nikita-yfh / android-adb-tools

ADB & Fastboot tools for Android
MIT License
109 stars 14 forks

signing key changed? #4

Closed IzzySoft closed 9 months ago

IzzySoft commented 10 months ago

The APK at release 1.5.1 is signed with a different key than was used in the past:

1.5:

```
Signer #1 certificate DN: CN=nikita, OU=nikita, O=nikita, L=Luhansk, ST=?, C=?
Signer #1 certificate SHA-256 digest: 3c2281c6c17309bb46259cc426543f95d53a64eb24d2e5a275ba6d6924f864ba
Signer #1 certificate SHA-1 digest: aed004f84e02a4766292b2d264e80795e0af2b03
Signer #1 certificate MD5 digest: 93392f5395662aeb2de420ea985b6420
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
```

1.5.1:

```
Signer #1 certificate DN: CN=Nikita Yfh, OU=Unknown, O=No, L=Unknown, ST=Unknown, C=Unknown
Signer #1 certificate SHA-256 digest: 1c3910cff51fe67339a92a30a4eedf0108daa973852e0bacfb2d1e81933c6998
Signer #1 certificate SHA-1 digest: c813744441eed6f7763d5326c81cbc7d92bd1d38
Signer #1 certificate MD5 digest: 62bc7f05d38aad0f59d690346f6fafe0
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
```

I found no hint to that neither in the release notes nor in the issues here – nor in commit messages or the Readme. As this prevents updates and could mean "enemy action" (someone else impersonating you got access to your repo), it's not just a "convenience question" but rather a security issue as well. May I ask what happened?
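
The comparison reported above can be automated before a repository or updater accepts a new release. The following is an added example, not part of the original thread or the project's code: it parses `apksigner verify --print-certs` output in the format quoted in the issue and classifies the candidate release; the function names and result labels are assumptions chosen for illustration.

```python
import re

# `apksigner verify --print-certs` lines quoted in the issue above (DN and SHA-256 only).
RELEASE_1_5 = """\
Signer #1 certificate DN: CN=nikita, OU=nikita, O=nikita, L=Luhansk, ST=?, C=?
Signer #1 certificate SHA-256 digest: 3c2281c6c17309bb46259cc426543f95d53a64eb24d2e5a275ba6d6924f864ba
"""
RELEASE_1_5_1 = """\
Signer #1 certificate DN: CN=Nikita Yfh, OU=Unknown, O=No, L=Unknown, ST=Unknown, C=Unknown
Signer #1 certificate SHA-256 digest: 1c3910cff51fe67339a92a30a4eedf0108daa973852e0bacfb2d1e81933c6998
"""

FIELD = re.compile(r"^Signer #(\d+) certificate (DN|SHA-256 digest): (.+)$")

def parse_signers(text):
    """Map signer number -> {"DN": ..., "SHA-256 digest": ...}."""
    signers = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            signers.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return signers

def digests(text):
    """Set of lowercase SHA-256 certificate digests over all signers.

    The DN is self-asserted by whoever generated the key, so it is parsed
    for reporting only and never used for the trust decision.
    """
    return {s["SHA-256 digest"].lower()
            for s in parse_signers(text).values() if "SHA-256 digest" in s}

def compare_releases(trusted_text, candidate_text):
    """Classify a candidate release against the previously trusted one."""
    trusted, candidate = digests(trusted_text), digests(candidate_text)
    if not trusted or not candidate:
        return "unverifiable"      # fail closed: no digest parsed on one side
    if trusted == candidate:
        return "same-key"
    if trusted & candidate:
        return "partial-overlap"   # some signers kept, some added or dropped
    return "key-changed"           # the situation reported in this issue

if __name__ == "__main__":
    print(compare_releases(RELEASE_1_5, RELEASE_1_5_1))
```
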

nikita-yfh commented 10 months ago

Yes, I lost the last signing key

IzzySoft commented 10 months ago

Oof. So any chance of a remedy, so we at least can definitely rule out "enemy action"? For some background, please see: How to keep your key safe and what measures to take for the event of loss?

IzzySoft commented 9 months ago

@nikita-yfh ^^ no chance – or just missed my question?

nikita-yfh commented 9 months ago

I didn't keep the key in the git repository. I changed it when my computer hard drive failed. Therefore, there is no way I can get the old key.

IzzySoft commented 9 months ago

Oof. So no way of proof then. Will you at least take precautions for the future, as outlined in the article? Have backups of the key, sign your commits?

IzzySoft commented 9 months ago

Please take good care of the current keystore :wink: