fibelatti / photo-widget

Photo Widget is as simple as it can be: an Android home screen widget to display a photo or collection of photos. It is a free, no-ads, open source alternative for people who want to customize their home screen with their favorite photos.
Apache License 2.0
102 stars, 7 forks

List app on IzzyOnDroid #67

Closed fibelatti closed 3 months ago

fibelatti commented 3 months ago

Hi @IzzySoft!

I'm looking to have this app listed on IzzyOnDroid, same as https://github.com/fibelatti/pinboard-kotlin. I believe I have all required setup in place, would you be able to help with this?

IzzySoft commented 3 months ago

same as

speaking of the same:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Easily solved (for both apps) by modifying your build.gradle.kts:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Now for this app, there's this:

Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 6a5745a5c4d01552bd7e371f6ee17198cef3b6e5e36ff9eb4211f581cad63c26
Signer #1 certificate SHA-1 digest: 9c32bcf8b2ca69d6423b64208bc50c68289a77ee
Signer #1 certificate MD5 digest: 6ad0bc00754d22b38889d28db2f933f9
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 4096

It's signed by a ~debug~ Google PlayStore key, ~which is not permitted~. May I hand the "same as" back to you to have this app signed by ~a proper~ your own release key, same as you did for the other (not necessarily the very same key, though that would be fine too, but a release key)? Apart from those two points, scan results look fine.

Edit: mistaken Google's PlayStore key for a debug key (only difference in the DN is the debug key says "Android debug" instead of just "Android", and has no "Google Inc." IIRC). But as long as you let Google sign, we cannot be sure what they put in that you didn't intend. Like that dependency blob. So would you consider switching to your own key for signing here? No prob if you want to have both APKs attached as long as they follow a stable naming pattern then (e.g. *_google-signed* for the Google signed one).
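The scan output quoted above lists the blobs in the APK Signing Block by their IDs. As an added example that is not part of this thread or of the photo-widget project, the following Python script locates that block in an APK (it is an ordinary ZIP with the block placed directly in front of the central directory), enumerates its ID-value pairs and flags 0x504b4453. The sample APK it builds is constructed in memory with placeholder blob contents, so the "v2 signature" entry is only a stand-in and nothing here verifies a signature; the block ID names other than 0x504b4453 come from the Android platform source, not from this thread.

```python
import io
import struct
import zipfile

# Block IDs as used by the Android platform (apksig). 0x504b4453 is the
# DEPENDENCY_INFO_BLOCK id shown in the scan output; the others are the
# v2/v3 signature scheme ids and the verity padding id.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    0x504B4453: "DEPENDENCY_INFO_BLOCK (Google)",
}
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"


def _locate_central_directory(apk: bytes):
    """Return (eocd_offset, central_directory_offset) of a ZIP/APK image."""
    eocd = apk.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("not a ZIP file: no end-of-central-directory record")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    return eocd, cd_offset


def parse_signing_block(apk: bytes) -> dict:
    """Return {block_id: value} for the APK Signing Block, or {} if absent.

    Layout (little-endian): uint64 size | id-value pairs | uint64 size |
    16-byte magic, sitting directly before the central directory. Each
    pair is uint64 length | uint32 id | value, with length covering id+value.
    """
    _, cd_offset = _locate_central_directory(apk)
    if apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    block_start = cd_offset - 8 - size
    if struct.unpack_from("<Q", apk, block_start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    pairs, pos, end = {}, block_start + 8, cd_offset - 24
    while pos < end:
        length = struct.unpack_from("<Q", apk, pos)[0]
        block_id = struct.unpack_from("<I", apk, pos + 8)[0]
        pairs[block_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs


def audit_signing_block(apk: bytes) -> list:
    """One line per blob; the Google dependency blob gets the remediation hint."""
    findings = []
    for block_id, value in parse_signing_block(apk).items():
        name = KNOWN_BLOCK_IDS.get(block_id, "unknown")
        line = f"0x{block_id:08x} ({name}), {len(value)} bytes"
        if block_id == DEPENDENCY_INFO_BLOCK_ID:
            line += " -- readable only by Google; set dependenciesInfo.includeInApk = false"
        findings.append(line)
    return findings


def build_signing_block(pairs) -> bytes:
    """Serialise [(id, value), ...] into a well-formed APK Signing Block."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def insert_signing_block(apk: bytes, block: bytes) -> bytes:
    """Splice a block in front of the central directory and fix the EOCD offset."""
    eocd, cd_offset = _locate_central_directory(apk)
    patched_eocd = apk[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + apk[eocd + 20:]
    return apk[:cd_offset] + block + apk[cd_offset:eocd] + patched_eocd


def make_sample_apk(with_dependency_blob: bool) -> bytes:
    """Constructed test input: a one-entry ZIP plus placeholder signing blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder manifest/>")
    pairs = [(0x7109871A, b"\x00" * 32)]  # stand-in, not a real v2 signature
    if with_dependency_blob:
        pairs.append((DEPENDENCY_INFO_BLOCK_ID, b"\x01" * 16))  # stand-in blob
    return insert_signing_block(buf.getvalue(), build_signing_block(pairs))


def zip_entries(apk: bytes) -> list:
    """Ordinary ZIP readers never see the signing block; entries stay intact."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.namelist()


if __name__ == "__main__":
    for line in audit_signing_block(make_sample_apk(with_dependency_blob=True)):
        print(line)
```

Running the script prints one line per blob for the constructed APK, including the 0x504b4453 entry with the same build.gradle.kts remedy given above. As the thread notes, a checker can only report that the dependency blob is present and how large it is; its contents are encrypted to Google's key, so there is nothing further to inspect.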

fibelatti commented 3 months ago

@IzzySoft thanks for getting back to me so quickly! No problem at all, I'll make the necessary adjustments and let you know once they're done. I was attaching the universal APK from GPC for convenience, but I'll start uploading one signed with my own key instead.

fibelatti commented 3 months ago

@IzzySoft I believe this release addresses all issues, could you verify that please?

IzzySoft commented 3 months ago

Thanks! I assume I should pin my updater to the tags ending with -floss then? Did that for now. Alternative would be attaching both APKs to the same tag/release, and having the floss in the corresponding file name (e.g. *-foss-release.apk). Just let me know which method to go with so I adjust the YAML for your app here correspondingly.

Meanwhile:

Yeah, your changelog is too long. Limit is 500 chars – and they are called "per-release changelogs" because they only contain changes for the current release, not for the previous ones as well :stuck_out_tongue_winking_eye: I took the freedom to cut off everything starting with "Previously" – cut-off doesn't look nice :wink:

The app doesn't require any permissions

Only 1 permission (the last one is an AndroidX bogus and not a real permission).

So: Welcome aboard with your second app. Grab a coffee and pick a badge for your Readme if you like; the app will go live with the next sync around 6 pm UTC :smiley:

fibelatti commented 3 months ago

@IzzySoft not really, the only reason I've added the suffix this time was that there was no reason for a version bump yet as I had just released 1.8.3. Starting with the next one (either v1.8.4 or v1.9.0) I'll use the same tag to release on both stores, and I'll only upload the APK signed with my own key.

Thanks for the heads-up about the change log, I'll keep that in mind going forward as I was unaware of that limitation. Thanks for managing that on my behalf for this one.

I'll also update the metadata to correctly reflect the permissions and add the badge to this repo as well.

Once again, thanks for your help!

IzzySoft commented 3 months ago

Once again, thanks for your help!

Gladly given! For a reference on Fastlane structures and limits, see e.g. the IzzyOnDroid Fastlane Documentation should you need help with that.

I've removed the suffix again for the tags; as there'll be a single APK only, no other specs are needed. Should you one day require a tag/release that should not be picked up, either mark it as pre-release or use a specific tag name (e.g. replacing the leading v by some other letter; the updater is currently set to only watch tags where the names match v<versionName>, with "newer versions" being determined according to semantic versioning).

Enjoy!