBaseContext(base.wrap())
+    }
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        setTheme(R.style.SplashTheme)
+        super.onCreate(savedInstanceState)
+        GlobalScope.launch(Dispatchers.IO) {
+            initAndStart()
+        }
+    }
+
+    private fun handleRepackage() {
+        val pkg = Config.suManager
+        if (Config.suManager.isNotEmpty() && packageName == BuildConfig.APPLICATION_ID) {
+            Config.suManager = ""
+            Shell.su("(pm uninstall $pkg)& >/dev/null 2>&1").exec()
+        }
+        if (pkg == packageName) {
+            runCatching {
+                // We are the manager, remove com.topjohnwu.magisk as it could be malware
+                packageManager.getApplicationInfo(BuildConfig.APPLICATION_ID, 0)
+                Shell.su("(pm uninstall ${BuildConfig.APPLICATION_ID})& >/dev/null 2>&1").exec()
+            }
+        }
+    }
+
+    private fun initAndStart() {
+        // Pre-initialize root shell
+        Shell.getShell()
+
+        Config.initialize()
+        handleRepackage()
+        Notifications.setup(this)
+        UpdateCheckService.schedule(this)
+        Shortcuts.setupDynamic(this)
+
+        // Pre-fetch network stuffs
+        get<GithubRawServices>()
+
+        DONE = true
+
+        redirect<MainActivity>().also { startActivity(it) }
+        finish()
+    }
+
+    companion object {
+        var DONE = false
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/UpdateCheckService.kt

@@ -0,0 +1,53 @@
+package com.topjohnwu.magisk.core
+
+import android.content.Context
+import androidx.work.*
+import com.topjohnwu.magisk.BuildConfig
+import com.topjohnwu.magisk.data.repository.MagiskRepository
+import com.topjohnwu.magisk.view.Notifications
+import com.topjohnwu.superuser.Shell
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.withContext
+import org.koin.core.KoinComponent
+import org.koin.core.inject
+import java.util.concurrent.TimeUnit
+
+class UpdateCheckService(context: Context, workerParams: WorkerParameters)
+    : CoroutineWorker(context, workerParams), KoinComponent {
+
+    private val magiskRepo: MagiskRepository by inject()
+
+    override suspend fun doWork(): Result {
+        // Make sure shell initializer was ran
+        withContext(Dispatchers.IO) {
+            Shell.getShell()
+        }
+        return magiskRepo.fetchUpdate()?.let {
+            if (BuildConfig.VERSION_CODE < it.app.versionCode)
+                Notifications.managerUpdate(applicationContext)
+            else if (Info.env.isActive && Info.env.magiskVersionCode < it.magisk.versionCode)
+                Notifications.magiskUpdate(applicationContext)
+            Result.success()
+        } ?: Result.failure()
+    }
+
+    companion object {
+        fun schedule(context: Context) {
+            if (Config.checkUpdate) {
+                val constraints = Constraints.Builder()
+                    .setRequiredNetworkType(NetworkType.CONNECTED)
+                    .setRequiresDeviceIdle(true)
+                    .build()
+                val request = PeriodicWorkRequestBuilder<UpdateCheckService>(12, TimeUnit.HOURS)
+                    .setConstraints(constraints)
+                    .build()
+                WorkManager.getInstance(context).enqueueUniquePeriodicWork(
+                    Const.ID.CHECK_MAGISK_UPDATE_WORKER_ID,
+                    ExistingPeriodicWorkPolicy.REPLACE, request)
+            } else {
+                WorkManager.getInstance(context)
+                    .cancelUniqueWork(Const.ID.CHECK_MAGISK_UPDATE_WORKER_ID)
+            }
+        }
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/base/BaseActivity.kt

@@ -0,0 +1,104 @@
+package com.topjohnwu.magisk.core.base
+
+import android.Manifest
+import android.content.ActivityNotFoundException
+import android.content.Context
+import android.content.Intent
+import android.content.pm.PackageManager
+import android.content.res.Configuration
+import android.os.Build
+import android.widget.Toast
+import androidx.appcompat.app.AppCompatActivity
+import androidx.collection.SparseArrayCompat
+import androidx.core.app.ActivityCompat
+import androidx.core.content.ContextCompat
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.core.utils.currentLocale
+import com.topjohnwu.magisk.core.wrap
+import com.topjohnwu.magisk.ktx.set
+import com.topjohnwu.magisk.utils.Utils
+import kotlin.random.Random
+
+typealias RequestCallback = BaseActivity.(Int, Intent?) -> Unit
+
+abstract class BaseActivity : AppCompatActivity() {
+
+    private val resultCallbacks by lazy { SparseArrayCompat<RequestCallback>() }
+
+    override fun applyOverrideConfiguration(config: Configuration?) {
+        // Force applying our preferred local
+        config?.setLocale(currentLocale)
+        super.applyOverrideConfiguration(config)
+    }
+
+    override fun attachBaseContext(base: Context) {
+        super.attachBaseContext(base.wrap(false))
+    }
+
+    fun withPermission(permission: String, builder: PermissionRequestBuilder.() -> Unit) {
+        val request = PermissionRequestBuilder().apply(builder).build()
+
+        if (permission == Manifest.permission.WRITE_EXTERNAL_STORAGE &&
+            Build.VERSION.SDK_INT >= 29) {
+            // We do not need external rw on 29+
+            request.onSuccess()
+            return
+        }
+
+        if (ContextCompat.checkSelfPermission(this, permission) == PackageManager.PERMISSION_GRANTED) {
+            request.onSuccess()
+        } else {
+            val requestCode = Random.nextInt(256, 512)
+            resultCallbacks[requestCode] =  { result, _ ->
+                if (result > 0)
+                    request.onSuccess()
+                else
+                    request.onFailure()
+            }
+            ActivityCompat.requestPermissions(this, arrayOf(permission), requestCode)
+        }
+    }
+
+    fun withExternalRW(builder: PermissionRequestBuilder.() -> Unit) {
+        withPermission(Manifest.permission.WRITE_EXTERNAL_STORAGE, builder = builder)
+    }
+
+    override fun onRequestPermissionsResult(
+        requestCode: Int, permissions: Array<out String>, grantResults: IntArray) {
+        var success = true
+        for (res in grantResults) {
+            if (res != PackageManager.PERMISSION_GRANTED) {
+                success = false
+                break
+            }
+        }
+        resultCallbacks[requestCode]?.also {
+            resultCallbacks.remove(requestCode)
+            it(this, if (success) 1 else -1, null)
+        }
+
+    }
+
+    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
+        super.onActivityResult(requestCode, resultCode, data)
+        resultCallbacks[requestCode]?.also {
+            resultCallbacks.remove(requestCode)
+            it(this, resultCode, data)
+        }
+    }
+
+    fun startActivityForResult(intent: Intent, requestCode: Int, listener: RequestCallback) {
+        resultCallbacks[requestCode] = listener
+        try {
+            startActivityForResult(intent, requestCode)
+        } catch (e: ActivityNotFoundException) {
+            Utils.toast(R.string.app_not_found, Toast.LENGTH_SHORT)
+        }
+    }
+
+    override fun recreate() {
+        startActivity(Intent().setComponent(intent.component))
+        finish()
+    }
+
+}

app/src/main/java/com/topjohnwu/magisk/core/base/BaseReceiver.kt

@@ -0,0 +1,17 @@
+package com.topjohnwu.magisk.core.base
+
+import android.content.BroadcastReceiver
+import android.content.Context
+import android.content.ContextWrapper
+import android.content.Intent
+import com.topjohnwu.magisk.core.wrap
+import org.koin.core.KoinComponent
+
+abstract class BaseReceiver : BroadcastReceiver(), KoinComponent {
+
+    final override fun onReceive(context: Context, intent: Intent?) {
+        onReceive(context.wrap() as ContextWrapper, intent)
+    }
+
+    abstract fun onReceive(context: ContextWrapper, intent: Intent?)
+}

app/src/main/java/com/topjohnwu/magisk/core/base/BaseService.kt

@@ -0,0 +1,12 @@
+package com.topjohnwu.magisk.core.base
+
+import android.app.Service
+import android.content.Context
+import com.topjohnwu.magisk.core.wrap
+import org.koin.core.KoinComponent
+
+abstract class BaseService : Service(), KoinComponent {
+    override fun attachBaseContext(base: Context) {
+        super.attachBaseContext(base.wrap())
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/base/BaseWorkerWrapper.kt

@@ -0,0 +1,59 @@
+package com.topjohnwu.magisk.core.base
+
+import android.content.Context
+import android.net.Network
+import android.net.Uri
+import androidx.annotation.MainThread
+import androidx.annotation.RequiresApi
+import androidx.work.Data
+import androidx.work.ListenableWorker
+import com.google.common.util.concurrent.ListenableFuture
+import java.util.*
+
+abstract class BaseWorkerWrapper {
+
+    private lateinit var worker: ListenableWorker
+
+    val applicationContext: Context
+        get() = worker.applicationContext
+
+    val id: UUID
+        get() = worker.id
+
+    val inputData: Data
+        get() = worker.inputData
+
+    val tags: Set<String>
+        get() = worker.tags
+
+    val triggeredContentUris: List<Uri>
+        @RequiresApi(24)
+        get() = worker.triggeredContentUris
+
+    val triggeredContentAuthorities: List<String>
+        @RequiresApi(24)
+        get() = worker.triggeredContentAuthorities
+
+    val network: Network?
+        @RequiresApi(28)
+        get() = worker.network
+
+    val runAttemptCount: Int
+        get() = worker.runAttemptCount
+
+    val isStopped: Boolean
+        get() = worker.isStopped
+
+    abstract fun doWork(): ListenableWorker.Result
+
+    fun onStopped() {}
+
+    fun attachWorker(w: ListenableWorker) {
+        worker = w
+    }
+
+    @MainThread
+    fun startWork(): ListenableFuture<ListenableWorker.Result> {
+        return worker.startWork()
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/base/PermissionRequestBuilder.kt

@@ -1,4 +1,4 @@
-package com.topjohnwu.magisk.model.permissions
+package com.topjohnwu.magisk.core.base
 
 typealias SimpleCallback = () -> Unit
 typealias PermissionRationaleCallback = (List<String>) -> Unit
@@ -37,4 +37,4 @@ class PermissionRequest(
     fun onFailure() = onFailureCallback()
     fun onShowRationale(permissions: List<String>) = onShowRationaleCallback(permissions)
 
