From 95389824a0347cb0b10110644de5a4652cc934ef Mon Sep 17 00:00:00 2001 From: Nikita Gorskikh Date: Mon, 11 Apr 2022 14:21:34 +0300 Subject: [PATCH 1/2] Fix apps rejecting our cert in some cases --- README.md | 3 +++ module/module.prop | 4 ++-- module/post-fs-data.sh | 18 +++++++++++++----- 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 6c695d8..439d38c 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,9 @@ Unfortunately, this is only possible on rooted devices. If a new version comes out, repeat steps 3-5 to update the module. +The module does its work during the system boot. If your AdGuard certificate changes, +you'll have to reboot the device for the new certificate to be copied to the system store. +
Illustrated instruction diff --git a/module/module.prop b/module/module.prop index c24b604..07faa93 100644 --- a/module/module.prop +++ b/module/module.prop @@ -1,6 +1,6 @@ id=adguardcert name=AdGuard Certificate -version=v1.1 -versionCode=2 +version=v1.2 +versionCode=3 author=AdGuard description=Copies AdGuard's CA certificate from the user certificate store to the system store and forces Zygisk unmount procedures for certain browsers. diff --git a/module/post-fs-data.sh b/module/post-fs-data.sh index 5d87df9..35964a8 100644 --- a/module/post-fs-data.sh +++ b/module/post-fs-data.sh @@ -1,12 +1,20 @@ #!/system/bin/sh MODDIR=${0%/*} -# Android hashes the subject to get the filename, field order is significant -# AdGuard certificate is /C=EN/O=AdGuard/CN=AdGuard Personal CA -# The filename is then . where is an integer +# Android hashes the subject to get the filename, field order is significant. +# AdGuard certificate is "/C=EN/O=AdGuard/CN=AdGuard Personal CA". +# The filename is then . where is an integer to disambiguate +# different certs with the same hash (e.g. when the same cert is installed repeteadly). +# +# Due to https://github.com/AdguardTeam/AdguardForAndroid/issues/2108 +# 1. Take the last cert with our hash from the user store. +# 2. Copy it to the system store under the name ".0". +# 3. Remove the copied cert from `cacerts-removed`. AG_CERT_HASH=0f4ed297 -cp -f /data/misc/user/*/cacerts-added/${AG_CERT_HASH}.* $MODDIR/system/etc/security/cacerts -chown -R 0:0 $MODDIR/system/etc/security/cacerts +AG_CERT_FILE=$(ls /data/misc/user/*/cacerts-added/${AG_CERT_HASH}.* | sort | tail -n1) +cp -f ${AG_CERT_FILE} ${MODDIR}/system/etc/security/cacerts/${AG_CERT_HASH}.0 +chown -R 0:0 ${MODDIR}/system/etc/security/cacerts +rm -f /data/misc/user/*/cacerts-removed/${AG_CERT_HASH}.0 [ "$(getenforce)" = "Enforcing" ] || exit 0 From 47dbc5eb2f5e32310a0495369189ba674c7857e0 Mon Sep 17 00:00:00 2001 
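Review bot: When no `${AG_CERT_HASH}.*` file exists in any user store, `AG_CERT_FILE` in `module/post-fs-data.sh` is empty, so `cp` runs with a single operand and fails while the `rm -f` on `cacerts-removed` still runs. A `.0` copied on an earlier boot presumably stays under `${MODDIR}/system/etc/security/cacerts`, so a CA the user has since removed from the user store would remain trusted system-wide. The selection is also looser than the comment implies: `sort` orders the full paths lexically, so `.10` sorts before `.2` and the user-id directory dominates the order, and a file from any profile under `/data/misc/user/*` is promoted on the strength of its name alone. I would guard the copy on a non-empty result, quote the expansions, pick by modification time if "last installed" is what is meant, and drop the stale copy when nothing matches. The second patch's comment "Assuming the last installed AdGuard's cert is the correct one" describes the same line and needs the same correction.

```shell
AG_CERT_HASH=0f4ed297
# Newest matching file by mtime; empty when no user store holds the cert.
AG_CERT_FILE=$(ls -t /data/misc/user/*/cacerts-added/"${AG_CERT_HASH}".* 2>/dev/null | head -n1)
if [ -n "${AG_CERT_FILE}" ]; then
    cp -f "${AG_CERT_FILE}" "${MODDIR}/system/etc/security/cacerts/${AG_CERT_HASH}.0"
    chown -R 0:0 "${MODDIR}/system/etc/security/cacerts"
    rm -f /data/misc/user/*/cacerts-removed/"${AG_CERT_HASH}".0
else
    # Nothing to promote: do not leave an earlier copy trusted system-wide.
    rm -f "${MODDIR}/system/etc/security/cacerts/${AG_CERT_HASH}.0"
fi
# … unchanged: getenforce check and the rest of the script …
```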
From: Nikita Gorskikh Date: Mon, 11 Apr 2022 14:25:21 +0300 Subject: [PATCH 2/2] Improve comments --- module/post-fs-data.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/module/post-fs-data.sh b/module/post-fs-data.sh index 35964a8..9625a45 100644 --- a/module/post-fs-data.sh +++ b/module/post-fs-data.sh @@ -2,14 +2,18 @@ MODDIR=${0%/*} # Android hashes the subject to get the filename, field order is significant. -# AdGuard certificate is "/C=EN/O=AdGuard/CN=AdGuard Personal CA". +# AdGuard's certificate is "/C=EN/O=AdGuard/CN=AdGuard Personal CA". # The filename is then . where is an integer to disambiguate -# different certs with the same hash (e.g. when the same cert is installed repeteadly). +# different certs with the same hash (e.g. when the same cert is installed repeatedly). # # Due to https://github.com/AdguardTeam/AdguardForAndroid/issues/2108 # 1. Take the last cert with our hash from the user store. +# Assuming the last installed AdGuard's cert is the correct one. # 2. Copy it to the system store under the name ".0". -# 3. Remove the copied cert from `cacerts-removed`. +# Apparently, some apps may ignore other certs. +# 3. Remove the ".0" cert from the `cacerts-removed` directory. +# It might get there if it's "unchecked" in the security settings. +# Apps will reject certs that are in the `cacerts-removed`. AG_CERT_HASH=0f4ed297 AG_CERT_FILE=$(ls /data/misc/user/*/cacerts-added/${AG_CERT_HASH}.* | sort | tail -n1) cp -f ${AG_CERT_FILE} ${MODDIR}/system/etc/security/cacerts/${AG_CERT_HASH}.0