Certificate issue #21

Open
IzzySoft opened this issue Feb 9, 2024 · 7 comments

@IzzySoft
Contributor

IzzySoft commented Feb 9, 2024

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!

@dgudim
Owner

dgudim commented Feb 9, 2024

Hey, thanks for reminding. I know about the debug keys situation and will switch to proper ones once the export/import settings function is working properly.

@IzzySoft
Contributor Author

IzzySoft commented Feb 9, 2024

Thanks! Please give me a ping when the release-key signed APK(s) is/are available, as I then need to pin the new certificate hash here in my repo at that point.

@IzzySoft
Contributor Author

IzzySoft commented Mar 9, 2024

Hi @dgudim, may I kindly ask for an ETA? End of this month, the last debug APK should be gone from my repo, so I ask for orientation here.

@dgudim
Owner

dgudim commented Mar 9, 2024

Oh, I am kinda busy with life right now. Can you just leave it in the repos for now please? I'll try to get to it ASAP

@IzzySoft
Contributor Author

I'll try as long as possible. But I cannot prolong that forever – that issue needs to be closed, which can only be done when it's solved. What's needed here is just:

  • creating a proper release key if you don't have one yet
  • taking the unsigned APK and signing it with that key
  • making the resulting APK available here.

If it helps you I can dig up "step by step guides" to creating the key and signing with it. I'm no Android dev, so I don't know that off-hand. If that would help you, let me know what you're using. You can sign with apksigner of course, but IDEs like Android Studio or IntelliJ IDEA have that stuff integrated, so you might prefer a specific path here.
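
The three steps from the comment above, using `keytool` and `apksigner`, plus a check that a built APK is not debug-signed; this is an added example, not part of the thread or the project's own build. The keystore path, key alias and DN are placeholders, and the check assumes the default Android debug certificate subject (`CN=Android Debug`) as printed by `apksigner verify --print-certs`.

```shell
#!/bin/sh
# Added example: KEYSTORE, KEY_ALIAS and the DN are placeholders (assumptions).
KEYSTORE="release.jks"
KEY_ALIAS="release"

# Step 1: create a release key (keytool prompts for the passwords).
make_release_key() {
    keytool -genkeypair -v -keystore "$KEYSTORE" -alias "$KEY_ALIAS" \
        -keyalg RSA -keysize 4096 -validity 10000 \
        -dname "CN=Example Developer"
}

# Step 2: align, then sign the unsigned APK (zipalign must run before apksigner).
# usage: sign_apk unsigned.apk signed.apk
sign_apk() {
    aligned="${1%.apk}-aligned.apk"
    zipalign -p -f 4 "$1" "$aligned" &&
        apksigner sign --ks "$KEYSTORE" --ks-key-alias "$KEY_ALIAS" \
            --out "$2" "$aligned"
}

# Reads `apksigner verify --print-certs` output on stdin.
# Returns 0 if any signer certificate is the default Android debug one.
is_debug_signed() {
    grep -Eq 'certificate DN:.*CN=Android Debug([,[:space:]]|$)'
}

# Step 3 gate: run before publishing the APK.
# Returns 2 if verification fails, 1 if debug-signed; otherwise prints the
# SHA-256 certificate digest, which is the value a repository would pin.
check_apk() {
    certs=$(apksigner verify --print-certs "$1") || return 2
    if printf '%s\n' "$certs" | is_debug_signed; then
        echo "REJECT: $1 is signed with a debug key" >&2
        return 1
    fi
    printf '%s\n' "$certs" | grep 'SHA-256 digest'
}
```

Keep the release keystore backed up and out of the source repository: later updates must be signed with the same key, or the pinned certificate hash will no longer match.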

@IzzySoft
Contributor Author

@dgudim last call unfortunately now: end of month remaining "debug APKs" will be removed here. So if we have no proper replacement, that would mean your app "disappearing" from the repo. Can of course be reestablished later, once the APK becomes available – but there will be a gap then.

@IzzySoft
Contributor Author

IzzySoft commented Apr 5, 2024

I've kept it as long as I could, but sadly need to take action now; hope you'll understand that. The app will be gone from my repo with the next sync around 6 pm UTC. Please reach out to me once you have a fixed APK ready, so we can bring it back again. Meanwhile, all the best for you!