-}
+}

app/src/main/java/com/topjohnwu/magisk/core/download/Action.kt

@@ -0,0 +1,40 @@
+package com.topjohnwu.magisk.core.download
+
+import android.net.Uri
+import android.os.Parcelable
+import kotlinx.android.parcel.Parcelize
+
+sealed class Action : Parcelable {
+
+    sealed class Flash : Action() {
+
+        @Parcelize
+        object Primary : Flash()
+
+        @Parcelize
+        object Secondary : Flash()
+
+    }
+
+    sealed class APK : Action() {
+
+        @Parcelize
+        object Upgrade : APK()
+
+        @Parcelize
+        object Restore : APK()
+    }
+
+    @Parcelize
+    object Download : Action()
+
+    @Parcelize
+    object Uninstall : Action()
+
+    @Parcelize
+    object EnvFix : Action()
+
+    @Parcelize
+    data class Patch(val fileUri: Uri) : Action()
+
+}

app/src/main/java/com/topjohnwu/magisk/core/download/BaseDownloader.kt

@@ -0,0 +1,204 @@
+package com.topjohnwu.magisk.core.download
+
+import android.app.Notification
+import android.content.Intent
+import android.os.IBinder
+import androidx.lifecycle.LifecycleOwner
+import androidx.lifecycle.MutableLiveData
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.core.ForegroundTracker
+import com.topjohnwu.magisk.core.base.BaseService
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils.checkSum
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils.outputStream
+import com.topjohnwu.magisk.core.utils.ProgressInputStream
+import com.topjohnwu.magisk.data.network.GithubRawServices
+import com.topjohnwu.magisk.ktx.withStreams
+import com.topjohnwu.magisk.view.Notifications
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.cancel
+import kotlinx.coroutines.launch
+import okhttp3.ResponseBody
+import org.koin.android.ext.android.inject
+import org.koin.core.KoinComponent
+import timber.log.Timber
+import java.io.IOException
+import java.io.InputStream
+import java.util.*
+import kotlin.collections.HashMap
+import kotlin.random.Random.Default.nextInt
+
+abstract class BaseDownloader : BaseService(), KoinComponent {
+
+    private val hasNotifications get() = notifications.isNotEmpty()
+    private val notifications = Collections.synchronizedMap(HashMap<Int, Notification.Builder>())
+    private val coroutineScope = CoroutineScope(Dispatchers.IO)
+
+    val service: GithubRawServices by inject()
+
+    // -- Service overrides
+
+    override fun onBind(intent: Intent?): IBinder? = null
+
+    override fun onStartCommand(intent: Intent, flags: Int, startId: Int): Int {
+        intent.getParcelableExtra<Subject>(ACTION_KEY)?.let { subject ->
+            update(subject.notifyID())
+            coroutineScope.launch {
+                try {
+                    subject.startDownload()
+                } catch (e: IOException) {
+                    Timber.e(e)
+                    notifyFail(subject)
+                }
+            }
+        }
+        return START_REDELIVER_INTENT
+    }
+
+    override fun onTaskRemoved(rootIntent: Intent?) {
+        super.onTaskRemoved(rootIntent)
+        notifications.forEach { cancel(it.key) }
+        notifications.clear()
+    }
+
+    override fun onDestroy() {
+        super.onDestroy()
+        coroutineScope.cancel()
+    }
+
+    // -- Download logic
+
+    private suspend fun Subject.startDownload() {
+        val skip = this is Subject.Magisk && file.checkSum("MD5", magisk.md5)
+        if (!skip) {
+            val stream = service.fetchFile(url).toProgressStream(this)
+            when (this) {
+                is Subject.Module ->  // Download and process on-the-fly
+                    stream.toModule(file, service.fetchInstaller().byteStream())
+                else -> {
+                    withStreams(stream, file.outputStream()) { it, out -> it.copyTo(out) }
+                    if (this is Subject.Manager)
+                        handleAPK(this)
+                }
+            }
+        }
+        val newId = notifyFinish(this)
+        if (ForegroundTracker.hasForeground)
+            onFinish(this, newId)
+        if (!hasNotifications)
+            stopSelf()
+    }
+
+    private fun ResponseBody.toProgressStream(subject: Subject): InputStream {
+        val max = contentLength()
+        val total = max.toFloat() / 1048576
+        val id = subject.notifyID()
+
+        update(id) { it.setContentTitle(subject.title) }
+
+        return ProgressInputStream(byteStream()) {
+            val progress = it.toFloat() / 1048576
+            update(id) { notification ->
+                if (max > 0) {
+                    broadcast(progress / total, subject)
+                    notification
+                        .setProgress(max.toInt(), it.toInt(), false)
+                        .setContentText("%.2f / %.2f MB".format(progress, total))
+                } else {
+                    broadcast(-1f, subject)
+                    notification.setContentText("%.2f MB / ??".format(progress))
+                }
+            }
+        }
+    }
+
+    // --- Notification managements
+
+    fun Subject.notifyID() = hashCode()
+
+    private fun notifyFail(subject: Subject) = lastNotify(subject.notifyID()) {
+        broadcast(-1f, subject)
+        it.setContentText(getString(R.string.download_file_error))
+            .setSmallIcon(android.R.drawable.stat_notify_error)
+            .setOngoing(false)
+    }
+
+    private fun notifyFinish(subject: Subject) = lastNotify(subject.notifyID()) {
+        broadcast(1f, subject)
+        it.setIntent(subject)
+            .setContentTitle(subject.title)
+            .setContentText(getString(R.string.download_complete))
+            .setSmallIcon(android.R.drawable.stat_sys_download_done)
+            .setProgress(0, 0, false)
+            .setOngoing(false)
+            .setAutoCancel(true)
+    }
+
+    private fun create() = Notifications.progress(this, "")
+
+    fun update(id: Int, editor: (Notification.Builder) -> Unit = {}) {
+        val wasEmpty = !hasNotifications
+        val notification = notifications.getOrPut(id, ::create).also(editor)
+        if (wasEmpty)
+            updateForeground()
+        else
+            notify(id, notification.build())
+    }
+
+    private fun lastNotify(
+        id: Int,
+        editor: (Notification.Builder) -> Notification.Builder? = { null }
+    ) : Int {
+        val notification = remove(id)?.run(editor) ?: return -1
+        val newId: Int = nextInt()
+        notify(newId, notification.build())
+        return newId
+    }
+
+    protected fun remove(id: Int) = notifications.remove(id)
+        ?.also { updateForeground(); cancel(id) }
+        ?: { cancel(id); null }()
+
+    private fun notify(id: Int, notification: Notification) {
+        Notifications.mgr.notify(id, notification)
+    }
+
+    private fun cancel(id: Int) {
+        Notifications.mgr.cancel(id)
+    }
+
+    private fun updateForeground() {
+        if (hasNotifications) {
+            val (id, notification) = notifications.entries.first()
+            startForeground(id, notification.build())
+        } else {
+            stopForeground(false)
+        }
+    }
+
+    // --- Implement custom logic
+
+    protected abstract suspend fun onFinish(subject: Subject, id: Int)
+
+    protected abstract fun Notification.Builder.setIntent(subject: Subject): Notification.Builder
+
+    // ---
+
+    companion object : KoinComponent {
+        const val ACTION_KEY = "download_action"
+
+        private val progressBroadcast = MutableLiveData<Pair<Float, Subject>>()
+
+        fun observeProgress(owner: LifecycleOwner, callback: (Float, Subject) -> Unit) {
+            progressBroadcast.value = null
+            progressBroadcast.observe(owner) {
+                val (progress, subject) = it ?: return@observe
+                callback(progress, subject)
+            }
+        }
+
+        private fun broadcast(progress: Float, subject: Subject) {
+            progressBroadcast.postValue(progress to subject)
+        }
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/download/DownloadService.kt

@@ -0,0 +1,113 @@
+package com.topjohnwu.magisk.core.download
+
+import android.annotation.SuppressLint
+import android.app.Notification
+import android.app.PendingIntent
+import android.content.Context
+import android.content.Intent
+import android.os.Build
+import androidx.core.net.toFile
+import com.topjohnwu.magisk.core.download.Action.*
+import com.topjohnwu.magisk.core.download.Action.Flash.Secondary
+import com.topjohnwu.magisk.core.download.Subject.*
+import com.topjohnwu.magisk.core.intent
+import com.topjohnwu.magisk.core.tasks.EnvFixTask
+import com.topjohnwu.magisk.ui.flash.FlashFragment
+import com.topjohnwu.magisk.utils.APKInstall
+import kotlin.random.Random.Default.nextInt
+
+@SuppressLint("Registered")
+open class DownloadService : BaseDownloader() {
+
+    private val context get() = this
+
+    override suspend fun onFinish(subject: Subject, id: Int) = when (subject) {
+        is Magisk -> subject.onFinish(id)
+        is Module -> subject.onFinish(id)
+        is Manager -> subject.onFinish(id)
+    }
+
+    private suspend fun Magisk.onFinish(id: Int) = when (val action = action) {
+        Uninstall -> FlashFragment.uninstall(file, id)
+        EnvFix -> {
+            remove(id)
+            EnvFixTask(file).exec()
+            Unit
+        }
+        is Patch -> FlashFragment.patch(file, action.fileUri, id)
+        is Flash -> FlashFragment.flash(file, action is Secondary, id)
+        else -> Unit
+    }
+
+    private fun Module.onFinish(id: Int) = when (action) {
+        is Flash -> FlashFragment.install(file, id)
+        else -> Unit
+    }
+
+    private fun Manager.onFinish(id: Int) {
+        remove(id)
+        APKInstall.install(context, file.toFile())
+    }
+
+    // --- Customize finish notification
+
+    override fun Notification.Builder.setIntent(subject: Subject)
+    = when (subject) {
+        is Magisk -> setIntent(subject)
+        is Module -> setIntent(subject)
+        is Manager -> setIntent(subject)
+    }
+
+    private fun Notification.Builder.setIntent(subject: Magisk)
+    = when (val action = subject.action) {
+        Uninstall -> setContentIntent(FlashFragment.uninstallIntent(context, subject.file))
+        is Flash -> setContentIntent(FlashFragment.flashIntent(context, subject.file, action is Secondary))
+        is Patch -> setContentIntent(FlashFragment.patchIntent(context, subject.file, action.fileUri))
+        else -> setContentIntent(Intent())
+    }
+
+    private fun Notification.Builder.setIntent(subject: Module)
+    = when (subject.action) {
+        is Flash -> setContentIntent(FlashFragment.installIntent(context, subject.file))
+        else -> setContentIntent(Intent())
+    }
+
+    private fun Notification.Builder.setIntent(subject: Manager)
+    = when (subject.action) {
+        APK.Upgrade -> setContentIntent(APKInstall.installIntent(context, subject.file.toFile()))
+        else -> setContentIntent(Intent())
+    }
+
+    private fun Notification.Builder.setContentIntent(intent: Intent) =
+        setContentIntent(
+            PendingIntent.getActivity(context, nextInt(), intent, PendingIntent.FLAG_ONE_SHOT)
+        )
+
+    // ---
+
+    companion object {
+
+        private fun intent(context: Context, subject: Subject) =
+            context.intent<DownloadService>().putExtra(ACTION_KEY, subject)
+
+        fun pendingIntent(context: Context, subject: Subject): PendingIntent {
+            return if (Build.VERSION.SDK_INT >= 26) {
+                PendingIntent.getForegroundService(context, nextInt(),
+                    intent(context, subject), PendingIntent.FLAG_UPDATE_CURRENT)
+            } else {
+                PendingIntent.getService(context, nextInt(),
+                    intent(context, subject), PendingIntent.FLAG_UPDATE_CURRENT)
+            }
+        }
+
+        fun start(context: Context, subject: Subject) {
+            val app = context.applicationContext
+            if (Build.VERSION.SDK_INT >= 26) {
+                app.startForegroundService(intent(app, subject))
+            } else {
+                app.startService(intent(app, subject))
+            }
+        }
+    }
+
+}

app/src/main/java/com/topjohnwu/magisk/core/download/ManagerHandler.kt

@@ -0,0 +1,72 @@
+package com.topjohnwu.magisk.core.download
+
+import android.content.Context
+import androidx.core.net.toFile
+import com.topjohnwu.magisk.BuildConfig
+import com.topjohnwu.magisk.DynAPK
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.core.Config
+import com.topjohnwu.magisk.core.Info
+import com.topjohnwu.magisk.core.download.Action.APK.Restore
+import com.topjohnwu.magisk.core.download.Action.APK.Upgrade
+import com.topjohnwu.magisk.core.isRunningAsStub
+import com.topjohnwu.magisk.core.tasks.PatchAPK
+import com.topjohnwu.magisk.ktx.relaunchApp
+import com.topjohnwu.magisk.ktx.writeTo
+import com.topjohnwu.superuser.Shell
+import java.io.File
+
+private fun Context.patch(apk: File) {
+    val patched = File(apk.parent, "patched.apk")
+    PatchAPK.patch(this, apk.path, patched.path, packageName, applicationInfo.nonLocalizedLabel)
+    apk.delete()
+    patched.renameTo(apk)
+}
+
+private fun BaseDownloader.notifyHide(id: Int) {
+    update(id) {
+        it.setProgress(0, 0, true)
+            .setContentTitle(getString(R.string.hide_manager_title))
+            .setContentText("")
+    }
+}
+
+private suspend fun BaseDownloader.upgrade(subject: Subject.Manager) {
+    val apk = subject.file.toFile()
+    val id = subject.notifyID()
+    if (isRunningAsStub) {
+        // Move to upgrade location
+        apk.copyTo(DynAPK.update(this), overwrite = true)
+        apk.delete()
+        if (Info.stubChk.version < subject.stub.versionCode) {
+            notifyHide(id)
+            // Also upgrade stub
+            service.fetchFile(subject.stub.link).byteStream().use { it.writeTo(apk) }
+            patch(apk)
+        } else {
+            // Simply relaunch the app
+            stopSelf()
+            relaunchApp(this)
+        }
+    } else if (packageName != BuildConfig.APPLICATION_ID) {
+        notifyHide(id)
+        patch(apk)
+    }
+}
+
+private fun BaseDownloader.restore(apk: File, id: Int) {
+    update(id) {
+        it.setProgress(0, 0, true)
+            .setProgress(0, 0, true)
+            .setContentTitle(getString(R.string.restore_img_msg))
+            .setContentText("")
+    }
+    Config.export()
+    Shell.su("pm install $apk && pm uninstall $packageName").exec()
+}
+
+suspend fun BaseDownloader.handleAPK(subject: Subject.Manager) =
+    when (subject.action) {
+        is Upgrade -> upgrade(subject)
+        is Restore -> restore(subject.file.toFile(), subject.notifyID())
+    }

app/src/main/java/com/topjohnwu/magisk/core/download/ModuleProcessor.kt

@@ -0,0 +1,45 @@
+package com.topjohnwu.magisk.core.download
+
+import android.net.Uri
+import com.topjohnwu.magisk.ktx.withStreams
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils.outputStream
+import java.io.InputStream
+import java.util.zip.ZipEntry
+import java.util.zip.ZipInputStream
+import java.util.zip.ZipOutputStream
+
+fun InputStream.toModule(file: Uri, installer: InputStream) {
+
+    val input = ZipInputStream(buffered())
+    val output = ZipOutputStream(file.outputStream().buffered())
+
+    withStreams(input, output) { zin, zout ->
+        zout.putNextEntry(ZipEntry("META-INF/"))
+        zout.putNextEntry(ZipEntry("META-INF/com/"))
+        zout.putNextEntry(ZipEntry("META-INF/com/google/"))
+        zout.putNextEntry(ZipEntry("META-INF/com/google/android/"))
+        zout.putNextEntry(ZipEntry("META-INF/com/google/android/update-binary"))
+        installer.copyTo(zout)
+
+        zout.putNextEntry(ZipEntry("META-INF/com/google/android/updater-script"))
+        zout.write("#MAGISK\n".toByteArray(charset("UTF-8")))
+
+        var off = -1
+        var entry: ZipEntry? = zin.nextEntry
+        while (entry != null) {
+            if (off < 0) {
+                off = entry.name.indexOf('/') + 1
+            }
+
+            val path = entry.name.substring(off)
+            if (path.isNotEmpty() && !path.startsWith("META-INF")) {
+                zout.putNextEntry(ZipEntry(path))
+                if (!entry.isDirectory) {
+                    zin.copyTo(zout)
+                }
+            }
+
+            entry = zin.nextEntry
+        }
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/download/Subject.kt

@@ -0,0 +1,114 @@
+package com.topjohnwu.magisk.core.download
+
+import android.content.Context
+import android.net.Uri
+import android.os.Parcelable
+import androidx.core.net.toUri
+import com.topjohnwu.magisk.core.Info
+import com.topjohnwu.magisk.core.model.MagiskJson
+import com.topjohnwu.magisk.core.model.ManagerJson
+import com.topjohnwu.magisk.core.model.StubJson
+import com.topjohnwu.magisk.core.model.module.Repo
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils
+import com.topjohnwu.magisk.ktx.cachedFile
+import com.topjohnwu.magisk.ktx.get
+import kotlinx.android.parcel.IgnoredOnParcel
+import kotlinx.android.parcel.Parcelize
+
+private fun cachedFile(name: String) = get<Context>().cachedFile(name).apply { delete() }.toUri()
+
+sealed class Subject : Parcelable {
+
+    abstract val url: String
+    abstract val file: Uri
+    abstract val action: Action
+    abstract val title: String
+
+    @Parcelize
+    class Module(
+        val module: Repo,
+        override val action: Action
+    ) : Subject() {
+        override val url: String get() = module.zipUrl
+        override val title: String get() = module.downloadFilename
+
+        @IgnoredOnParcel
+        override val file by lazy {
+            MediaStoreUtils.getFile(title).uri
+        }
+    }
+
+    @Parcelize
+    class Manager(
+        override val action: Action.APK,
+        private val app: ManagerJson = Info.remote.app,
+        val stub: StubJson = Info.remote.stub
+    ) : Subject() {
+
+        override val title: String
+            get() = "MagiskManager-${app.version}(${app.versionCode})"
+
+        override val url: String
+            get() = app.link
+
+        @IgnoredOnParcel
+        override val file by lazy {
+            cachedFile("manager.apk")
+        }
+
+    }
+
+    abstract class Magisk : Subject() {
+
+        val magisk: MagiskJson = Info.remote.magisk
+
+        @Parcelize
+        private class Internal(
+            override val action: Action
+        ) : Magisk() {
+            override val url: String get() = magisk.link
+            override val title: String get() = "Magisk-${magisk.version}(${magisk.versionCode})"
+
+            @IgnoredOnParcel
+            override val file by lazy {
+                cachedFile("magisk.zip")
+            }
+        }
+
+        @Parcelize
+        private class Uninstall : Magisk() {
+            override val action get() = Action.Uninstall
+            override val url: String get() = Info.remote.uninstaller.link
+            override val title: String get() = "uninstall.zip"
+
+            @IgnoredOnParcel
+            override val file by lazy {
+                cachedFile(title)
+            }
+
+        }
+
+        @Parcelize
+        private class Download : Magisk() {
+            override val action get() = Action.Download
+            override val url: String get() = magisk.link
+            override val title: String get() = "Magisk-${magisk.version}(${magisk.versionCode}).zip"
+
+            @IgnoredOnParcel
+            override val file by lazy {
+                MediaStoreUtils.getFile(title).uri
+            }
+        }
+
+        companion object {
+            operator fun invoke(config: Action) = when (config) {
+                Action.Download -> Download()
+                Action.Uninstall -> Uninstall()
+                Action.EnvFix, is Action.Flash, is Action.Patch -> Internal(config)
+                else -> throw IllegalArgumentException()
+            }
+        }
+
+    }
+
+}

app/src/main/java/com/topjohnwu/magisk/core/magiskdb/BaseDao.kt

@@ -0,0 +1,28 @@
+package com.topjohnwu.magisk.core.magiskdb
+
+import androidx.annotation.StringDef
+
+abstract class BaseDao {
+
+    object Table {
+        const val POLICY = "policies"
+        const val LOG = "logs"
+        const val SETTINGS = "settings"
+        const val STRINGS = "strings"
+    }
+
+    @StringDef(Table.POLICY, Table.LOG, Table.SETTINGS, Table.STRINGS)
+    @Retention(AnnotationRetention.SOURCE)
+    annotation class TableStrict
+
+    @TableStrict
+    abstract val table: String
+
+    inline fun <reified Builder : Query.Builder> buildQuery(builder: Builder.() -> Unit = {}) =
+        Builder::class.java.newInstance()
+            .apply { table = this@BaseDao.table }
+            .apply(builder)
+            .toString()
+            .let { Query(it) }
+
+}

app/src/main/java/com/topjohnwu/magisk/core/magiskdb/PolicyDao.kt

@@ -0,0 +1,77 @@
+package com.topjohnwu.magisk.core.magiskdb
+
+import android.content.Context
+import android.content.pm.PackageManager
+import com.topjohnwu.magisk.core.Const
+import com.topjohnwu.magisk.core.model.su.SuPolicy
+import com.topjohnwu.magisk.core.model.su.toMap
+import com.topjohnwu.magisk.core.model.su.toPolicy
+import com.topjohnwu.magisk.ktx.now
+import kotlinx.coroutines.GlobalScope
+import kotlinx.coroutines.launch
+import timber.log.Timber
+import java.util.concurrent.TimeUnit
+
+
+class PolicyDao(
+    private val context: Context
+) : BaseDao() {
+
+    override val table: String = Table.POLICY
+
+    suspend fun deleteOutdated() = buildQuery<Delete> {
+        condition {
+            greaterThan("until", "0")
+            and {
+                lessThan("until", TimeUnit.MILLISECONDS.toSeconds(now).toString())
+            }
+            or {
+                lessThan("until", "0")
+            }
+        }
+    }.commit()
+
+    suspend fun delete(packageName: String) = buildQuery<Delete> {
+        condition {
+            equals("package_name", packageName)
+        }
+    }.commit()
+
+    suspend fun delete(uid: Int) = buildQuery<Delete> {
+        condition {
+            equals("uid", uid)
+        }
+    }.commit()
+
+    suspend fun fetch(uid: Int) = buildQuery<Select> {
+        condition {
+            equals("uid", uid)
+        }
+    }.query().first().toPolicyOrNull()
+
+    suspend fun update(policy: SuPolicy) = buildQuery<Replace> {
+        values(policy.toMap())
+    }.commit()
+
+    suspend fun <R: Any> fetchAll(mapper: (SuPolicy) -> R) = buildQuery<Select> {
+        condition {
+            equals("uid/100000", Const.USER_ID)
+        }
+    }.query {
+        it.toPolicyOrNull()?.let(mapper)
+    }
+
+    private fun Map<String, String>.toPolicyOrNull(): SuPolicy? {
+        return runCatching { toPolicy(context.packageManager) }.getOrElse {
+            Timber.e(it)
+            if (it is PackageManager.NameNotFoundException) {
+                val uid = getOrElse("uid") { null } ?: return null
+                GlobalScope.launch {
+                    delete(uid.toInt())
+                }
+            }
+            null
+        }
+    }
+
+}

