cagnulein / QZCompanionNordictrackTreadmill

Companion App of QZ for Nordictrack Treadmills and Bikes
https://www.qzfitness.com/
GNU Affero General Public License v3.0

certificate issue #61

Closed IzzySoft closed 4 months ago

IzzySoft commented 10 months ago

What happened to your signing key, @cagnulein? My updater just rejected your latest APK:

"org.cagnulein.qzcompanionnordictracktreadmill_84.apk" is signed by a key that is not allowed: cf44dcb5ef1e1231bddd4194a4b8b245d1aec5cb217affba0414cb1ea5bf326d

Looks like you switched to a (different) debug key. Unfortunately you also forgot to increase versionCode, so the wrongly signed APK replaced the correct one, in effect making your app invisible in my repo as if it were not listed.

For details on the certificate check, please see How to keep your key safe and what measures to take for the event of loss? (https://f-droid.org/2023/09/03/reproducible-builds-signing-keys-and-binary-repos.html#lessons-learned-2-how-to-keep-your-key-safe-and-what-measures-to-take-for-the-event-of-loss)

cagnulein commented 10 months ago

Strange, the APK is built by the CI here on GitHub. I will check it.


IzzySoft commented 10 months ago

Hope the CI doesn't create a new cert on each run? I've enabled strict checking in my repo only recently, must have been shortly after your last release before the current one. Pretty much looks like that's the case:

3.4

Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: dc50eabd6ffdfe074ab34dbab84f14c387eb515727e55869ec20294c6b9bdc30
Signer #1 certificate SHA-1 digest: c48df6ea3b1f163c64410a844f7fa33d38a1cf13
Signer #1 certificate MD5 digest: 67595633c68496686e6955871d111b82
Signer #1 key algorithm: RSA

3.5

Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: 1d54590357354bb2f65018ef785386d9bbb402c45b38fc310136b83340a54d80
Signer #1 certificate SHA-1 digest: 99c2d0c5f1116cf4e44d23ba2b461787cb4ed319
Signer #1 certificate MD5 digest: 86f94417ddf4544e45c0a75a50b2e730
Signer #1 key algorithm: RSA

3.6

Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: cf44dcb5ef1e1231bddd4194a4b8b245d1aec5cb217affba0414cb1ea5bf326d
Signer #1 certificate SHA-1 digest: bc27fcecdbfe77375ac2172be752f5be1533ac92
Signer #1 certificate MD5 digest: 9865386893c85e5cb72f990957865338
Signer #1 key algorithm: RSA

That makes updates impossible for the average Jane & Joe.

Btw: any plans to switch to a release key, and drop the debug flag?
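To make the repo-side check concrete, here is an added example (not code from IzzySoft's updater or from this project) that parses `apksigner verify --print-certs`-style signer lines like the three quoted above and applies the strict rules discussed in this thread: reject a signer digest that is not the pinned one, flag an Android debug certificate, and flag a reused versionCode that would overwrite an already published APK. The pinned digest (3.4's key), the per-release versionCode values and the function names are assumptions made for the example; only the digests and the "_84" in the APK name come from the issue.

```python
import re
from dataclasses import dataclass

# Matches the DN and SHA-256 lines of `apksigner verify --print-certs` output
SIGNER_RE = re.compile(r"^Signer #\d+ certificate (DN|SHA-256 digest): (.+)$")

@dataclass
class Release:
    version_name: str
    version_code: int   # constructed values; only 84 (from the "_84" APK name) appears in the issue
    signer_output: str  # apksigner-style lines as quoted in the issue

def parse_signer(output: str) -> dict:
    """Return {'DN': ..., 'SHA-256 digest': ...} for the first signer found."""
    info = {}
    for line in output.strip().splitlines():
        m = SIGNER_RE.match(line.strip())
        if m and m.group(1) not in info:
            info[m.group(1)] = m.group(2).strip()
    return info

def strict_check(rel: Release, pinned_sha256: str, seen_codes: set) -> list:
    """Reasons a strict index build would reject this APK (empty list = accept)."""
    info = parse_signer(rel.signer_output)
    digest = info.get("SHA-256 digest", "").lower()
    problems = []
    if digest != pinned_sha256.lower():
        problems.append(f"signed by a key that is not allowed: {digest}")
    if "CN=Android Debug" in info.get("DN", ""):
        problems.append("signed with an Android debug certificate")
    if rel.version_code in seen_codes:
        problems.append(f"versionCode {rel.version_code} already published; this APK would replace it")
    return problems

def audit(releases: list, pinned_sha256: str) -> dict:
    """Check releases in publication order; returns {version_name: problems}."""
    seen, report = set(), {}
    for rel in releases:
        report[rel.version_name] = strict_check(rel, pinned_sha256, seen)
        seen.add(rel.version_code)
    return report

# Constructed sample built from the three signer blocks quoted above; 3.4's key is pinned.
DEBUG_DN = "Signer #1 certificate DN: C=US, O=Android, CN=Android Debug\n"
RELEASES = [
    Release("3.4", 83, DEBUG_DN + "Signer #1 certificate SHA-256 digest: dc50eabd6ffdfe074ab34dbab84f14c387eb515727e55869ec20294c6b9bdc30"),
    Release("3.5", 84, DEBUG_DN + "Signer #1 certificate SHA-256 digest: 1d54590357354bb2f65018ef785386d9bbb402c45b38fc310136b83340a54d80"),
    Release("3.6", 84, DEBUG_DN + "Signer #1 certificate SHA-256 digest: cf44dcb5ef1e1231bddd4194a4b8b245d1aec5cb217affba0414cb1ea5bf326d"),
]
PINNED = "dc50eabd6ffdfe074ab34dbab84f14c387eb515727e55869ec20294c6b9bdc30"
```

Calling `audit(RELEASES, PINNED)` flags only the debug certificate for 3.4, adds the disallowed-key rejection for 3.5, and for 3.6 additionally reports the reused versionCode that caused the overwrite described in the first comment.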

cagnulein commented 10 months ago

Yes, I guess the CI does this, so you have had this issue from the beginning, right?


IzzySoft commented 10 months ago

That could be, yes – but I only noticed once strict checking was enabled. Given the APK size, your app is among those where I kept the latest release(s) and dropped older ones that had "offending keys".

IzzySoft commented 10 months ago

So did you find the culprit, @cagnulein? I see another release with the next debug key :cry:

cagnulein commented 10 months ago

No, I didn't check yet; it's on my todo list, but I have more urgent things now :(


IzzySoft commented 10 months ago

I see. Then I'll disable updates here for now and restore the last version with the matching certificate (to get rid of the continuous warning whenever I build an index here). Please keep me updated about progress.

cagnulein commented 10 months ago

Thanks, I will.

Roberto Viola Software engineer and open source enthusiast http://robertoviola.cloud


IzzySoft commented 10 months ago

My monthly reminder popped up again, so I hope you don't mind the ping: Any progress made?

cagnulein commented 10 months ago

Hi, thanks. Nope, not yet. Autumn and winter are busy seasons for an indoor workout app :)


IzzySoft commented 10 months ago

OK, understood :wink: Hope you don't mind another ping when my updater reminds me again (Dec 1st), should it not be resolved by then?

cagnulein commented 10 months ago

Absolutely! Please keep it :)


stale[bot] commented 9 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

IzzySoft commented 9 months ago

Oof… your bot is faster than you as it doesn't need sleep… You might need to tell it that it made the wrong decision with adding that label :wink:

Edit: Looks like I've convinced it already (thought so before hitting the button, but I wasn't sure).

cagnulein commented 9 months ago

done ;)

IzzySoft commented 9 months ago

Thanks! As my "update bot" again fetched a release with the wrong signature: what are the chances we get this solved before new years eve – or did your "autumn and winter" above mean you won't make it before spring? I had set your app to "static" (which means "monthly checks" instead of daily ones, to have a reminder), but it starts to get a little annoying :wink:

cagnulein commented 9 months ago

Sorry, but I don't have time for this now; as I said, these months (yes, I mean till March) are a nightmare for me.

If you want, you can remove it until I fix it.

thanks again


IzzySoft commented 9 months ago

Nah, and apologies: I misunderstood your statement when reading it the first time. I'll simply disable updates now entirely (so "none" instead of "static") and set a different reminder flag (comparable to a "due date") to ask you again in… say middle of April? Or name another date you feel comfortable with, just so we don't forget. No pressure – I just wanted to figure how to best deal with this. Makes no sense to annoy you every month just because my updater annoyed me :see_no_evil:

cagnulein commented 9 months ago

Eheheh, OK, mid April sounds fine to me! Thanks for understanding, much appreciated. Have a great weekend!


IzzySoft commented 9 months ago

You too – and done!

cagnulein commented 8 months ago

@IzzySoft I'm working on this these days. I will keep you updated!

IzzySoft commented 4 months ago

Eh… my reminder popped up again and confused me. Guess we simply forgot to close this issue – and I can remove the reminder? Or did I miss something? Proper cert seems in place now. (checks the linked PR) Yeah, looks like I just forgot to remove the reminder. Closing here then; should I indeed have missed something, feel free to reopen :wink:

And thanks again!