fluttercommunity / plus_plugins

Flutter Community Plus Plugins
BSD 3-Clause "New" or "Revised" License

[Request]: package_info_plus needs to give SHA1, not just SHA256 #2940

Open lukehutch opened 5 months ago

lukehutch commented 5 months ago

Plugin

package_info_plus

Use case

Right now the packageInfo.buildSignature method returns a SHA256 hex string (without colon byte delimiters).

The Android ecosystem still extensively uses SHA1 hex strings (with colon byte delimiters), and sometimes SHA1, base64-encoded.

package_info_plus really needs to provide this information in more formats.

Proposal

For inspiration, please see the options available in https://pub.dev/packages/package_signature .

I'd rather not have to pull in that other package, which duplicates work of package_info_plus (which I already need).

vbuberen commented 5 months ago

Hey there. package_info_plus had SHA-1 earlier all the time, but due to some reports recently switched to SHA-256 https://github.com/fluttercommunity/plus_plugins/pull/2835

I don't think we are going to bring back SHA-1 any time soon, so I would suggest using an older version of the package instead if you need SHA-1.

lukehutch commented 5 months ago

SHA-1 is used everywhere in the Google Developer Console to restrict API keys to specific Android devices, to register builds with Google Play, etc. You really still need this as an option. SHA-1 is a lot less secure than SHA-256, but if the API or platform that you are using requires its usage, then you don't get a choice.

vbuberen commented 5 months ago

SHA-1 is used everywhere in the Google Developer Console to restrict API

Yes, this is a good catch.

if the API or platform that you are using requires its usage, then you don't get a choice.

But package_info_plus isn't the only way to get the SHA-1 of the app. There are enough ways to get this info listed here, including the simplest one, from my point of view: getting it from the Play Console itself if we are talking about published apps: https://developers.google.com/android/guides/client-auth

Ideally, I would prefer to have SHA-1 available as it was before, but I would also like to avoid people getting issues with different scanning tools, like it was in the issue that was addressed by the PR I linked above.

CC @miquelbeltran

miquelbeltran commented 5 months ago

Personally, I'd rather remove this functionality, since it is not cross-platform, and perhaps put it in a separate package, if it doesn't exist already.

lukehutch commented 5 months ago

the simplest one, from my point of view: getting it from the Play Console itself

The problem was I was getting a Google Maps API rejection, and I needed to print out the SHA-1 that the apk was signed with when the app started up, so that I could determine if that was the reason that the API was failing (that the app was signed with the wrong key). This is very useful functionality when dealing with Google APIs.

Personally, I'd rather remove this functionality, since it is not cross-platform, and perhaps put it in a separate package, if it doesn't exist already.

It does exist elsewhere -- I linked that project. However, since package_info_plus already has the basic functionality, why not just extend it to also deliver the signing key hash for iOS, and make it cross-platform? The signing key is also used to lock down Apple APIs. (Although they use only one key for debug and release, unlike Android.)

vbuberen commented 5 months ago

The problem was I was getting a Google Maps API rejection, and I needed to print out the SHA-1 that the apk was signed with when the app started up, so that I could determine if that was the reason that the API was failing (that the app was signed with the wrong key).

For cases like this Gradle signing report is the best way and it is also mentioned in the guide I shared: https://developers.google.com/android/guides/client-auth#using_gradles_signing_report

lukehutch commented 5 months ago

Of course I know about the gradle signing report. But that reports the keys for every build type. I want to know at runtime what the build type was (or more specifically, what the key was that was associated with the build type) for the specific build that is currently running, so that I can verify that the wrong build type was not used for the running app.
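The format mismatch this thread turns on (SHA-256 hex without colons from buildSignature versus the colon-delimited or base64 SHA-1 that other Android tooling shows) and the runtime "was this build signed with the expected key?" check described above, as an added Python example that is not part of package_info_plus or of this thread; the certificate bytes are a constructed stand-in and the function names are my own:

```python
import base64
import hashlib
import re

# Constructed stand-in for the DER bytes of an APK signing certificate.
# On a device these come from the package's signing info; any bytes
# serve to demonstrate the three textual formats discussed in the thread.
SAMPLE_CERT_DER = b"constructed-stand-in-for-DER-signing-certificate"


def sha256_plain_hex(cert_der: bytes) -> str:
    """Shape of package_info_plus buildSignature: SHA-256 hex, no colons."""
    return hashlib.sha256(cert_der).hexdigest()


def sha1_colon_hex(cert_der: bytes) -> str:
    """Shape shown by Gradle signingReport / Play Console: SHA-1, colon-delimited."""
    digest = hashlib.sha1(cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def sha1_base64(cert_der: bytes) -> str:
    """SHA-1 of the certificate, base64-encoded."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def normalize_fingerprint(value: str) -> bytes:
    """Accept colon-delimited hex, plain hex (either case) or base64; return raw digest bytes.

    Base64 of a 20- or 32-byte digest is 28 or 44 characters, so it can never be
    mistaken for a 40- or 64-character hex string.
    """
    cleaned = value.strip().replace(":", "")
    if re.fullmatch(r"[0-9a-fA-F]+", cleaned) and len(cleaned) in (40, 64):
        return bytes.fromhex(cleaned)
    return base64.b64decode(value.strip(), validate=True)


def signed_with_expected_key(runtime_fingerprint: str, expected: list[str]) -> bool:
    """True if the runtime fingerprint equals any expected one, whatever text format each uses.

    A SHA-1 and a SHA-256 of the same certificate never compare equal, so a SHA-256
    from buildSignature must be checked against SHA-256 values from the signing report.
    """
    runtime_raw = normalize_fingerprint(runtime_fingerprint)
    return any(normalize_fingerprint(e) == runtime_raw for e in expected)


if __name__ == "__main__":
    print("buildSignature-style:", sha256_plain_hex(SAMPLE_CERT_DER))
    print("signingReport-style: ", sha1_colon_hex(SAMPLE_CERT_DER))
    print("base64 SHA-1:        ", sha1_base64(SAMPLE_CERT_DER))
```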

vbuberen commented 5 months ago

In such a case just use the older version of package_info_plus.

I have already provided the reasoning a few comments above:

Ideally, I would prefer to have SHA-1 available as it was before, but I would also like to avoid people getting issues with different scanning tools, like it was in the issue that was addressed by the PR I linked above.

TatsuUkraine commented 4 months ago

I would also like to avoid people getting issues with different scanning tools, like it was in the issue that was addressed by the PR I linked above

The problem, though, is that Google requires this signature value in headers for API requests from Android apps. I personally agree that it's better to remove things that get highlighted by report tools. But on the other hand, Google is still using SHA-1 to verify that the call to the API is made from a trusted app.

outdoorapps commented 3 months ago

I guess those who need SHA-1 for Google authentication are stuck with version 7.0.0 until Google makes changes.