app/src/main/java/com/topjohnwu/magisk/core/magiskdb/Query.kt

@@ -1,27 +1,41 @@
-package com.topjohnwu.magisk.data.database.base
+package com.topjohnwu.magisk.core.magiskdb
 
 import androidx.annotation.StringDef
-import com.topjohnwu.magisk.data.database.base.Order.Companion.ASC
-import com.topjohnwu.magisk.data.database.base.Order.Companion.DESC
+import com.topjohnwu.magisk.ktx.await
+import com.topjohnwu.superuser.Shell
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.async
+import kotlinx.coroutines.awaitAll
+import kotlinx.coroutines.withContext
 
-interface MagiskQueryBuilder {
+class Query(private val _query: String) {
+    val query get() = "magisk --sqlite '$_query'"
 
-    val requestType: String
-    var table: String
-
-    companion object {
-        inline operator fun <reified Builder : MagiskQueryBuilder> invoke(builder: Builder.() -> Unit): MagiskQuery =
-            Builder::class.java.newInstance()
-                .apply(builder)
-                .toString()
-                .let {
-                    MagiskQuery(it)
-                }
+    interface Builder {
+        val requestType: String
+        var table: String
     }
 
+    suspend inline fun <R : Any> query(crossinline mapper: (Map<String, String>) -> R?): List<R> =
+        withContext(Dispatchers.Default) {
+            Shell.su(query).await().out.map { line ->
+                async {
+                    line.split("\\|".toRegex())
+                        .map { it.split("=", limit = 2) }
+                        .filter { it.size == 2 }
+                        .map { it[0] to it[1] }
+                        .toMap()
+                        .let(mapper)
+                }
+            }.awaitAll().filterNotNull()
+        }
+
+    suspend inline fun query() = query { it }
+
+    suspend inline fun commit() = Shell.su(query).to(null).await()
 }
 
-class Delete : MagiskQueryBuilder {
+class Delete : Query.Builder {
     override val requestType: String = "DELETE FROM"
     override var table = ""
 
@@ -36,7 +50,7 @@ class Delete : MagiskQueryBuilder {
     }
 }
 
-class Select : MagiskQueryBuilder {
+class Select : Query.Builder {
     override val requestType: String get() = "SELECT $fields FROM"
     override lateinit var table: String
 
@@ -69,7 +83,7 @@ class Replace : Insert() {
     override val requestType: String = "REPLACE INTO"
 }
 
-open class Insert : MagiskQueryBuilder {
+open class Insert : Query.Builder {
     override val requestType: String = "INSERT INTO"
     override lateinit var table: String
 
@@ -137,19 +151,11 @@ class Condition {
     }
 }
 
-class Order {
-
-    @set:OrderStrict
-    var order = DESC
-    var field = ""
-
-    companion object {
-        const val ASC = "ASC"
-        const val DESC = "DESC"
-    }
-
+object Order {
+    const val ASC = "ASC"
+    const val DESC = "DESC"
 }
 
-@StringDef(ASC, DESC)
+@StringDef(Order.ASC, Order.DESC)
 @Retention(AnnotationRetention.SOURCE)
-annotation class OrderStrict
+annotation class OrderStrict

app/src/main/java/com/topjohnwu/magisk/core/magiskdb/SettingsDao.kt

@@ -0,0 +1,22 @@
+package com.topjohnwu.magisk.core.magiskdb
+
+class SettingsDao : BaseDao() {
+
+    override val table = Table.SETTINGS
+
+    suspend fun delete(key: String) = buildQuery<Delete> {
+        condition { equals("key", key) }
+    }.commit()
+
+    suspend fun put(key: String, value: Int) = buildQuery<Replace> {
+        values("key" to key, "value" to value)
+    }.commit()
+
+    suspend fun fetch(key: String, default: Int = -1) = buildQuery<Select> {
+        fields("value")
+        condition { equals("key", key) }
+    }.query {
+        it["value"]?.toIntOrNull()
+    }.firstOrNull() ?: default
+
+}

app/src/main/java/com/topjohnwu/magisk/core/magiskdb/StringDao.kt

@@ -0,0 +1,22 @@
+package com.topjohnwu.magisk.core.magiskdb
+
+class StringDao : BaseDao() {
+
+    override val table = Table.STRINGS
+
+    suspend fun delete(key: String) = buildQuery<Delete> {
+        condition { equals("key", key) }
+    }.commit()
+
+    suspend fun put(key: String, value: String) = buildQuery<Replace> {
+        values("key" to key, "value" to value)
+    }.commit()
+
+    suspend fun fetch(key: String, default: String = "") = buildQuery<Select> {
+        fields("value")
+        condition { equals("key", key) }
+    }.query {
+        it["value"]
+    }.firstOrNull() ?: default
+
+}

app/src/main/java/com/topjohnwu/magisk/core/model/UpdateInfo.kt

@@ -0,0 +1,43 @@
+package com.topjohnwu.magisk.core.model
+
+import android.os.Parcelable
+import com.squareup.moshi.JsonClass
+import kotlinx.android.parcel.Parcelize
+
+@JsonClass(generateAdapter = true)
+data class UpdateInfo(
+    val app: ManagerJson = ManagerJson(),
+    val uninstaller: UninstallerJson = UninstallerJson(),
+    val magisk: MagiskJson = MagiskJson(),
+    val stub: StubJson = StubJson()
+)
+
+@JsonClass(generateAdapter = true)
+data class UninstallerJson(
+    val link: String = ""
+)
+
+@JsonClass(generateAdapter = true)
+data class MagiskJson(
+    val version: String = "",
+    val versionCode: Int = -1,
+    val link: String = "",
+    val note: String = "",
+    val md5: String = ""
+)
+
+@Parcelize
+@JsonClass(generateAdapter = true)
+data class ManagerJson(
+    val version: String = "",
+    val versionCode: Int = -1,
+    val link: String = "",
+    val note: String = ""
+) : Parcelable
+
+@Parcelize
+@JsonClass(generateAdapter = true)
+data class StubJson(
+    val versionCode: Int = -1,
+    val link: String = ""
+) : Parcelable

app/src/main/java/com/topjohnwu/magisk/core/model/module/BaseModule.kt

@@ -0,0 +1,41 @@
+package com.topjohnwu.magisk.core.model.module
+
+abstract class BaseModule : Comparable<BaseModule> {
+    abstract var id: String
+        protected set
+    abstract var name: String
+        protected set
+    abstract var author: String
+        protected set
+    abstract var version: String
+        protected set
+    abstract var versionCode: Int
+        protected set
+    abstract var description: String
+        protected set
+
+    @Throws(NumberFormatException::class)
+    protected fun parseProps(props: List<String>) {
+        for (line in props) {
+            val prop = line.split("=".toRegex(), 2).map { it.trim() }
+            if (prop.size != 2)
+                continue
+
+            val key = prop[0]
+            val value = prop[1]
+            if (key.isEmpty() || key[0] == '#')
+                continue
+
+            when (key) {
+                "id" -> id = value
+                "name" -> name = value
+                "version" -> version = value
+                "versionCode" -> versionCode = value.toInt()
+                "author" -> author = value
+                "description" -> description = value
+            }
+        }
+    }
+
+    override operator fun compareTo(other: BaseModule) = name.compareTo(other.name, true)
+}

app/src/main/java/com/topjohnwu/magisk/core/model/module/Module.kt

@@ -0,0 +1,77 @@
+package com.topjohnwu.magisk.core.model.module
+
+import com.topjohnwu.magisk.core.Const
+import com.topjohnwu.superuser.Shell
+import com.topjohnwu.superuser.io.SuFile
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.withContext
+
+class Module(path: String) : BaseModule() {
+    override var id: String = ""
+    override var name: String = ""
+    override var author: String = ""
+    override var version: String = ""
+    override var versionCode: Int = -1
+    override var description: String = ""
+
+    private val removeFile = SuFile(path, "remove")
+    private val disableFile = SuFile(path, "disable")
+    private val updateFile = SuFile(path, "update")
+    private val ruleFile = SuFile(path, "sepolicy.rule")
+
+    val updated: Boolean get() = updateFile.exists()
+
+    var enable: Boolean
+        get() = !disableFile.exists()
+        set(enable) {
+            val dir = "$PERSIST/$id"
+            if (enable) {
+                Shell.su("mkdir -p $dir", "cp -af $ruleFile $dir").submit()
+                disableFile.delete()
+            } else {
+                Shell.su("rm -rf $dir").submit()
+                !disableFile.createNewFile()
+            }
+        }
+
+    var remove: Boolean
+        get() = removeFile.exists()
+        set(remove) {
+            if (remove) {
+                Shell.su("rm -rf $PERSIST/$id").submit()
+                removeFile.createNewFile()
+            } else {
+                Shell.su("cp -af $ruleFile $PERSIST/$id").submit()
+                !removeFile.delete()
+            }
+        }
+
+    init {
+        runCatching {
+            parseProps(Shell.su("dos2unix < $path/module.prop").exec().out)
+        }
+
+        if (id.isEmpty()) {
+            val sep = path.lastIndexOf('/')
+            id = path.substring(sep + 1)
+        }
+
+        if (name.isEmpty()) {
+            name = id
+        }
+    }
+
+    companion object {
+
+        private val PERSIST get() = "${Const.MAGISKTMP}/mirror/persist/magisk"
+
+        suspend fun installed() = withContext(Dispatchers.IO) {
+            SuFile(Const.MAGISK_PATH)
+                .listFiles { _, name -> name != "lost+found" && name != ".core" }
+                .orEmpty()
+                .filter { !it.isFile }
+                .map { Module("${Const.MAGISK_PATH}/${it.name}") }
+                .sortedBy { it.name.toLowerCase() }
+        }
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/model/module/Repo.kt

