FossifyOrg / Phone

A handy phone call manager with phonebook, number blocking and multi-SIM support
https://www.fossify.org
GNU General Public License v3.0

signing options #43

Open IzzySoft opened 10 months ago

IzzySoft commented 10 months ago

I just found the release (didn't you want to ping me when the next app is available, @naveensingh?) – great, so I can include phone with my repo as well! However, the pre-inclusion scan brought up this:

```text
SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
```

Not sure how you sign your APKs, but my guess is AndroidStudio, which includes that blob by default. I've heard there's an option to disable that; alternatively, signing with apksigner avoids this as well.

You can find some background on that dependency info block (and other blobs in signing blocks) here; I'll hopefully set up proper documentation soon. In short, this is supposed to be just the dependency tree in binary form, but it's encrypted so no one but Google can really read it. As one could even hide a payload in such blobs (details behind my link), it's better avoided.

No pressure, no ultimatum or whatever – this is just a hint. And it most likely affects the builds of your other apps as well. This additional check was just included with my repo yesterday, and only with the pre-inclusion checks for now, which is why it didn't show up earlier with any app.

Thanks for checking, evaluating – and hopefully, adjusting :wink:

PS: May I ask why phone requires android.permission.WRITE_EXTERNAL_STORAGE? Minimum Android version is 6, so I guess you're using SAF for file system access when needed?

image

(Going live with the next sync around 7 pm UTC – and for formatting of the description, I already gave you the hint for HTML; again please let me know when you switch to that so I adjust my updater accordingly)

naveensingh commented 10 months ago

@IzzySoft

Thanks for the detailed info! From now on, I'll remove the encrypted dependency info from foss releases. As per the docs, the following should do the job:

```groovy
android {
    dependenciesInfo {
        // do not embed the Play-encrypted dependency metadata block in the APK signing block
        includeInApk = false
    }
}
```

> May I ask why phone requires android.permission.WRITE_EXTERNAL_STORAGE?

It was added back in 2021 for importing/exporting blocked numbers (not by me). I'll investigate the 'why' and remove it.

> didn't you want to ping me when the next app is available, @naveensingh?

Ma bad! I assumed you might have some sort of automation script running for interesting projects. I'll notify you when the next app is available and when I update the description format.
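The scan result IzzySoft quotes above and the Gradle fix naveensingh proposes can both be checked with a small parser for the APK Signing Block, run once on the current build and again after `includeInApk = false` lands. The following is an added example, not IzzySoft's repo scanner and not Fossify code. It walks the ZIP End of Central Directory record to the Central Directory offset, reads the `APK Sig Block 42` structure that Android places directly before it, and lists the ID-value pairs, flagging `0x504b4453`. The block ID names are the ones used in Android's apksig/bundletool sources; the "APK" it builds for the demo is a constructed byte string with dummy ZIP entries and no real signature, since only the layout around the Central Directory matters to the scanner.

```python
"""List APK Signing Block blobs and flag the Google Play dependency-info block (0x504b4453)."""
import struct
from typing import List, Tuple

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"           # ZIP End of Central Directory record
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453    # "PKDS": the blob reported by the repo scan

# Block IDs as named in Android's apksig / bundletool sources.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x2B09189E: "SourceStamp v1",
    0x6DFF800D: "SourceStamp v2",
    0x42726577: "verity padding",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK (Google Play, encrypted)",
}


def find_eocd(data: bytes) -> int:
    """Return the offset of the EOCD record; a ZIP comment of up to 65535 bytes may follow it."""
    search_from = max(0, len(data) - 22 - 0xFFFF)
    idx = data.rfind(EOCD_SIGNATURE, search_from)
    while idx != -1:
        if idx + 22 <= len(data):
            comment_len = struct.unpack_from("<H", data, idx + 20)[0]
            if idx + 22 + comment_len == len(data):
                return idx
        idx = data.rfind(EOCD_SIGNATURE, search_from, idx)
    raise ValueError("not a ZIP/APK: no End of Central Directory record")


def parse_signing_block(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (id, value) pairs from the APK Signing Block, or [] if there is none (v1-only APK)."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    # The block sits directly before the Central Directory and ends with
    # uint64 size (everything after the leading size field) + 16-byte magic.
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    block_start = cd_offset - 8 - size
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs = []
    pos, end = block_start + 8, cd_offset - 24
    while pos < end:                      # uint64 length, uint32 id, value
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        pos += 8
        if pair_len < 4 or pos + pair_len > end:
            raise ValueError("malformed ID-value pair in APK Signing Block")
        block_id = struct.unpack_from("<I", data, pos)[0]
        pairs.append((block_id, data[pos + 4:pos + pair_len]))
        pos += pair_len
    return pairs


def scan_apk(data: bytes) -> Tuple[List[Tuple[int, str, int]], bool]:
    """Return ([(id, name, value_length), ...], dependency_info_block_present)."""
    blobs = parse_signing_block(data)
    report = [(bid, KNOWN_BLOCK_IDS.get(bid, "unknown"), len(val)) for bid, val in blobs]
    return report, any(bid == DEPENDENCY_INFO_BLOCK_ID for bid, _ in blobs)


def build_signing_block(pairs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble an APK Signing Block from (id, value) pairs (used for the constructed test APK)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def build_fake_apk(pairs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed stand-in for an APK: dummy entries, optional signing block, dummy CD, EOCD.
    Not a valid ZIP and carries no real signature; only the Central Directory layout matters."""
    entries = b"PK\x03\x04" + b"\x00" * 60       # stands in for local file headers and data
    central_dir = b"PK\x01\x02" + b"\x00" * 42   # stands in for central directory entries
    sig_block = build_signing_block(pairs) if pairs else b""
    cd_offset = len(entries) + len(sig_block)
    eocd = EOCD_SIGNATURE + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central_dir), cd_offset, 0)
    return entries + sig_block + central_dir + eocd


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # a real APK, e.g. the release build under review
            data = f.read()
    else:                                    # constructed sample: v2-signed plus the Play blob
        data = build_fake_apk([(0x7109871A, b"\x00" * 32), (DEPENDENCY_INFO_BLOCK_ID, b"\x01" * 16)])
    report, flagged = scan_apk(data)
    for bid, name, length in report:
        print(f"0x{bid:08x}  {name}  ({length} bytes)")
    print("DEPENDENCY_INFO_BLOCK present:", flagged)
```

Run it as `python3 scan_sigblock.py app-foss-release.apk` before and after the `dependenciesInfo` change: the `0x504b4453` line should disappear while the v2/v3 scheme blobs stay. Unknown IDs are reported as such rather than ignored, since an opaque blob of any ID is the "hidden payload" case IzzySoft's link describes.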

IzzySoft commented 10 months ago

Thanks for filling in the missing piece on signing for me! And of course for checking on that permission!

> I assumed you might have some sort of automation script running for interesting projects

I do have one, but it ignores forks – intentionally, as there are far too many abandoned and otherwise useless forks which would blow up the result list beyond being useful. So I'm happy when being pointed to useful ones – or even essential ones like yours!

> I'll notify you when the next app is available and when I update the description format.

Thanks, much appreciated! And in less than an hour, the "green suite" will have 5 apps in my repo :star_struck: As discussed earlier, those will also be marked for "keep" once they show up at F-Droid.org. And you can already pick a badge for their README linking to their page in my repo if you wish :smiley: