Open IzzySoft opened 1 month ago
PS: getting further down the report, I see there are multiple more issues, keeping the update from showing up and being accepted. First, it seems like the signing key changed. Previous version had:
Signer #1 certificate DN: CN=Cameron Ryan-Pears, O=The Cacophony Project, L=Christchurch, ST=Canterbury, C=NZ
Signer #1 certificate SHA-256 digest: 4f916c7158295371b8c983bd3207a5ad2adc171c6c80c19e87d566d3c54e0e7e
Signer #1 certificate SHA-1 digest: a7998c1e2a674c21fa04ba875bf7f694615b01a1
Signer #1 certificate MD5 digest: 478db086efb890cd944faf8c3fff3cae
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Current version has:
Signer #1 certificate DN: O=The Cacophony Project
Signer #1 certificate SHA-256 digest: 13c580e2d6f19d636be2785d82d3a12c0dc43d15185b8a54197e618d8188b2e5
Signer #1 certificate SHA-1 digest: dbbf9a8b639a251ff4d1f3271e5ff509e9a56334
Signer #1 certificate MD5 digest: f11f5fcb8193efebf7d997c7e224d2af
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
That makes Android reject the update (and my repo does the same, as signing keys are pinned there). Looking for an explanation, I checked the releases – no comment there. So I checked its commit – and oops, that commit is not there either: the source code is missing:
So this release was dropped. Btw, it seems the app was dropped from F-Droid altogether, their badge in your Readme points to a 404 page.
Nice to see a new update! My scanner just reported on it:
RECORD_AUDIO and the location permissions are clear. But could you please clarify what READ_PHONE_STATE and storage (app requests WRITE_EXTERNAL_STORAGE, so READ_EXTERNAL_STORAGE is granted implicitly) are needed for?
As for DEPENDENCY_INFO_BLOCK, that can easily be avoided:
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
While on it: it would be great if there could be a FOSS build flavor coming without the proprietary components – especially without those not needed for the app's functionality, like Crashlytics and Firebase Analytics. Any plans for that? Thanks in advance!
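The signer comparison made in the post above, as an added example (not part of the original issue or of the project's code): it parses signer reports in the format quoted there and applies a simplified pin check. The function names are hypothetical, and the exact-match rule is an assumption that ignores APK Signature Scheme v3 key rotation.

```python
import re

# Lines copied from the two signer reports quoted in the post (SHA-1/MD5 omitted).
PREVIOUS = """\
Signer #1 certificate DN: CN=Cameron Ryan-Pears, O=The Cacophony Project, L=Christchurch, ST=Canterbury, C=NZ
Signer #1 certificate SHA-256 digest: 4f916c7158295371b8c983bd3207a5ad2adc171c6c80c19e87d566d3c54e0e7e
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
"""
CURRENT = """\
Signer #1 certificate DN: O=The Cacophony Project
Signer #1 certificate SHA-256 digest: 13c580e2d6f19d636be2785d82d3a12c0dc43d15185b8a54197e618d8188b2e5
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
"""

FIELD = re.compile(r"^Signer #(\d+) (.+?): (.*)$")
SHA256 = "certificate SHA-256 digest"

def parse_signers(report):
    """Map signer number -> {field name: value} for each 'Signer #N ...' line."""
    signers = {}
    for line in report.splitlines():
        m = FIELD.match(line.strip())
        if m:
            signers.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return signers

def cert_digests(report):
    """Lower-cased SHA-256 certificate digests of all signers in the report."""
    return {s[SHA256].lower() for s in parse_signers(report).values() if SHA256 in s}

def check_update(pinned_report, candidate_report):
    """Simplified pin check (assumption: signer sets must match exactly)."""
    pinned, candidate = cert_digests(pinned_report), cert_digests(candidate_report)
    if not pinned or not candidate:
        return "unverifiable"  # fail closed when no digest could be parsed
    return "accept" if pinned == candidate else "reject"

def changed_fields(old_report, new_report, signer=1):
    """Names of the fields that differ for one signer, to explain a rejection."""
    old = parse_signers(old_report).get(signer, {})
    new = parse_signers(new_report).get(signer, {})
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))

if __name__ == "__main__":
    print(check_update(PREVIOUS, CURRENT), changed_fields(PREVIOUS, CURRENT))
```

The key algorithm and size are identical in both reports, so only the certificate fields reveal the change.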