@@ -0,0 +1,64 @@
+package com.topjohnwu.magisk.core.model.module
+
+import android.os.Parcelable
+import androidx.room.Entity
+import androidx.room.PrimaryKey
+import com.topjohnwu.magisk.core.Const
+import com.topjohnwu.magisk.data.repository.StringRepository
+import com.topjohnwu.magisk.ktx.get
+import com.topjohnwu.magisk.ktx.legalFilename
+import kotlinx.android.parcel.Parcelize
+import java.text.DateFormat
+import java.util.*
+
+@Entity(tableName = "repos")
+@Parcelize
+data class Repo(
+    @PrimaryKey override var id: String,
+    override var name: String,
+    override var author: String,
+    override var version: String,
+    override var versionCode: Int,
+    override var description: String,
+    var last_update: Long
+) : BaseModule(), Parcelable {
+
+    private val stringRepo: StringRepository get() = get()
+
+    val lastUpdate get() = Date(last_update)
+
+    val lastUpdateString: String get() = dateFormat.format(lastUpdate)
+
+    val downloadFilename: String get() = "$name-$version($versionCode).zip".legalFilename()
+
+    suspend fun readme() = stringRepo.getReadme(this)
+
+    val zipUrl: String get() = Const.Url.ZIP_URL.format(id)
+
+    constructor(id: String) : this(id, "", "", "", -1, "", 0)
+
+    @Throws(IllegalRepoException::class)
+    private fun loadProps(props: String) {
+        props.split("\\n".toRegex()).dropLastWhile { it.isEmpty() }.runCatching {
+            parseProps(this)
+        }.onFailure {
+            throw IllegalRepoException("Repo [$id] parse error: " + it.message)
+        }
+
+        if (versionCode < 0) {
+            throw IllegalRepoException("Repo [$id] does not contain versionCode")
+        }
+    }
+
+    @Throws(IllegalRepoException::class)
+    suspend fun update(lastUpdate: Date? = null) {
+        lastUpdate?.let { last_update = it.time }
+        loadProps(stringRepo.getMetadata(this))
+    }
+
+    class IllegalRepoException(message: String) : Exception(message)
+
+    companion object {
+        val dateFormat = DateFormat.getDateTimeInstance(DateFormat.MEDIUM, DateFormat.MEDIUM)
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/model/su/SuLog.kt

@@ -0,0 +1,30 @@
+package com.topjohnwu.magisk.core.model.su
+
+import androidx.room.Entity
+import androidx.room.Ignore
+import androidx.room.PrimaryKey
+import com.topjohnwu.magisk.core.model.su.SuPolicy.Companion.ALLOW
+import com.topjohnwu.magisk.ktx.now
+import com.topjohnwu.magisk.ktx.timeFormatTime
+import com.topjohnwu.magisk.ktx.toTime
+
+@Entity(tableName = "logs")
+data class SuLog(
+    val fromUid: Int,
+    val toUid: Int,
+    val fromPid: Int,
+    val packageName: String,
+    val appName: String,
+    val command: String,
+    val action: Boolean,
+    val time: Long = -1
+) {
+    @PrimaryKey(autoGenerate = true) var id: Int = 0
+    @Ignore val timeString = time.toTime(timeFormatTime)
+}
+
+fun SuPolicy.toLog(
+    toUid: Int,
+    fromPid: Int,
+    command: String
+) = SuLog(uid, toUid, fromPid, packageName, appName, command, policy == ALLOW, now)

app/src/main/java/com/topjohnwu/magisk/core/model/su/SuPolicy.kt

@@ -1,19 +1,20 @@
-package com.topjohnwu.magisk.model.entity
+package com.topjohnwu.magisk.core.model.su
 
-import android.content.pm.ApplicationInfo
 import android.content.pm.PackageManager
-import com.topjohnwu.magisk.model.entity.MagiskPolicy.Companion.INTERACTIVE
+import android.graphics.drawable.Drawable
+import com.topjohnwu.magisk.core.model.su.SuPolicy.Companion.INTERACTIVE
+import com.topjohnwu.magisk.ktx.getLabel
 
 
-data class MagiskPolicy(
-    val uid: Int,
+data class SuPolicy(
+    var uid: Int,
     val packageName: String,
     val appName: String,
-    val policy: Int = INTERACTIVE,
-    val until: Long = -1L,
+    val icon: Drawable,
+    var policy: Int = INTERACTIVE,
+    var until: Long = -1L,
     val logging: Boolean = true,
-    val notification: Boolean = true,
-    val applicationInfo: ApplicationInfo
+    val notification: Boolean = true
 ) {
 
     companion object {
@@ -24,7 +25,7 @@ data class MagiskPolicy(
 
 }
 
-fun MagiskPolicy.toMap() = mapOf(
+fun SuPolicy.toMap() = mapOf(
     "uid" to uid,
     "package_name" to packageName,
     "policy" to policy,
@@ -34,35 +35,36 @@ fun MagiskPolicy.toMap() = mapOf(
 )
 
 @Throws(PackageManager.NameNotFoundException::class)
-fun Map<String, String>.toPolicy(pm: PackageManager): MagiskPolicy {
+fun Map<String, String>.toPolicy(pm: PackageManager): SuPolicy {
     val uid = get("uid")?.toIntOrNull() ?: -1
     val packageName = get("package_name").orEmpty()
-    val info = pm.getApplicationInfo(packageName, 0)
+    val info = pm.getApplicationInfo(packageName, PackageManager.GET_UNINSTALLED_PACKAGES)
 
     if (info.uid != uid)
         throw PackageManager.NameNotFoundException()
 
-    return MagiskPolicy(
+    return SuPolicy(
         uid = uid,
         packageName = packageName,
+        appName = info.getLabel(pm),
+        icon = info.loadIcon(pm),
         policy = get("policy")?.toIntOrNull() ?: INTERACTIVE,
         until = get("until")?.toLongOrNull() ?: -1L,
         logging = get("logging")?.toIntOrNull() != 0,
-        notification = get("notification")?.toIntOrNull() != 0,
-        applicationInfo = info,
-        appName = info.loadLabel(pm).toString()
+        notification = get("notification")?.toIntOrNull() != 0
     )
 }
 
 @Throws(PackageManager.NameNotFoundException::class)
-fun Int.toPolicy(pm: PackageManager): MagiskPolicy {
+fun Int.toPolicy(pm: PackageManager, policy: Int = INTERACTIVE): SuPolicy {
     val pkg = pm.getPackagesForUid(this)?.firstOrNull()
         ?: throw PackageManager.NameNotFoundException()
-    val info = pm.getApplicationInfo(pkg, 0)
-    return MagiskPolicy(
-        uid = this,
+    val info = pm.getApplicationInfo(pkg, PackageManager.GET_UNINSTALLED_PACKAGES)
+    return SuPolicy(
+        uid = info.uid,
         packageName = pkg,
-        applicationInfo = info,
-        appName = info.loadLabel(pm).toString()
+        appName = info.getLabel(pm),
+        icon = info.loadIcon(pm),
+        policy = policy
     )
-}
+}

app/src/main/java/com/topjohnwu/magisk/core/su/SuCallbackHandler.kt

@@ -0,0 +1,145 @@
+package com.topjohnwu.magisk.core.su
+
+import android.content.Context
+import android.content.Intent
+import android.os.Build
+import android.os.Bundle
+import android.os.Process
+import android.widget.Toast
+import com.topjohnwu.magisk.BuildConfig
+import com.topjohnwu.magisk.ProviderCallHandler
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.core.Config
+import com.topjohnwu.magisk.core.intent
+import com.topjohnwu.magisk.core.model.su.SuPolicy
+import com.topjohnwu.magisk.core.model.su.toLog
+import com.topjohnwu.magisk.core.model.su.toPolicy
+import com.topjohnwu.magisk.core.wrap
+import com.topjohnwu.magisk.data.repository.LogRepository
+import com.topjohnwu.magisk.ktx.get
+import com.topjohnwu.magisk.ktx.startActivity
+import com.topjohnwu.magisk.ktx.startActivityWithRoot
+import com.topjohnwu.magisk.ui.surequest.SuRequestActivity
+import com.topjohnwu.magisk.utils.Utils
+import com.topjohnwu.superuser.Shell
+import kotlinx.coroutines.GlobalScope
+import kotlinx.coroutines.launch
+import timber.log.Timber
+
+object SuCallbackHandler : ProviderCallHandler {
+
+    const val REQUEST = "request"
+    const val LOG = "log"
+    const val NOTIFY = "notify"
+    const val TEST = "test"
+
+    override fun call(context: Context, method: String, arg: String?, extras: Bundle?): Bundle? {
+        invoke(context.wrap(), method, extras)
+        return Bundle.EMPTY
+    }
+
+    operator fun invoke(context: Context, action: String?, data: Bundle?) {
+        data ?: return
+
+        // Debug messages
+        if (BuildConfig.DEBUG) {
+            Timber.d(action)
+            data.let { bundle ->
+                bundle.keySet().forEach {
+                    Timber.d("[%s]=[%s]", it, bundle[it])
+                }
+            }
+        }
+
+        when (action) {
+            REQUEST -> handleRequest(context, data)
+            LOG -> handleLogging(context, data)
+            NOTIFY -> handleNotify(context, data)
+            TEST -> {
+                val mode = data.getInt("mode", 2)
+                Shell.su(
+                    "magisk --connect-mode $mode",
+                    "magisk --use-broadcast"
+                ).submit()
+            }
+        }
+    }
+
+    private fun Any?.toInt(): Int? {
+        return when (this) {
+            is Number -> this.toInt()
+            else -> null
+        }
+    }
+
+    private fun handleRequest(context: Context, data: Bundle) {
+        val intent = context.intent<SuRequestActivity>()
+            .setAction(REQUEST)
+            .putExtras(data)
+            .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
+            .addFlags(Intent.FLAG_ACTIVITY_MULTIPLE_TASK)
+        if (Build.VERSION.SDK_INT >= 29) {
+            // Android Q does not allow starting activity from background
+            intent.startActivityWithRoot()
+        } else {
+            intent.startActivity(context)
+        }
+    }
+
+    private fun handleLogging(context: Context, data: Bundle) {
+        val fromUid = data["from.uid"].toInt() ?: return
+        if (fromUid == Process.myUid())
+            return
+
+        val pm = context.packageManager
+
+        val notify = data.getBoolean("notify", true)
+        val allow = data["policy"].toInt() ?: return
+
+        val policy = runCatching { fromUid.toPolicy(pm, allow) }.getOrElse { return }
+
+        if (notify)
+            notify(context, policy)
+
+        val toUid = data["to.uid"].toInt() ?: return
+        val pid = data["pid"].toInt() ?: return
+
+        val command = data.getString("command") ?: return
+        val log = policy.toLog(
+            toUid = toUid,
+            fromPid = pid,
+            command = command
+        )
+
+        val logRepo = get<LogRepository>()
+        GlobalScope.launch {
+            logRepo.insert(log)
+        }
+    }
+
+    private fun handleNotify(context: Context, data: Bundle) {
+        val fromUid = data["from.uid"].toInt() ?: return
+        if (fromUid == Process.myUid())
+            return
+
+        val pm = context.packageManager
+        val allow = data["policy"].toInt() ?: return
+
+        runCatching {
+            val policy = fromUid.toPolicy(pm, allow)
+            if (policy.policy >= 0)
+                notify(context, policy)
+        }
+    }
+
+    private fun notify(context: Context, policy: SuPolicy) {
+        if (policy.notification && Config.suNotification == Config.Value.NOTIFICATION_TOAST) {
+            val resId = if (policy.policy == SuPolicy.ALLOW)
+                R.string.su_allow_toast
+            else
+                R.string.su_deny_toast
+
+            Utils.toast(context.getString(resId, policy.appName), Toast.LENGTH_SHORT)
+        }
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/su/SuRequestHandler.kt

