Xposed-Modules-Repo / com.github.dan.nostoragerestrict

NoStorageRestrict
https://github.com/Xposed-Modules-Repo/com.github.dan.nostoragerestrict
GNU General Public License v3.0

signing issues #11

Closed IzzySoft closed 6 months ago

IzzySoft commented 6 months ago

Looks like you've changed the signing keys. Signing certificate for the previous release:

Signer #1 certificate DN: C=an, ST=an, L=an, O=an, OU=an, CN=an
Signer #1 certificate SHA-256 digest: f6964f5776ca4124d606b3acdb25be3748deebb60625d7127ab14e7c7e21bd37
Signer #1 certificate SHA-1 digest: c434cfddda4365ca4f6f10cc45548d50eb24db92
Signer #1 certificate MD5 digest: 3f205b841becebb94a8673777d66de78
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

Signing cert for the current release:

Signer #1 certificate DN: C=dn, ST=dn, L=dn, O=dn, OU=dn, CN=dn
Signer #1 certificate SHA-256 digest: 551353d4e096d5d117fc322dbfed42c5ae7c8f26ac1009a13edc0f39f80b4c8c
Signer #1 certificate SHA-1 digest: c0776bfa84f548004e06223b5e64ffb77e29f5dd
Signer #1 certificate MD5 digest: 3ed0eb8b62e9b0ceea8092372b180f81
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

Note that the hashes differ. Due to that, updates from a previous release are not possible: Android will reject the APK.

I couldn't find any note for this in the release notes. Could you please check what happened, and fix this issue? Thanks in advance!
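The comparison described in the comment above, as an added example that is not part of the original thread or the project's code: it parses `apksigner verify --print-certs` style output for two releases and reports whether the signer certificate set changed. The sample text is copied from the issue (trimmed to four lines per release); the function names are hypothetical, and the check assumes plain set equality of SHA-256 digests, without considering APK Signature Scheme v3 key-rotation lineage.

```python
import re

# Certificate lines quoted in the issue above (key algorithm/size lines trimmed).
PREVIOUS = """\
Signer #1 certificate DN: C=an, ST=an, L=an, O=an, OU=an, CN=an
Signer #1 certificate SHA-256 digest: f6964f5776ca4124d606b3acdb25be3748deebb60625d7127ab14e7c7e21bd37
Signer #1 certificate SHA-1 digest: c434cfddda4365ca4f6f10cc45548d50eb24db92
Signer #1 certificate MD5 digest: 3f205b841becebb94a8673777d66de78
"""
CURRENT = """\
Signer #1 certificate DN: C=dn, ST=dn, L=dn, O=dn, OU=dn, CN=dn
Signer #1 certificate SHA-256 digest: 551353d4e096d5d117fc322dbfed42c5ae7c8f26ac1009a13edc0f39f80b4c8c
Signer #1 certificate SHA-1 digest: c0776bfa84f548004e06223b5e64ffb77e29f5dd
Signer #1 certificate MD5 digest: 3ed0eb8b62e9b0ceea8092372b180f81
"""

# Only the DN and the SHA-256 digest are used; SHA-1/MD5 lines do not match.
LINE = re.compile(r"^Signer #(\d+) certificate (DN|SHA-256 digest): (.+)$")

def parse_signers(text):
    """Return {signer_number: {"dn": ..., "sha256": ...}} from apksigner output."""
    signers = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        num, field, value = int(m.group(1)), m.group(2), m.group(3).strip()
        if field == "DN":
            signers.setdefault(num, {})["dn"] = value
        else:
            signers.setdefault(num, {})["sha256"] = value.lower()
    return signers

def compare_releases(old_text, new_text):
    """Compare the SHA-256 certificate digest sets of two releases."""
    old_set = {s["sha256"] for s in parse_signers(old_text).values() if "sha256" in s}
    new_set = {s["sha256"] for s in parse_signers(new_text).values() if "sha256" in s}
    if not old_set or not new_set:
        raise ValueError("no SHA-256 certificate digest found in apksigner output")
    return {
        "same_signers": old_set == new_set,   # False means an in-place update is rejected
        "removed": sorted(old_set - new_set), # certificates that signed only the old release
        "added": sorted(new_set - old_set),   # certificates that signed only the new release
    }

if __name__ == "__main__":
    print(compare_releases(PREVIOUS, CURRENT))
```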

DanGLES3 commented 6 months ago

In short, due to carelessness I've lost the old signing key, legit embarrassing tbh. I apologize for the issue and added a disclaimer on version 4.

IzzySoft commented 6 months ago

Oof… so no way to verify it's really you, and not someone having taken over your repo? Unfortunately, you didn't sign your commits with your own key, so if someone had taken over, those signatures from GitHub would look just the same…

Do we have some way to verify? For some background, please see "How to keep your key safe and what measures to take for the event of loss?"

(I'm AFK for the holidays, so my next reply will be delayed)

DanGLES3 commented 6 months ago

Yeah, truly sorry about that

DanGLES3 commented 6 months ago

Unfortunately, due to my carelessness with these things, I've got no way to verify my authorship over these commits and releases; the best I can do is keep the source open and not commit the same mistake again.

I'm a very amateurish developer and I've had no knowledge of signing things with GPG keys.

IzzySoft commented 6 months ago

> I've had no knowledge of signing things with GPG keys

That's really not too hard to do, and I'd really recommend you giving it a try. Here's a tutorial for this (the git book is a good reference to keep 😉).

So can we agree you'll take good care for your current keystore from now on, and at least take a look if you could pick up signing? Then I could pick up from there again this one time, despite the missing proof, as an exception (I usually don't do that).

DanGLES3 commented 6 months ago

Yes, I promise to sign my commits and take care of my keystore from now on

IzzySoft commented 6 months ago

OK, I've updated the config on my end accordingly, thanks!