VirtCode / SmartMouse

use your smartphone as a normal computer mouse
GNU General Public License v3.0

Sign Releases #6

Closed VirtCode closed 6 months ago

VirtCode commented 9 months ago

The built APKs on the releases page should be signed with a proper key (not a debug key). Additionally these builds should not have the debug flag enabled.

IzzySoft commented 7 months ago

I second this. For some background, please see:

As you've already self-assigned this (err, I just see: self-reported even), @VirtCode – is there any ETA for a properly signed APK? Asking as your app is listed in my repo. Thanks for taking care!

VirtCode commented 7 months ago

I've actually planned to do some work on this next week, so I'll also do this first then. An ETA would thus be some time next week, probably around Monday or Tuesday.

VirtCode commented 7 months ago

It took a bit longer than expected but the new releases should now be signed with my release key. I've also created a proper new release containing the few small bug fixes since the last version. You can find the built binary here.

Let me know if you still need a build with the debug key or something similar (although I think I might have already accidentally signed previous APKs with different keys?).

Btw, I also uploaded some rudimentary screenshots to the repository, so the listing in your repo wouldn't look as empty.

IzzySoft commented 6 months ago

Thanks, that looks a lot better! I've pulled that in and added the certificate hash to the "allow list" for your app (will drop the old one in a month, removing older APKs along). Now the only things my scanner complains about are:

! repo/ch.virt.smartphonemouse_5.apk declares sensitive permission(s): android.permission.ACCESS_FINE_LOCATION
! repo/ch.virt.smartphonemouse_5.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

May I ask what ACCESS_FINE_LOCATION is needed for? I have a vague idea, but prefer hearing from you :wink: As for DEPENDENCY_INFO_BLOCK, that's easy to get rid of:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

VirtCode commented 6 months ago

The ACCESS_FINE_LOCATION permission is required to discover Bluetooth devices on Android 11 or lower. The app needs to discover devices in order to connect to unpaired devices. On newer versions there are different permissions for that, but I currently want to keep supporting Android 9-11 for a while.

As for that signature block, I've rebuilt the app locally with the fix and uploaded a new binary to the current release.

VirtCode commented 6 months ago

I've seen that version 1.4.1 is available in the repository (though still with the signature blob, but that's not very important), so I think I can close this as completed. Thank you so much for having my app in your repository!

IzzySoft commented 6 months ago

still with the signature blob, but that's not very important

Well, I'd say it should not be ignored: it's a blob and we cannot look inside, so who can tell what is in there? See this POC (which we recently expanded), one can put anything into such signing block blobs and it would go mostly undetected.

But looking at your build.gradle I see you've disabled it. Looking at the release, it seems you've replaced the existing APK so maybe my updater just got the previous one. Confirmed by downloading and checking the currently attached one; so with the next release the blob should be gone then.

Looking again: that APK was already replaced in my repo, strange. (checks code) Ah, thanks for discovering a bug in my code :see_no_evil: Fixed, now a rescan also removes this when it was there before. :rofl:

Thank you so much for having my app in your repository!

Gladly! I thank you for providing it, and for caring! :star_struck:
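The two comments above about the `0x504b4453` DEPENDENCY_INFO_BLOCK (the `dependenciesInfo` fix and the later point that an opaque blob in the signing block cannot be inspected) can be checked on a built APK without any Android tooling. The script below is an added example and is not code from the SmartMouse project or from IzzySoft's scanner; it walks the APK Signing Block (the `APK Sig Block 42` structure that apksigner places in front of the ZIP central directory), lists every ID-value pair it finds, and flags the dependency-info ID. To run offline it also builds a constructed, unsigned test APK with a hand-made signing block; the block IDs in `KNOWN_BLOCK_IDS` are the publicly documented ones, while `build_apk`, `audit` and `has_dependency_info_block` are helper names chosen here.

```python
"""List the ID-value pairs inside an APK's Signing Block and flag DEPENDENCY_INFO_BLOCK.

Added example (not project code). Layout of the APK Signing Block, placed
immediately before the ZIP central directory:
    uint64 size_of_block            (excludes this field)
    repeated: uint64 pair_len, uint32 id, value[pair_len-4]
    uint64 size_of_block            (same value again)
    byte[16] "APK Sig Block 42"
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # the ID reported by the scanner above

KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x42726577: "verity padding",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK (Google-encrypted dependency metadata)",
}


def find_central_directory_offset(apk: bytes) -> int:
    """Locate the End Of Central Directory record and read the CD offset from it."""
    eocd = apk.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("no End of Central Directory record: not a ZIP/APK")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries(2) total(2) cd_size(4) cd_offset(4) ...
    return struct.unpack_from("<I", apk, eocd + 16)[0]


def parse_signing_block(apk: bytes) -> dict[int, bytes]:
    """Return {block_id: raw_value} for every pair in the APK Signing Block ({} if absent)."""
    cd_offset = find_central_directory_offset(apk)
    # The 24-byte footer (size + magic) sits directly before the central directory.
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}  # v1-only (JAR-signed) or unsigned APK: no signing block at all
    size_of_block = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    block_start = cd_offset - size_of_block - 8  # account for the leading size field
    if block_start < 0 or struct.unpack_from("<Q", apk, block_start)[0] != size_of_block:
        raise ValueError("inconsistent size fields in APK Signing Block")
    pairs: dict[int, bytes] = {}
    pos, end = block_start + 8, cd_offset - 24  # pairs live between the two size fields
    while pos < end:
        pair_len = struct.unpack_from("<Q", apk, pos)[0]
        pos += 8
        if pair_len < 4 or pos + pair_len > end:
            raise ValueError("malformed ID-value pair in APK Signing Block")
        block_id = struct.unpack_from("<I", apk, pos)[0]
        pairs[block_id] = apk[pos + 4:pos + pair_len]
        pos += pair_len
    return pairs


def audit(apk: bytes) -> list[str]:
    """Human-readable list of block IDs; unknown IDs are exactly the opaque blobs to worry about."""
    return [f"0x{bid:08x} {KNOWN_BLOCK_IDS.get(bid, 'UNKNOWN - opaque blob')}"
            for bid in parse_signing_block(apk)]


def has_dependency_info_block(apk: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK_ID in parse_signing_block(apk)


def build_apk(extra_blocks: dict[int, bytes]) -> bytes:
    """Construct a tiny test APK with a hand-made signing block (constructed data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder manifest>")
    zipped = buf.getvalue()
    cd_offset = find_central_directory_offset(zipped)
    body = b"".join(struct.pack("<Q", 4 + len(v)) + struct.pack("<I", bid) + v
                    for bid, v in extra_blocks.items())
    size_of_block = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = (struct.pack("<Q", size_of_block) + body
             + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)
    patched = bytearray(zipped[:cd_offset] + block + zipped[cd_offset:])
    # The central directory moved by len(block); fix the offset stored in the EOCD.
    eocd = zipped.rfind(EOCD_SIGNATURE) + len(block)
    struct.pack_into("<I", patched, eocd + 16, cd_offset + len(block))
    return bytes(patched)


if __name__ == "__main__":
    sample = build_apk({0x7109871A: b"\x00" * 16, DEPENDENCY_INFO_BLOCK_ID: b"opaque"})
    for line in audit(sample):
        print(line)
    print("dependency info block present:", has_dependency_info_block(sample))
```

Point `parse_signing_block` at a real APK (`audit(open("app-release.apk", "rb").read())`) to reproduce the scanner finding. The script only enumerates block IDs; it does not verify the signatures themselves, so pair it with `apksigner verify --print-certs` when checking that a release was signed with the expected release key rather than a debug key, which was the original point of this issue.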