@@ -0,0 +1,139 @@
+package com.topjohnwu.magisk.core.su
+
+import android.content.Intent
+import android.content.pm.PackageManager
+import android.net.LocalSocket
+import android.net.LocalSocketAddress
+import androidx.collection.ArrayMap
+import com.topjohnwu.magisk.BuildConfig
+import com.topjohnwu.magisk.core.Config
+import com.topjohnwu.magisk.core.Const
+import com.topjohnwu.magisk.core.magiskdb.PolicyDao
+import com.topjohnwu.magisk.core.model.su.SuPolicy
+import com.topjohnwu.magisk.core.model.su.toPolicy
+import com.topjohnwu.magisk.ktx.now
+import kotlinx.coroutines.*
+import timber.log.Timber
+import java.io.*
+import java.util.concurrent.TimeUnit
+import java.util.concurrent.TimeUnit.SECONDS
+
+class SuRequestHandler(
+    private val pm: PackageManager,
+    private val policyDB: PolicyDao
+) : Closeable {
+
+    private lateinit var output: DataOutputStream
+    lateinit var policy: SuPolicy
+        private set
+
+    // Return true to indicate undetermined policy, require user interaction
+    suspend fun start(intent: Intent): Boolean {
+        if (!init(intent))
+            return false
+
+        // Never allow com.topjohnwu.magisk (could be malware)
+        if (policy.packageName == BuildConfig.APPLICATION_ID)
+            return false
+
+        when (Config.suAutoReponse) {
+            Config.Value.SU_AUTO_DENY -> {
+                respond(SuPolicy.DENY, 0)
+                return false
+            }
+            Config.Value.SU_AUTO_ALLOW -> {
+                respond(SuPolicy.ALLOW, 0)
+                return false
+            }
+        }
+
+        return true
+    }
+
+    private suspend fun <T> Deferred<T>.timedAwait() : T? {
+        return withTimeoutOrNull(SECONDS.toMillis(1)) {
+            await()
+        }
+    }
+
+    @Throws(IOException::class)
+    override fun close() {
+        if (::output.isInitialized)
+            output.close()
+    }
+
+    private class SuRequestError : IOException()
+
+    private suspend fun init(intent: Intent) = withContext(Dispatchers.IO) {
+        try {
+            val uid: Int
+            if (Const.Version.atLeast_21_0()) {
+                val name = intent.getStringExtra("fifo") ?: throw SuRequestError()
+                uid = intent.getIntExtra("uid", -1).also { if (it < 0) throw SuRequestError() }
+                output = DataOutputStream(FileOutputStream(name).buffered())
+            } else {
+                val name = intent.getStringExtra("socket") ?: throw SuRequestError()
+                val socket = LocalSocket()
+                socket.connect(LocalSocketAddress(name, LocalSocketAddress.Namespace.ABSTRACT))
+                output = DataOutputStream(BufferedOutputStream(socket.outputStream))
+                val input = DataInputStream(BufferedInputStream(socket.inputStream))
+                val map = async { input.readRequest() }.timedAwait() ?: throw SuRequestError()
+                uid = map["uid"]?.toIntOrNull() ?: throw SuRequestError()
+            }
+            policy = uid.toPolicy(pm)
+            true
+        } catch (e: Exception) {
+            when (e) {
+                is IOException, is PackageManager.NameNotFoundException -> {
+                    Timber.e(e)
+                    runCatching { close() }
+                    false
+                }
+                else -> throw e  // Unexpected error
+            }
+        }
+    }
+
+    fun respond(action: Int, time: Int) {
+        val until = if (time > 0)
+            TimeUnit.MILLISECONDS.toSeconds(now) + TimeUnit.MINUTES.toSeconds(time.toLong())
+        else
+            time.toLong()
+
+        policy.policy = action
+        policy.until = until
+        policy.uid = policy.uid % 100000 + Const.USER_ID * 100000
+
+        GlobalScope.launch(Dispatchers.IO) {
+            try {
+                output.writeInt(policy.policy)
+                output.flush()
+            } catch (e: IOException) {
+                Timber.e(e)
+            } finally {
+                runCatching { close() }
+                if (until >= 0)
+                    policyDB.update(policy)
+            }
+        }
+    }
+
+    @Throws(IOException::class)
+    private fun DataInputStream.readRequest(): Map<String, String> {
+        fun readString(): String {
+            val len = readInt()
+            val buf = ByteArray(len)
+            readFully(buf)
+            return String(buf, Charsets.UTF_8)
+        }
+        val ret = ArrayMap<String, String>()
+        while (true) {
+            val name = readString()
+            if (name == "eof")
+                break
+            ret[name] = readString()
+        }
+        return ret
+    }
+
+}

app/src/main/java/com/topjohnwu/magisk/core/tasks/FlashZip.kt

@@ -0,0 +1,118 @@
+package com.topjohnwu.magisk.core.tasks
+
+import android.content.Context
+import android.net.Uri
+import androidx.core.os.postDelayed
+import com.topjohnwu.magisk.core.Const
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils.displayName
+import com.topjohnwu.magisk.core.utils.unzip
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils.inputStream
+import com.topjohnwu.magisk.ktx.writeTo
+import com.topjohnwu.superuser.Shell
+import com.topjohnwu.superuser.internal.UiThreadHandler
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.withContext
+import org.koin.core.KoinComponent
+import org.koin.core.inject
+import timber.log.Timber
+import java.io.File
+import java.io.FileNotFoundException
+import java.io.IOException
+
+open class FlashZip(
+    private val mUri: Uri,
+    private val console: MutableList<String>,
+    private val logs: MutableList<String>
+): KoinComponent {
+
+    val context: Context by inject()
+    private val installFolder = File(context.cacheDir, "flash").apply {
+        if (!exists()) mkdirs()
+    }
+    private val tmpFile: File = File(installFolder, "install.zip")
+
+    @Throws(IOException::class)
+    private fun unzipAndCheck(): Boolean {
+        val parentFile = tmpFile.parentFile ?: return false
+        tmpFile.unzip(parentFile, "META-INF/com/google/android", true)
+
+        val updaterScript = File(parentFile, "updater-script")
+        return Shell
+            .su("grep -q '#MAGISK' $updaterScript")
+            .exec()
+            .isSuccess
+    }
+
+    @Throws(IOException::class)
+    private fun flash(): Boolean {
+        console.add("- Copying zip to temp directory")
+
+        runCatching {
+            mUri.inputStream().writeTo(tmpFile)
+        }.getOrElse {
+            when (it) {
+                is FileNotFoundException -> console.add("! Invalid Uri")
+                is IOException -> console.add("! Cannot copy to cache")
+            }
+            throw it
+        }
+
+        val isMagiskModule = runCatching {
+            unzipAndCheck()
+        }.getOrElse {
+            console.add("! Unzip error")
+            throw it
+        }
+
+        if (!isMagiskModule) {
+            console.add("! This zip is not a Magisk Module!")
+            return false
+        }
+
+        console.add("- Installing ${mUri.displayName}")
+
+        val parentFile = tmpFile.parent ?: return false
+
+        return Shell
+            .su(
+                "cd $parentFile",
+                "BOOTMODE=true sh update-binary dummy 1 $tmpFile"
+            )
+            .to(console, logs)
+            .exec().isSuccess
+    }
+
+    open suspend fun exec() = withContext(Dispatchers.IO) {
+        try {
+            if (!flash()) {
+                console.add("! Installation failed")
+                false
+            } else {
+                true
+            }
+        } catch (e: IOException) {
+            Timber.e(e)
+            false
+        } finally {
+            Shell.su("cd /", "rm -rf ${tmpFile.parent} ${Const.TMP_FOLDER_PATH}").submit()
+        }
+    }
+
+    class Uninstall(
+        uri: Uri,
+        console: MutableList<String>,
+        log: MutableList<String>
+    ) : FlashZip(uri, console, log) {
+
+        override suspend fun exec(): Boolean {
+            val success = super.exec()
+            if (success) {
+                UiThreadHandler.handler.postDelayed(3000) {
+                    Shell.su("pm uninstall " + context.packageName).exec()
+                }
+            }
+            return success
+        }
+    }
+
+}

