Open IzzySoft opened 9 months ago
@ErfanRht yesterday's update still comes signed with a debug key. Additionally, my scanner reported the declaration of some sensible permissions which are not 100% clear why they are needed:
android.permission.RECORD_AUDIO android.permission.READ_EXTERNAL_STORAGE
plus the presence of a BLOB in the signing block: DEPENDENCY_INFO_BLOCK
. This latter one is easy to get rid of:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Houston, we've got another problem: you've done the unthinkable and DECREASED versionCode
– so your shiny new version 3.0.1 will reach nobody (actually, it gets downloaded by my updater as the tag is newer, and then deleted as the versionCode
is older than what's already in the repo):
package: name='com.example.movielab' versionCode='1' versionName='3.0.1'
Most like location of the error is here:
version: 3.0.1
No versionCode
specified to Flutter means using the default of 1
. That error was introduced with this commit: 58a98479b240c7e0f51c6a26d4b233dae2273107 almost 2 years ago, when the +2
versionCode
suffix was removed instead of being increased.
I've disabled updates for your app in my repo for now. Can you please fix this and provide an updated APK either for 3.0.1 as replacement or via a newer tag/release, whichever seems more fitting for you?
PS: I still wonder why those updates from 9/2022 pop up right now – "yesterday's update" actually was quite older but just was pulled in yesterday. But that's a different issue altogether. One important thing to point out is that apps using a debug key will be removed from my repo soon – unless they switched to a proper release key for signing.
Well, no response at all so there's no remedy. I'll hence remove the app from my repo now. Should you one day decide to address the issue and have properly signed & versioned APKs ready, be welcome to give me a ping so I can see to reestablish the listing. Thanks!
A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!