Open lukehutch opened 5 months ago
Hey there. package_info_plus had SHA-1 earlier all the time, but due to some reports recently switched to SHA-256: https://github.com/fluttercommunity/plus_plugins/pull/2835
I don't think we are going to bring back SHA-1 any time soon, so would suggest to use older version of the package instead if you need SHA-1.
SHA-1 is used everywhere in the Google Developer Console to restrict API keys to specific Android devices, to register builds with Google Play, etc. You really still need this as an option. SHA-1 is a lot less secure than SHA-256, but if the API or platform that you are using requires its usage, then you don't get a choice.
> SHA-1 is used everywhere in the Google Developer Console to restrict API
Yes, this is a good catch.
> if the API or platform that you are using requires its usage, then you don't get a choice.
But package_info_plus isn't the only way to get the SHA-1 of the app. There are enough ways to get this info listed here, including the simplest, from my point of view, getting it from the Play Console itself if we are talking about published apps: https://developers.google.com/android/guides/client-auth
Ideally, I would prefer to have SHA-1 available as it was before, but I would also like to avoid people getting issues with different scanning tools, like it was in the issue that was addressed by the PR I linked above.
CC @miquelbeltran
Personally, I'd rather remove this functionality, since it is not cross-platform, and perhaps put it in a separated package, if it doesn't exist already.
> the simplest, from my point of view, getting from the Play Console itself
The problem was I was getting a Google Maps API rejection, and I needed to print out the SHA-1 that the apk was signed with when the app started up, so that I could determine if that was the reason that the API was failing (that the app was signed with the wrong key). This is very useful functionality when dealing with Google APIs.
> Personally, I'd rather remove this functionality, since it is not cross-platform, and perhaps put it in a separated package, if it doesn't exist already.
It does exist elsewhere -- I linked that project. However, since package_info_plus already has the basic functionality, why not just extend it to also deliver the signing key hash for iOS, and make it cross-platform? The signing key is also used to lock down Apple APIs. (Although they use only one key for debug and release, unlike Android.)
> The problem was I was getting a Google Maps API rejection, and I needed to print out the SHA-1 that the apk was signed with when the app started up, so that I could determine if that was the reason that the API was failing (that the app was signed with the wrong key).
For cases like this Gradle signing report is the best way and it is also mentioned in the guide I shared: https://developers.google.com/android/guides/client-auth#using_gradles_signing_report
Of course I know about the gradle signing report. But that reports the keys for every build type. I want to know at runtime what the build type was (or more specifically, what the key was that was associated with the build type) for the specific build that is currently running, so that I can verify that the wrong build type was not used for the running app.
In such case just use the older version of package_info_plus.
I have already provided the reasoning a few comments above:
> Ideally, I would prefer to have SHA-1 available as it was before, but I would also like to avoid people getting issues with different scanning tools, like it was in the issue that was addressed by the PR I linked above.

> I would also like to avoid people getting issues with different scanning tools, like it was in the issue that was addressed by the PR I linked above
The problem, though, is that Google requires this signature value in headers for API requests from Android apps. I personally agree that it's better to remove things that get highlighted in report tools. But on the other hand, Google is still using SHA-1 to verify that the call to the API is made from a trusted app.
I guess those who need SHA-1 for Google authentication are stuck with version 7.0.0 until Google makes changes.
Plugin: package_info_plus

Use case:
Right now the packageInfo.buildSignature method returns a SHA-256 hex string (without colon byte delimiters). The Android ecosystem still extensively uses SHA-1 hex strings (with colon byte delimiters), and sometimes SHA-1, base64-encoded. package_info_plus really needs to provide this information in more formats.

Proposal:
For inspiration, please see the options available in https://pub.dev/packages/package_signature . I'd rather not have to pull in that other package, which duplicates work of package_info_plus (which I already need).
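The thread turns on two things: the three textual shapes a signing-certificate fingerprint appears in (colon-delimited upper-case hex as printed by `gradle signingReport` and keytool, plain hex as `buildSignature` returns, and base64), and the runtime check the reporter wants (is the running build signed with the key I expect, regardless of which format I pasted the expected value in). The block below is an added example, not code from package_info_plus or package_signature. It works on the DER bytes of the certificate; the `CONSTRUCTED_CERT_DER` blob is made up so the block runs offline, and on a device those bytes would come from the platform's package manager rather than from this constant. The function names `fingerprints`, `normalize` and `signed_with` are this example's own.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a DER-encoded signing certificate (not a real cert).
# On Android the bytes would come from the package manager's signing info.
CONSTRUCTED_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

DIGEST_SIZES = {"sha1": 20, "sha256": 32}
HEX_CHARS = set("0123456789abcdefABCDEF")


def fingerprints(cert_der: bytes) -> dict:
    """Return SHA-1 and SHA-256 fingerprints of the certificate in the formats
    seen in the Android ecosystem:

    - '<algo>_colon': upper-case hex with ':' byte delimiters (signing report / keytool style)
    - '<algo>_hex':   lower-case hex, no delimiters (the shape buildSignature returns for SHA-256)
    - '<algo>_b64':   standard base64 of the raw digest
    """
    out = {}
    for algo in DIGEST_SIZES:
        digest = hashlib.new(algo, cert_der).digest()
        out[f"{algo}_colon"] = ":".join(f"{b:02X}" for b in digest)
        out[f"{algo}_hex"] = digest.hex()
        out[f"{algo}_b64"] = base64.b64encode(digest).decode("ascii")
    return out


def normalize(value: str, algo: str) -> bytes:
    """Parse any of the three textual forms back into the raw digest bytes.

    Hex (with or without colons, any case) is recognised by length and alphabet;
    anything else is tried as base64. Raises ValueError if the input is neither,
    or decodes to the wrong digest length for the algorithm.
    """
    size = DIGEST_SIZES[algo]
    compact = value.strip().replace(":", "")
    if len(compact) == 2 * size and set(compact) <= HEX_CHARS:
        return bytes.fromhex(compact)
    # base64 lengths (28 for SHA-1, 44 for SHA-256) never collide with hex lengths,
    # so a value that is not well-formed hex is tried strictly as base64.
    try:
        raw = base64.b64decode(value.strip(), validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError(f"not a {algo} fingerprint in hex or base64: {value!r}") from exc
    if len(raw) != size:
        raise ValueError(f"decoded {len(raw)} bytes, expected {size} for {algo}")
    return raw


def signed_with(cert_der: bytes, expected: str, algo: str = "sha1") -> bool:
    """The runtime check from the thread: was this certificate the one we expect?

    Accepts the expected fingerprint in any of the three formats, compares in
    constant time, and treats an unparseable expectation as a mismatch rather
    than raising, so a typo in config fails closed.
    """
    actual = hashlib.new(algo, cert_der).digest()
    try:
        want = normalize(expected, algo)
    except ValueError:
        return False
    return hmac.compare_digest(actual, want)


if __name__ == "__main__":
    fp = fingerprints(CONSTRUCTED_CERT_DER)
    for key, value in fp.items():
        print(f"{key:14} {value}")
    # The same expected key, pasted in the colon form from a signing report,
    # still matches the plain-hex form the plugin returns.
    print("match (colon vs hex):", signed_with(CONSTRUCTED_CERT_DER, fp["sha1_colon"]))
```

Note that `normalize` rejects a SHA-1 value when asked to check SHA-256 and vice versa, so a config entry copied from the wrong column of the signing report fails the check instead of silently comparing digests of different lengths.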