app/src/main/java/com/topjohnwu/magisk/core/tasks/MagiskInstaller.kt

@@ -0,0 +1,438 @@
+package com.topjohnwu.magisk.core.tasks
+
+import android.content.Context
+import android.content.Intent
+import android.net.Uri
+import android.os.Build
+import android.widget.Toast
+import androidx.annotation.WorkerThread
+import androidx.core.os.postDelayed
+import androidx.localbroadcastmanager.content.LocalBroadcastManager
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.core.Config
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils.inputStream
+import com.topjohnwu.magisk.core.utils.MediaStoreUtils.outputStream
+import com.topjohnwu.magisk.data.network.GithubRawServices
+import com.topjohnwu.magisk.di.Protected
+import com.topjohnwu.magisk.events.dialog.EnvFixDialog
+import com.topjohnwu.magisk.ktx.reboot
+import com.topjohnwu.magisk.ktx.withStreams
+import com.topjohnwu.magisk.utils.Utils
+import com.topjohnwu.signing.SignBoot
+import com.topjohnwu.superuser.Shell
+import com.topjohnwu.superuser.ShellUtils
+import com.topjohnwu.superuser.internal.NOPList
+import com.topjohnwu.superuser.internal.UiThreadHandler
+import com.topjohnwu.superuser.io.SuFile
+import com.topjohnwu.superuser.io.SuFileInputStream
+import com.topjohnwu.superuser.io.SuFileOutputStream
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.withContext
+import org.kamranzafar.jtar.TarEntry
+import org.kamranzafar.jtar.TarHeader
+import org.kamranzafar.jtar.TarInputStream
+import org.kamranzafar.jtar.TarOutputStream
+import org.koin.core.KoinComponent
+import org.koin.core.get
+import org.koin.core.inject
+import timber.log.Timber
+import java.io.*
+import java.util.zip.ZipEntry
+import java.util.zip.ZipInputStream
+
+abstract class MagiskInstallImpl : KoinComponent {
+
+    protected lateinit var installDir: File
+    private lateinit var srcBoot: String
+    private lateinit var zipUri: Uri
+
+    protected val console: MutableList<String>
+    private val logs: MutableList<String>
+    private var tarOut: TarOutputStream? = null
+
+    private val service: GithubRawServices by inject()
+    protected val context: Context by inject()
+
+    protected constructor() {
+        console = NOPList.getInstance()
+        logs = NOPList.getInstance()
+    }
+
+    protected constructor(zip: Uri, out: MutableList<String>, err: MutableList<String>) {
+        console = out
+        logs = err
+        zipUri = zip
+        installDir = File(get<Context>(Protected).filesDir.parent, "install")
+        "rm -rf $installDir".sh()
+        installDir.mkdirs()
+    }
+
+    private fun findImage(): Boolean {
+        srcBoot = "find_boot_image; echo \"\$BOOTIMAGE\"".fsh()
+        if (srcBoot.isEmpty()) {
+            console.add("! Unable to detect target image")
+            return false
+        }
+        console.add("- Target image: $srcBoot")
+        return true
+    }
+
+    private fun findSecondaryImage(): Boolean {
+        val slot = "echo \$SLOT".fsh()
+        val target = if (slot == "_a") "_b" else "_a"
+        console.add("- Target slot: $target")
+        srcBoot = arrayOf(
+            "SLOT=$target",
+            "find_boot_image",
+            "SLOT=$slot",
+            "echo \"\$BOOTIMAGE\"").fsh()
+        if (srcBoot.isEmpty()) {
+            console.add("! Unable to detect target image")
+            return false
+        }
+        console.add("- Target image: $srcBoot")
+        return true
+    }
+
+    @Suppress("DEPRECATION")
+    private fun extractZip(): Boolean {
+        val arch: String
+        arch = if (Build.VERSION.SDK_INT >= 21) {
+            val abis = listOf(*Build.SUPPORTED_ABIS)
+            if (abis.contains("x86")) "x86" else "arm"
+        } else {
+            if (Build.CPU_ABI == "x86") "x86" else "arm"
+        }
+
+        console.add("- Device platform: " + Build.CPU_ABI)
+
+        try {
+            ZipInputStream(zipUri.inputStream().buffered()).use { zi ->
+                lateinit var ze: ZipEntry
+                while (zi.nextEntry?.let { ze = it } != null) {
+                    if (ze.isDirectory)
+                        continue
+                    var name: String? = null
+                    val names = arrayOf("$arch/", "common/", "META-INF/com/google/android/update-binary")
+                    for (n in names) {
+                        ze.name.run {
+                            if (startsWith(n)) {
+                                name = substring(lastIndexOf('/') + 1)
+                            }
+                        }
+                        name ?: continue
+                        break
+                    }
+                    if (name == null && ze.name.startsWith("chromeos/"))
+                        name = ze.name
+                    name?.also {
+                        val dest = if (installDir is SuFile)
+                            SuFile(installDir, it)
+                        else
+                            File(installDir, it)
+                        dest.parentFile!!.mkdirs()
+                        SuFileOutputStream(dest).use { s -> zi.copyTo(s) }
+                    } ?: continue
+                }
+            }
+        } catch (e: IOException) {
+            console.add("! Cannot unzip zip")
+            Timber.e(e)
+            return false
+        }
+
+        val init64 = SuFile.open(installDir, "magiskinit64")
+        if (Build.VERSION.SDK_INT >= 21 && Build.SUPPORTED_64_BIT_ABIS.isNotEmpty()) {
+            init64.renameTo(SuFile.open(installDir, "magiskinit"))
+        } else {
+            init64.delete()
+        }
+        "cd $installDir; chmod 755 *".sh()
+        return true
+    }
+
+    private fun newEntry(name: String, size: Long): TarEntry {
+        console.add("-- Writing: $name")
+        return TarEntry(TarHeader.createHeader(name, size, 0, false, 420 /* 0644 */))
+    }
+
+    @Throws(IOException::class)
+    private fun handleTar(input: InputStream, output: OutputStream): OutputStream {
+        console.add("- Processing tar file")
+        val tarOut = TarOutputStream(output)
+        TarInputStream(input).use { tarIn ->
+            lateinit var entry: TarEntry
+            while (tarIn.nextEntry?.let { entry = it } != null) {
+                if (entry.name.contains("boot.img") ||
+                    (Config.recovery && entry.name.contains("recovery.img"))) {
+                    val name = entry.name
+                    console.add("-- Extracting: $name")
+                    val extract = File(installDir, name)
+                    FileOutputStream(extract).use { tarIn.copyTo(it) }
+                    if (name.contains(".lz4")) {
+                        console.add("-- Decompressing: $name")
+                        "./magiskboot decompress $extract".sh()
+                    }
+                } else {
+                    console.add("-- Copying: " + entry.name)
+                    tarOut.putNextEntry(entry)
+                    tarIn.copyTo(tarOut)
+                }
+            }
+            val boot = SuFile.open(installDir, "boot.img")
+            val recovery = SuFile.open(installDir, "recovery.img")
+            if (recovery.exists() && boot.exists()) {
+                // Install Magisk to recovery
+                srcBoot = recovery.path
+                // Repack boot image to prevent restore
+                arrayOf(
+                    "./magiskboot unpack boot.img",
+                    "./magiskboot repack boot.img",
+                    "./magiskboot cleanup",
+                    "mv new-boot.img boot.img").sh()
+                SuFileInputStream(boot).use {
+                    tarOut.putNextEntry(newEntry("boot.img", boot.length()))
+                    it.copyTo(tarOut)
+                }
+                boot.delete()
+            } else {
+                if (!boot.exists()) {
+                    console.add("! No boot image found")
+                    throw IOException()
+                }
+                srcBoot = boot.path
+            }
+        }
+        return tarOut
+    }
+
+    private fun handleFile(uri: Uri): Boolean {
+        val outStream: OutputStream
+        val outFile: MediaStoreUtils.UriFile
+
+        // Process input file
+        try {
+            uri.inputStream().buffered().use { src ->
+                src.mark(500)
+                val magic = ByteArray(5)
+                if (src.skip(257) != 257L || src.read(magic) != magic.size) {
+                    console.add("! Invalid input file")
+                    return false
+                }
+                src.reset()
+                outStream = if (magic.contentEquals("ustar".toByteArray())) {
+                    outFile = MediaStoreUtils.getFile("magisk_patched.tar")
+                    handleTar(src, outFile.uri.outputStream())
+                } else {
+                    // Raw image
+                    srcBoot = File(installDir, "boot.img").path
+                    console.add("- Copying image to cache")
+                    FileOutputStream(srcBoot).use { src.copyTo(it) }
+                    outFile = MediaStoreUtils.getFile("magisk_patched.img")
+                    outFile.uri.outputStream()
+                }
+            }
+        } catch (e: IOException) {
+            console.add("! Process error")
+            Timber.e(e)
+            return false
+        }
+
+        // Patch file
+        if (!patchBoot())
+            return false
+
+        // Output file
+        try {
+            val patched = SuFile.open(installDir, "new-boot.img")
+            if (outStream is TarOutputStream) {
+                val name = if (srcBoot.contains("recovery")) "recovery.img" else "boot.img"
+                outStream.putNextEntry(newEntry(name, patched.length()))
+            }
+            withStreams(SuFileInputStream(patched), outStream) { src, out -> src.copyTo(out) }
+            patched.delete()
+
+            console.add("")
+            console.add("****************************")
+            console.add(" Output file is written to ")
+            console.add(" $outFile ")
+            console.add("****************************")
+        } catch (e: IOException) {
+            console.add("! Failed to output to $outFile")
+            Timber.e(e)
+            return false
+        }
+
+        return true
+    }
+
+    private fun patchBoot(): Boolean {
+        var srcNand = ""
+        if ("[ -c $srcBoot ] && nanddump -f boot.img $srcBoot".sh().isSuccess) {
+            srcNand = srcBoot
+            srcBoot = File(installDir, "boot.img").path
+        }
+
+        var isSigned = false
+        try {
+            SuFileInputStream(srcBoot).use {
+                isSigned = SignBoot.verifySignature(it, null)
+                if (isSigned) {
+                    console.add("- Boot image is signed with AVB 1.0")
+                }
+            }
+        } catch (e: IOException) {
+            console.add("! Unable to check signature")
+            return false
+        }
+
+        if (!("KEEPFORCEENCRYPT=${Config.keepEnc} KEEPVERITY=${Config.keepVerity} " +
+                "RECOVERYMODE=${Config.recovery} sh update-binary " +
+                "sh boot_patch.sh $srcBoot").sh().isSuccess) {
+            return false
+        }
+
+        if (srcNand.isNotEmpty()) {
+            srcBoot = srcNand
+        }
+
+        val job = Shell.sh(
+            "./magiskboot cleanup",
+            "mv bin/busybox busybox",
+            "rm -rf magisk.apk bin boot.img update-binary",
+            "cd /")
+
+        val patched = File(installDir, "new-boot.img")
+        if (isSigned) {
+            console.add("- Signing boot image with verity keys")
+            val signed = File(installDir, "signed.img")
+            try {
+                withStreams(SuFileInputStream(patched), signed.outputStream().buffered()) {
+                    input, out -> SignBoot.doSignature("/boot", input, out, null, null)
+                }
+            } catch (e: IOException) {
+                console.add("! Unable to sign image")
+                Timber.e(e)
+                return false
+            }
+
+            job.add("mv -f $signed $patched")
+        }
+        job.exec()
+        return true
+    }
+
+    private fun flashBoot(): Boolean {
+        if (!"direct_install $installDir $srcBoot".sh().isSuccess)
+            return false
+        "run_migrations".sh()
+        return true
+    }
+
+    private suspend fun postOTA(): Boolean {
+        val bootctl = SuFile("/data/adb/bootctl")
+        try {
+            withStreams(service.fetchBootctl().byteStream(), SuFileOutputStream(bootctl)) {
+                it, out -> it.copyTo(out)
+            }
+        } catch (e: IOException) {
+            console.add("! Unable to download bootctl")
+            Timber.e(e)
+            return false
+        }
+
+        "post_ota ${bootctl.parent}".sh()
+
+        console.add("***************************************")
+        console.add(" Next reboot will boot to second slot!")
+        console.add("***************************************")
+        return true
+    }
+
+    private fun String.sh() = Shell.sh(this).to(console, logs).exec()
+    private fun Array<String>.sh() = Shell.sh(*this).to(console, logs).exec()
+    private fun String.fsh() = ShellUtils.fastCmd(this)
+    private fun Array<String>.fsh() = ShellUtils.fastCmd(*this)
+
+    protected fun doPatchFile(patchFile: Uri) = extractZip() && handleFile(patchFile)
+
+    protected fun direct() = findImage() && extractZip() && patchBoot() && flashBoot()
+
+    protected suspend fun secondSlot() =
+        findSecondaryImage() && extractZip() && patchBoot() && flashBoot() && postOTA()
+
+    protected fun fixEnv(zip: Uri): Boolean {
+        installDir = SuFile("/data/adb/magisk")
+        Shell.su("rm -rf /data/adb/magisk/*").exec()
+        zipUri = zip
+        return extractZip() && Shell.su("fix_env").exec().isSuccess
+    }
+
+    @WorkerThread
+    protected abstract suspend fun operations(): Boolean
+
+    open suspend fun exec() = withContext(Dispatchers.IO) { operations() }
+}
+
+sealed class MagiskInstaller(
+    file: Uri,
+    console: MutableList<String>,
+    logs: MutableList<String>
+) : MagiskInstallImpl(file, console, logs) {
+
+    override suspend fun exec(): Boolean {
+        val success = super.exec()
+        if (success) {
+            console.add("- All done!")
+        } else {
+            Shell.sh("rm -rf $installDir").submit()
+            console.add("! Installation failed")
+        }
+        return success
+    }
+
+    class Patch(
+        file: Uri,
+        private val uri: Uri,
+        console: MutableList<String>,
+        logs: MutableList<String>
+    ) : MagiskInstaller(file, console, logs) {
+        override suspend fun operations() = doPatchFile(uri)
+    }
+
+    class SecondSlot(
+        file: Uri,
+        console: MutableList<String>,
+        logs: MutableList<String>
+    ) : MagiskInstaller(file, console, logs) {
+        override suspend fun operations() = secondSlot()
+    }
+
+    class Direct(
+        file: Uri,
+        console: MutableList<String>,
+        logs: MutableList<String>
+    ) : MagiskInstaller(file, console, logs) {
+        override suspend fun operations() = direct()
+    }
+
+}
+
+class EnvFixTask(
+    private val zip: Uri
+) : MagiskInstallImpl() {
+    override suspend fun operations() = fixEnv(zip)
+
+    override suspend fun exec(): Boolean {
+        val success = super.exec()
+        LocalBroadcastManager.getInstance(context).sendBroadcast(Intent(EnvFixDialog.DISMISS))
+        Utils.toast(
+            if (success) R.string.reboot_delay_toast else R.string.setup_fail,
+            Toast.LENGTH_LONG
+        )
+        if (success)
+            UiThreadHandler.handler.postDelayed(5000) { reboot() }
+        return success
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/tasks/PatchAPK.kt

