Wrong signing key used?
IzzySoft opened this issue · 10 comments
Seems you (accidentally) used the wrong key to sign your latest release (v1.6.0):
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: b7f8f930495108b98fccf0c2eedb288182a49f2b5a9055e62292abb35299edb8
Signer #1 certificate SHA-1 digest: b9d1fb1650c513e784f62a37aa9db73cc6fa29dd
Signer #1 certificate MD5 digest: 9a0ae4c7cbc14cd1afdaba90a8b74dd7
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
That's a debug key.Checking the last version I had here before (v1.0.0), it's a debug key as well – just a different one:
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: ef4a7b8f4a0235e079f2aa9246cb58727f7e1eb240e6ffa5e3e459fd157d8bdd
Signer #1 certificate SHA-1 digest: add3d15f65a07fb11b402283bbb2bccaeeac1df5
Signer #1 certificate MD5 digest: e373b2c6cf41ff6e46ec553dea5dd25d
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Is that related to #28 – and do you by any chance generate a new debug key with every release? That would be bad as it makes updates impossible (key mismatch; Android will refuse updates then). Any chance this will be fixed in the near future – and you'll be using a proper release key?
PS: as this is a security issue (debug key; also see https://gitlab.com/IzzyOnDroid/repo/-/issues/477 where it resurfaced during a scan) I'll have to remove your app from my repo if we cannot solve this by having the APKs signed with a proper release key. I've set myself a reminder for 2024-02-10 for that should we be unable to solve it here.
Thanks! Looking forward to the next release then.
Thanks! Looking forward to the next release then.
done
Thanks! Switching to the new signature here then (signatures in my repo are pinned to guarantee updates come from the correct signer).
My scanner reported another finding, though: your app requests android.permission.MANAGE_EXTERNAL_STORAGE. What is that needed for that SAF (Storage Access Framework) cannot cover? This permission is usually reserved to file managers and the likes.
Oh, and btw: You still use the very same versionName. That should be increased with each new release, otherwise Android doesn't see it as an update. Can you please do so here (or where you maintain version information – most likely somewhere else as the versionName there is different from what the APK shows) for future releases – increase the number behind the +?
Thanks! Switching to the new signature here then (signatures in my repo are pinned to guarantee updates come from the correct signer).
My scanner reported another finding, though: your app requests
android.permission.MANAGE_EXTERNAL_STORAGE. What is that needed for that SAF (Storage Access Framework) cannot cover? This permission is usually reserved to file managers and the likes.
apps use that for accessing files from storage, which can be sent to connected server
Oh, and btw: You still use the very same
versionName. That should be increased with each new release, otherwise Android doesn't see it as an update. Can you please do so here (or where you maintain version information – most likely somewhere else as theversionNamethere is different from what the APK shows) for future releases – increase the number behind the+?
let me update this too
apps use that for accessing files from storage, which can be sent to connected server
Not necessarily: "accessing files from storage" can be done via SAF (it's called Storage Access Framework for a reason 😉) So why use an excessive permission? Sure you can kill a fly with atomics, but usually a swatter does the job well enough (and with less side-effects). It's a potential security risk, and e.g. PlayStore wouldn't allow you to upload your app with that.
let me update this too
Thanks!
Thanks! So how was the view when you looked? 😉