Certificate issue
IzzySoft opened this issue · 7 comments
A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!
Thx for letting me know, I'll see when I get some free time and do the necessary edits for signed release builds.
Thanks!
So did you have a chance, @Martinvlba? I'm now in the final cleanup round; end of this month the last debugkey-signed APKs must be gone. Would be great if yours could be replaced until then – otherwise it will be gone from my repo at least for the time being and we'd need to reestablish the listing later then.
Not meant as pressure, just as orientation. I'll push your app to the end of the list once more for now.
Would it be okay if I include a public release key for automated workflow releases?
So F-Droid checks won't tag any issues with NeoTerm APKs.
I'm not entirely sure what you mean by that – partly because I'm no Android dev, and partly because this is not about F-Droid but about your app in my repo.
What is needed here are releases signed by a release key. IIRC, that would require the private key – which most likely should rather not leave your "safe". I know there are some ways with "secret variables" or such – but not ever having used CI, especially not GitHub's, I cannot tell, sorry.
@Martinvlba last call now. End of month, remaining "debug APKs" will be removed from my repo.
Sorry to say so, but time's up: apps signed by debug keys are removed now. So is NeoTerm, effective with the next sync around 6 pm UTC. Please give me a ping should you have the issue tackled, so we can relist the app. Meanwhile, all the best for you!