@@ -0,0 +1,139 @@
+package com.topjohnwu.magisk.core.tasks
+
+import android.content.Context
+import android.os.Build.VERSION.SDK_INT
+import android.widget.Toast
+import com.topjohnwu.magisk.R
+import com.topjohnwu.magisk.core.Config
+import com.topjohnwu.magisk.core.Const
+import com.topjohnwu.magisk.core.Info
+import com.topjohnwu.magisk.core.isRunningAsStub
+import com.topjohnwu.magisk.core.utils.AXML
+import com.topjohnwu.magisk.core.utils.Keygen
+import com.topjohnwu.magisk.data.network.GithubRawServices
+import com.topjohnwu.magisk.ktx.get
+import com.topjohnwu.magisk.ktx.writeTo
+import com.topjohnwu.magisk.utils.Utils
+import com.topjohnwu.magisk.view.Notifications
+import com.topjohnwu.signing.JarMap
+import com.topjohnwu.signing.SignApk
+import com.topjohnwu.superuser.Shell
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.GlobalScope
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.withContext
+import timber.log.Timber
+import java.io.File
+import java.io.FileOutputStream
+import java.io.IOException
+import java.security.SecureRandom
+
+object PatchAPK {
+
+    private const val ALPHA = "abcdefghijklmnopqrstuvwxyz"
+    private const val ALPHADOTS = "$ALPHA....."
+
+    private const val APP_ID = "com.topjohnwu.magisk"
+    private const val APP_NAME = "Magisk Manager"
+
+    // Some arbitrary limit
+    const val MAX_LABEL_LENGTH = 32
+
+    private fun genPackageName(): CharSequence {
+        val random = SecureRandom()
+        val len = 5 + random.nextInt(15)
+        val builder = StringBuilder(len)
+        var next: Char
+        var prev = 0.toChar()
+        for (i in 0 until len) {
+            next = if (prev == '.' || i == len - 1) {
+                ALPHA[random.nextInt(ALPHA.length)]
+            } else {
+                ALPHADOTS[random.nextInt(ALPHADOTS.length)]
+            }
+            builder.append(next)
+            prev = next
+        }
+        if (!builder.contains('.')) {
+            // Pick a random index and set it as dot
+            val idx = random.nextInt(len - 1)
+            builder[idx] = '.'
+        }
+        return builder
+    }
+
+    fun patch(
+        context: Context,
+        apk: String, out: String,
+        pkg: CharSequence, label: CharSequence
+    ): Boolean {
+        try {
+            val jar = JarMap.open(apk)
+            val je = jar.getJarEntry(Const.ANDROID_MANIFEST)
+            val xml = AXML(jar.getRawData(je))
+
+            if (!xml.findAndPatch(APP_ID to pkg.toString(), APP_NAME to label.toString()))
+                return false
+
+            // Write apk changes
+            jar.getOutputStream(je).write(xml.bytes)
+            val keys = Keygen(context)
+            SignApk.sign(keys.cert, keys.key, jar, FileOutputStream(out))
+        } catch (e: Exception) {
+            Timber.e(e)
+            return false
+        }
+
+        return true
+    }
+
+    private suspend fun patchAndHide(context: Context, label: String): Boolean {
+        val dlStub = !isRunningAsStub && SDK_INT >= 28 && Const.Version.atLeast_20_2()
+        val src = if (dlStub) {
+            val stub = File(context.cacheDir, "stub.apk")
+            val svc = get<GithubRawServices>()
+            try {
+                svc.fetchFile(Info.remote.stub.link).byteStream().use {
+                    it.writeTo(stub)
+                }
+            } catch (e: IOException) {
+                Timber.e(e)
+                return false
+            }
+            stub.path
+        } else {
+            context.packageCodePath
+        }
+
+        // Generate a new random package name and signature
+        val repack = File(context.cacheDir, "patched.apk")
+        val pkg = genPackageName()
+        Config.keyStoreRaw = ""
+
+        if (!patch(context, src, repack.path, pkg, label))
+            return false
+
+        // Install the application
+        if (!Shell.su("adb_pm_install $repack").exec().isSuccess)
+            return false
+
+        Config.suManager = pkg.toString()
+        Config.export()
+        Shell.su("pm uninstall $APP_ID").submit()
+
+        return true
+    }
+
+    fun hideManager(context: Context, label: String) {
+        val progress = Notifications.progress(context, context.getString(R.string.hide_manager_title))
+        Notifications.mgr.notify(Const.ID.HIDE_MANAGER_NOTIFICATION_ID, progress.build())
+        GlobalScope.launch {
+            val result = withContext(Dispatchers.IO) {
+                patchAndHide(context, label)
+            }
+            if (!result)
+                Utils.toast(R.string.hide_manager_fail_toast, Toast.LENGTH_LONG)
+            Notifications.mgr.cancel(Const.ID.HIDE_MANAGER_NOTIFICATION_ID)
+        }
+    }
+}

app/src/main/java/com/topjohnwu/magisk/core/tasks/RepoUpdater.kt

@@ -0,0 +1,119 @@
+package com.topjohnwu.magisk.core.tasks
+
+import com.squareup.moshi.JsonClass
+import com.topjohnwu.magisk.core.Const
+import com.topjohnwu.magisk.core.model.module.Repo
+import com.topjohnwu.magisk.data.database.RepoDao
+import com.topjohnwu.magisk.data.network.GithubApiServices
+import com.topjohnwu.magisk.ktx.synchronized
+import kotlinx.coroutines.*
+import timber.log.Timber
+import java.net.HttpURLConnection
+import java.text.SimpleDateFormat
+import java.util.*
+import kotlin.collections.HashSet
+
+class RepoUpdater(
+    private val api: GithubApiServices,
+    private val repoDB: RepoDao
+) {
+
+    private fun String.trimEtag() = substring(indexOf('\"'), lastIndexOf('\"') + 1)
+
+    private suspend fun forcedReload(cached: MutableSet<String>) = coroutineScope {
+        cached.forEach {
+            launch {
+                val repo = repoDB.getRepo(it)!!
+                try {
+                    repo.update()
+                    repoDB.addRepo(repo)
+                } catch (e: Repo.IllegalRepoException) {
+                    Timber.e(e)
+                }
+            }
+        }
+    }
+
+    private suspend fun loadRepos(
+        repos: List<GithubRepoInfo>,
+        cached: MutableSet<String>
+    ) = coroutineScope {
+        repos.forEach {
+            // Skip submission
+            if (it.id == "submission")
+                return@forEach
+            launch {
+                val repo = repoDB.getRepo(it.id)?.apply { cached.remove(it.id) } ?: Repo(it.id)
+                try {
+                    repo.update(it.pushDate)
+                    repoDB.addRepo(repo)
+                } catch (e: Repo.IllegalRepoException) {
+                    Timber.e(e)
+                }
+            }
+        }
+    }
+
+    private enum class PageResult {
+        SUCCESS,
+        CACHED,
+        ERROR
+    }
+
+    private suspend fun loadPage(
+        cached: MutableSet<String>,
+        page: Int = 1,
+        etag: String = ""
+    ): PageResult = coroutineScope {
+        runCatching {
+            val result = api.fetchRepos(page, etag)
+            result.run {
+                if (code() == HttpURLConnection.HTTP_NOT_MODIFIED)
+                    return@coroutineScope PageResult.CACHED
+
+                if (!isSuccessful)
+                    return@coroutineScope PageResult.ERROR
+
+                if (page == 1)
+                    repoDB.etagKey = headers()[Const.Key.ETAG_KEY].orEmpty().trimEtag()
+
+                val repoLoad = async { loadRepos(body()!!, cached) }
+                val next = if (headers()[Const.Key.LINK_KEY].orEmpty().contains("next")) {
+                    async { loadPage(cached, page + 1) }
+                } else {
+                    async { PageResult.SUCCESS }
+                }
+                repoLoad.await()
+                return@coroutineScope next.await()
+            }
+        }.getOrElse {
+            Timber.e(it)
+            PageResult.ERROR
+        }
+    }
+
+    suspend fun run(forced: Boolean) = withContext(Dispatchers.IO) {
+        val cached = HashSet(repoDB.repoIDList).synchronized()
+        when (loadPage(cached, etag = repoDB.etagKey)) {
+            PageResult.CACHED -> if (forced) forcedReload(cached)
+            PageResult.SUCCESS -> repoDB.removeRepos(cached)
+            PageResult.ERROR -> Unit
+        }
+    }
+}
+
+private val dateFormat: SimpleDateFormat =
+    SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'", Locale.US).apply {
+        timeZone = TimeZone.getTimeZone("UTC")
+    }
+
+@JsonClass(generateAdapter = true)
+data class GithubRepoInfo(
+    val name: String,
+    val pushed_at: String
+) {
+    val id get() = name
+
+    @Transient
+    val pushDate = dateFormat.parse(pushed_at)!!
+}