More-Than-Solitaire / Tabs-Lite

An ad-free open source guitar tablature application using an existing popular tabs database. Built for speed and simplicity.
Apache License 2.0

v3.0.0 is unusable #83

Closed ppagdev closed 2 months ago

ppagdev commented 5 months ago

OS: GrapheneOS (Android 14)

For starters, I can't update the app to ^3.0.0 because of a "package conflict", which from my understanding likely means you changed the package name. Maybe not but I digress.

After uninstalling the app and then installing the latest version the installation does finish successfully. However, the app icon is not on my launcher/app drawer and I can't open it from anywhere else either. Upon trying to open the app nothing happens, at least nothing that I can see.

Reverting back to an earlier version is the only way I've found to be able to use the app. Which is a shame because this update sounds exactly like what this app was missing.

I may be doing something wrong here, so I apologize if that's the case.

Thanks in advance!

looowizz commented 5 months ago

Hi!

I'm very new to Android development, but I was looking at this and did a quick search. I found this StackOverflow post and changed these lines in the AndroidManifest.xml file and rebuilt the app in Android Studio, which seemed to fix this issue on my device:

<intent-filter>
    <action android:name="android.intent.action.MAIN" />
    <category android:name="android.intent.category.LAUNCHER" />
    <data android:scheme="https" android:host="tabslite.com" />
</intent-filter>

to this:

<intent-filter>
    <action android:name="android.intent.action.MAIN" />
    <category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
<intent-filter>
    <data android:scheme="https" android:host="tabslite.com" />
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
</intent-filter>

Hopefully this helps the dev!

ppagdev commented 5 months ago

Hopefully the comment above helps, yes! Regardless I've found that the issue is specific to v3.0.0 on github releases. The latest version of the app on Google's app repository works well and doesn't display this issue. So it seems the best way to handle this would simply be to keep the github release up to date with the play store release, or to clearly state somewhere, such as the github readme or using the tag feature in github releases, for example, that the github version is not the latest version.

IzzySoft commented 5 months ago

because of a "package conflict"

It seems the signing key was changed from a debug key (previous version) to a proper release key (current version):

Previous version:

Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 12a66f5c7295fa228d891b3c2cb813de98ea217f697764bed80f2b9b0bde1082
Signer #1 certificate SHA-1 digest: 4558974971ca09259b9973ff92884db467465856
Signer #1 certificate MD5 digest: 567e580fd94d44cb14b6e62b7a93c6bf
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 4096

Current version:

Signer #1 certificate DN: CN=Caleb Gregory, OU=TabsLite, O=More Than Solitaire, L=Bloomington, ST=MN, C=01
Signer #1 certificate SHA-256 digest: 49805b385aa97f725a3722d3d195de84a376104aad26bdfb08d52a59cbcb9747
Signer #1 certificate SHA-1 digest: efac615d3ed217a59a4ac5c9c0f4cac57992e4de
Signer #1 certificate MD5 digest: 29aa3fde909b0c739e4336b6b404806f
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

@cullub can you confirm – and add it to the notes on the release? Also, given the above, should I wait with taking this release into my repo until the above has been verified?

cullub commented 5 months ago

Hi there,

Yes, please wait to include this till I've confirmed this. It'll be a while though since I'm out of town. If you do end up including changes early, the latest version is actually a more updated version than 3.0.0, I just haven't updated the GitHub release yet. You should be able to build yourself if you'd like or I'll update that release when I get to investigating this as well.

Thanks,

Caleb

cullub commented 5 months ago

Also if anyone wants to try out the actual latest in the repo, feel free to install the latest version from Google Play. There were definitely some bugs in 3.0.0 due to the major rewrite (still a couple minor ones in the latest) and I forgot to update the GitHub release when I finished fixing most of them. Sorry about that!

IzzySoft commented 5 months ago

Yes, please wait to include this till I've confirmed this.

Will do. Feel free to give me a ping when done. Your app is set to monthly update-check with my repo currently, so I might come back here after the next run on 2024-03-01 should I have not heard from you. Before I adjust the config here, the update will be rejected anyway as the signature does not match (certificate is "pinned" here), so it won't "go live" by itself :wink:

IzzySoft commented 4 months ago

Updater yelled again (monthly update kicked in), so I kindly ask if there's any news on this, @cullub?

IzzySoft commented 2 months ago

@cullub any news? Next step would be disabling update check here completely; I don't want to have this pop up every month here :wink:

cullub commented 2 months ago

Hi there @IzzySoft @Lewis719 @ppagdev ! Thanks for your patience -- good news! I just created a draft release of v3.4.1 here: https://github.com/More-Than-Solitaire/Tabs-Lite/releases/tag/v3.4.1. It should be good to go but I'm doing some internal testing this time before publishing the release, like I should've done last time.

The certificate will be the release certificate, which I guess is different than the previous one I used here on GitHub. It'll be the same certificate as the v3.0.0 build.

IzzySoft commented 2 months ago

Ah, light at the horizon – thanks! Cert seems to be the one pointed out above, so this looks good from that point. Waiting for your "go" then, which hopefully will come before this month is up and my updater fetches "something else" again as it skips pre-releases :see_no_evil:

IzzySoft commented 2 months ago

I take it the "closure notification" is intended to be the confirmation you've mentioned?

IzzySoft commented 2 months ago

OK, taking a closer look…

! repo/com.gbros.tabslite_3430.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

That can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Next: signing key is 49805b385aa97f725a3722d3d195de84a376104aad26bdfb08d52a59cbcb9747 as listed above. Currently pinned key is 12a66f5c7295fa228d891b3c2cb813de98ea217f697764bed80f2b9b0bde1082 however, so the update won't be accepted – and even if I change to the new key, everybody would have to uninstall and reinstall the app as direct updates wouldn't be permitted. Which can't be helped, alright: we must get away from that old Google key – so once we switch to that I'll add a proper release note on my end.

Now, to confirm the new key is legit, could you please take the very same APK, signed with the previous (Google) key, and make it available e.g. here at the issue so I can compare? For background on the procedure of switching keys, please see How to keep your key safe and what measures to take for the event of loss?

Thanks!

cullub commented 2 months ago

I take it the "closure notification" is intended to be the confirmation you've mentioned?

Yep!

Happy to update that dependency blob issue. Seems pretty simple so I'll just do that and bump the bugfix version.

I honestly don't remember how I generated the APK with that old key. I thought I used the same process (Android Studio Build > Generate Release Build or something along those lines) both times.

IzzySoft commented 2 months ago

Thanks for the update – and for taking care of that blob! So for "making sure it's you" and hence the key-switch being legit: can you provide two APKs built from the same commit, one signed with the old and the other with the new key, so I can use the reproducible build tools to compare? Of course only needed if I understood correctly that the last build uses the correct key, and not that the switch was an accident. In the latter case just let me know when the correct APK is up :wink:

cullub commented 2 months ago

Ah I see, I must've downloaded the Google Play APK and published that rather than publishing directly from my own build. I've attached the current build from Google Play which I think is what you're looking for.

3430.zip

IzzySoft commented 2 months ago

Sorry, those two don't match up. I bet you've uploaded the AAB to PlayStore? That results in a quite different APK. But yeah, the signature of that matches the one from the APKs in my repo.

Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 12a66f5c7295fa228d891b3c2cb813de98ea217f697764bed80f2b9b0bde1082
Signer #1 certificate SHA-1 digest: 4558974971ca09259b9973ff92884db467465856
Signer #1 certificate MD5 digest: 567e580fd94d44cb14b6e62b7a93c6bf
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 4096

As you've let Google create the key for you, you probably have no chance to use that key yourself for signing as they won't let you have it. So comparison cannot be done this way. Your commits are not signed, so that cannot be used for confirmation either. You're also the only committer as far as I can see, so no other contributor who can vouch. So what is left that we can use to make sure?

I strongly recommend you start signing your commits (and then sign every commit), so there's at least something for the future. And also to get a proper SSL cert for your website (which currently uses a self-signed one); thanks to organizations like LetsEncrypt that's not too difficult to achieve (oh, if one accepts that cert, the only thing showing up is a "Site not found"? OK, then this seems obsolete; I was hoping to find something for confirmation from your org's website; your org's account here at Github who owns this repo states "Check out our website at morethansolitaire.org.", so maybe you get that fixed, too :wink:).

cullub commented 2 months ago

Yeah lol sorry that website never really got finished and then I gave up on that to work on something else. I could always shoot you an email from the @morethansolitaire.org domain (or the @tabslite.com domain if you'd like) since I run that too.

And yes, I uploaded the .aab to the play store so I guess that wouldn't work, sorry! I'll look into signing commits and maybe if we're lucky I'll get that website back up at some point (but don't hold your breath for now).

IzzySoft commented 2 months ago

Yes, please do that. Can't hurt doing it from both, so we at least have a "surface check" in place. You can get my address multiple ways; easiest is probably combining the facts you see when hovering over my avatar with your mouse (or check my accounts page here): <nickname (the short one)> at <accountname (the longer one)> dot DE (the country named there) :wink: Please include the package name of your app (and maybe a link to this issue), so I can connect things easier and faster.

And it's not that I don't trust you – it's just that I cannot know it's really you :wink: Which those mails would help with. Thanks!

cullub commented 2 months ago

Just sent. And no worries, I get it!

IzzySoft commented 2 months ago

Received both copies, thanks! Initializing the transition now, stay tuned…

IzzySoft commented 2 months ago

$ iod repo get com.gbros.tabslite
com.gbros.tabslite: looking for 'https://api.github.com/repos/More-Than-Solitaire/Tabs-Lite/releases'
com.gbros.tabslite: checking tag 'v3.4.3'
com.gbros.tabslite: lastRelNo set to '3.4.3', checking for files
com.gbros.tabslite: Upstream file date (2024-04-06 17:46) is newer than ours (2022-02-21 01:00).
com.gbros.tabslite: returning ['3.4.3','https://github.com/More-Than-Solitaire/Tabs-Lite/releases/download/v3.4.3/TabsLite.v3.4.3.apk',1712418400]
com.gbros.tabslite: 2.3.0/3.4.3, https://github.com/More-Than-Solitaire/Tabs-Lite/releases: https://github.com/More-Than-Solitaire/Tabs-Lite/releases/download/v3.4.3/TabsLite.v3.4.3.apk
- Grabbing update for com.gbros.tabslite: OK
- Checking 'repo/com.gbros.tabslite_3430.apk' for libraries and malware …
- Checking the app's AndroidManifest.xml …
! repo/com.gbros.tabslite_3430.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
com.gbros.tabslite: check if repo contains FUNDING.yml
com.gbros.tabslite: looking for 'https://api.github.com/repos/More-Than-Solitaire/Tabs-Lite/contents/.github'
com.gbros.tabslite: Github reports "Not Found" for https://api.github.com/repos/More-Than-Solitaire/Tabs-Lite/contents/.github
com.gbros.tabslite: looking for 'https://api.github.com/repos/More-Than-Solitaire/Tabs-Lite/contents/'
com.gbros.tabslite: looking for 'https://api.github.com/repos/More-Than-Solitaire/.github/contents/'
com.gbros.tabslite: no FUNDING.yml detected.
com.gbros.tabslite: no Fastlane configured, skipping Fastlane check.

Hm… Maybe you can address that DEPENDENCY_INFO_BLOCK with a future release?

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

MaintainerNotes:
  AppAdded: 2022-01-02
  Todo: 2024-05-20 remove 2300.apk and signing key 12a66f
  Method: github-release
  GHSki--Pre: 1
  Status:
    - 2023-07-13 UCM Tags => Static (last release 2/2022, last commit 12/2022)
    - 2024-02-01 new release but signed with a different key. Added question to the related issue at https://github.com/More-Than-Solitaire/Tabs-Lite/issues/83
    - 2024-04-20 new signing key SHA-256 confirmed via both official mail addresses today (see the issue for details), UCM Static => Tags as regular releases are in place again

AllowedAPKSigningKeys:
  - 12a66f5c7295fa228d891b3c2cb813de98ea217f697764bed80f2b9b0bde1082
  - 49805b385aa97f725a3722d3d195de84a376104aad26bdfb08d52a59cbcb9747

(UCM Static means UpdateCheckMode set to monthly as the source seems to be "Static", i.e. rarely updated).

metadata/com.gbros.tabslite/en-US/changelogs/3430.txt:

signing key was changed, so to update from a previous version you will need to uninstall the app, then reinstall it freshly.

OK, all done. Result:

(screenshot of the result)

Nice thingy with the per-release changelogs, huh? Maybe you want to set up fastlane structures here in your repo, so those would be checked and pulled together with each release? I can send you a PR with what's set up here currently, so you can build upon that. And for orientation, be welcome to my Fastlane Cheat Sheet :smiley:

Oh, another keyword you might have seen in the update log above: FUNDING.yml. In case it would apply to you.
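A check for that DEPENDENCY_INFO_BLOCK, added here as an example (it is neither IzzySoft's updater nor the project's own code): it walks the ID-value pairs of the APK Signing Block that sits right before the zip central directory and flags the 0x504b4453 ID from the log above. The sample APK is constructed in-line (a one-file zip with a synthetic signing block); the v2 signature ID 0x7109871A is only used to populate that sample.

```python
import struct
import zipfile
from io import BytesIO

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
DEPENDENCY_INFO_BLOCK = 0x504B4453  # block ID flagged in the updater log above
V2_SIGNATURE_BLOCK = 0x7109871A     # APK Signature Scheme v2 (only for the sample)


def signing_block_ids(apk_bytes: bytes) -> list:
    """Return the IDs of every ID-value pair in the APK Signing Block ([] if absent)."""
    eocd = apk_bytes.rfind(b"PK\x05\x06")          # End of Central Directory record
    if eocd < 0:
        raise ValueError("not a zip/APK file")
    cd_offset = struct.unpack_from("<I", apk_bytes, eocd + 16)[0]
    # Block layout: size(u64) | pairs | size(u64) | magic(16); it ends where the CD starts
    if cd_offset < 24 or apk_bytes[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", apk_bytes, cd_offset - 24)[0]  # excludes leading u64
    pos, end, ids = cd_offset - size, cd_offset - 24, []
    while pos < end:
        pair_len, pair_id = struct.unpack_from("<QI", apk_bytes, pos)  # len covers ID+value
        ids.append(pair_id)
        pos += 8 + pair_len
    return ids


def has_dependency_info_block(apk_bytes: bytes) -> bool:
    """True if the APK carries Google's encrypted DEPENDENCY_INFO_BLOCK."""
    return DEPENDENCY_INFO_BLOCK in signing_block_ids(apk_bytes)


def build_sample_apk(block_ids) -> bytes:
    """Constructed sample (not a real app): a one-file zip plus a signing block
    whose pairs carry the given IDs and 8 bytes of dummy value each."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = buf.getvalue()
    eocd = data.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + 8, i) + b"\x00" * 8 for i in block_ids)
    size = len(pairs) + 8 + 16                       # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + eocd_rec
```

On a real APK, call `has_dependency_info_block(open(path, "rb").read())`; a True result means the build still ships the opaque blob and the dependenciesInfo settings above have not taken effect.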

cullub commented 2 months ago

Yeah having a PR to get me started would be helpful, otherwise it'll be a while till I get around to that most likely! Yay, glad we got it figured out! Yep, I'm working on the BLOB issue, but I'm also trying to add a (much requested) import/export feature as well. I'll look into the funding.yml as well. Thanks!

cullub commented 2 months ago

FYI I added a new issue for the fastlane stuff so I can track it: https://github.com/More-Than-Solitaire/Tabs-Lite/issues/105

IzzySoft commented 2 months ago

Thanks! Will prepare the PR then (and reference the other issue, before this one here gets too long).