Please also update the release apk

[linsui]

You updated the version code but the apk still has version code 3 so that it's not reproducible. Please also update it, thanks!

[pastthepixels]

Oh, right! Sorry I forgot about that, my bad! Especially since I made this release a lot harder since I forgot to update the version code.

[linsui]

The apk is updated now but the signature is also changed... Did you lose your key?

[pastthepixels]

Yeah, something happened to it and I wasn't able to use it, so I had to create a new one. Sorry if that messed up anything! This key should be backed up now, so hopefully I shouldn't have the same problem again

[linsui]

No worry, it's pretty common. Maybe you want to have a look at https://f-droid.org/en/2023/09/03/reproducible-builds-signing-keys-and-binary-repos.html.

[pastthepixels]

No worry, it's pretty common. Maybe you want to have a look at https://f-droid.org/en/2023/09/03/reproducible-builds-signing-keys-and-binary-repos.html.

Thanks for linking this! I think one of the things I needed to do was rebuild an older version with the new key so they can be compared. I'm not sure if I've done this right, but I updated the release of 1.0.2 with a build with the new key alongside the old one. Hope that helps!

[linsui]

I sent an email to you. Could you please reply the email for confirmation?

[IzzySoft]

Just for completeness:

$ rbtest app-release.apk app-release-old-key.apk 
RB confirmed.

Which means the APKs attached to the 1.0.2 release are identical. Further, checking the signatures:

$ sigcheck app-release.apk 
package: name='io.github.pastthepixels.freepaint' versionCode='3' versionName='1.0.2' platformBuildVersionName='13' platformBuildVersionCode='33' compileSdkVersion='33' compileSdkVersionCodename='13'
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: C=CA, ST=Alberta, CN=PastThePixels
Signer #1 certificate SHA-256 digest: bb214577a74f822c69d335b8fbc5e44bc5fd223cc7eab87c825841eca86bebe4
Signer #1 certificate SHA-1 digest: 07cbdbcf004b4f9cc7d9d98f60254b25bf20a029
Signer #1 certificate MD5 digest: d33df5771c76e509cabdcd8fb3d2372e
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

$ sigcheck app-release-old-key.apk 
package: name='io.github.pastthepixels.freepaint' versionCode='3' versionName='1.0.2' platformBuildVersionName='13' platformBuildVersionCode='33' compileSdkVersion='33' compileSdkVersionCodename='13'
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=PastThePixels
Signer #1 certificate SHA-256 digest: ce416aaee9a8b4325cea2a0b1fe30eea2d5ebf55924eb100e51bdf61b16c47df
Signer #1 certificate SHA-1 digest: 2dcc74fac3c4f02fc9a7ade2d94aca22b4bf2736
Signer #1 certificate MD5 digest: ab920af6c6178c6ca0ecb777716359f2
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

F-Droid metadata say:

AllowedAPKSigningKeys: ce416aaee9a8b4325cea2a0b1fe30eea2d5ebf55924eb100e51bdf61b16c47df

Which matches the SHA-256 of the "old-key" APK. So whoever signed that one has proven they are in possession of the private key. If that was a "malevolent actor" they must be a little "off" raising suspicion by changing the signing key and thus raising suspicion :zany_face:

@pastthepixels replying to that email cannot hurt and would give additional confirmation – but to me the stronger proof is that these APKs match up. Thanks!

[IzzySoft]

Oof. Correcting the above: As v1.0.2 was the last one correctly confirmed via

Binaries: https://github.com/pastthepixels/FreePaint/releases/download/v%v/app-release.apk

adding another APK with the NEW key there doesn't prove anything. Can you provide an APK for 1.1.0, signed with the old key? Any developer can build older releases and sign them with their key. What we need is proof that you're in possession of the original key as well – i.e. not signing older releases with the new key, but newer releases with the old key.

[linsui]

I got the reply:

Hey!

Yes, I can confirm that my account wasn't compromised and I do own the new key. I'm so sorry for making you do all this because I lost my old key -- honestly the tiresome work you all do at F-Droid is amazing and I am really grateful to have it.

Thank you,

PastThePixels

[IzzySoft]

And it seems we have no other means of verification left (no offense meant of course!):

• commits are not signed (except for those releases signed via Github GUI, which cannot count in this context). Might be a good idea you adopt this at least for future commits, @pastthepixels
• no "independent means of contact" (Matrix, XMPP etc) were established before the incident
• no person to vouch for you (who can have you confirm "in person" it's really you having written this answer and making those releases, etc) – or is there someone with established trust who could do that?

Apologies for our "insisting" – but we have a responsibility here, so we need to make it as "safe & sound" as we can.

[pastthepixels]

Oof. Correcting the above: As v1.0.2 was the last one correctly confirmed via

Binaries: https://github.com/pastthepixels/FreePaint/releases/download/v%v/app-release.apk

adding another APK with the NEW key there doesn't prove anything. Can you provide an APK for 1.1.0, signed with the old key? Any developer can build older releases and sign them with their key. What we need is proof that you're in possession of the original key as well – i.e. not signing older releases with the new key, but newer releases with the old key.

I'm really sorry to say this but I don't! I have the keystore file but I can't recover the password. It's totally understandable by the way why all these security measures are in place, it's part of the reason why I use F-Droid. It's totally on me for my silly mistake -- but on the plus side I have signed commits now, and have backups of my new key. I don't have a person to vouch for me, but I'll see if I can recover the password and I'll send any updates if I do.

[IzzySoft]

I have signed commits now, and have backups of my new key.

:+1: So now you're be much better prepared – though hopefully such a situation won't hit you again. You've just proven a saying in a rather unexpected meaning:

Why does a lightning flash never hit the same place twice? – Because it's no longer there after the first hit.

With signed commits ad proper backups (including your GPG keys I hope) now there, that flash can't hit you the same way again.

I'll see if I can recover the password and I'll send any updates if I do.

That would be much appreciated, thanks! We'll meanwhile see what we can do over at F-Droid. Need to discuss it among the maintainers at least.

[TotallyAvailable]

Jumping in from a kinda semi related discussion...

Given that your app listing does include a personal website/domain, has there been any kind of verification of ownership been performed as part of the inclusion (like with donation links(? might be thinking about something else here)).

Adding a file or reference on demand might add further trust.

Edit: I certainly couldn't have made this one sentence sound any worse...given the discussion we've just had. I'll even end up removing it.

And if that's of no use in this case, maybe future events or inclusions might be salvageable by adding another "trusted" entry to work with.

If all of this has already been considered internally, forget what I just said.

[linsui]

https://gitlab.com/fdroid/fdroiddata/-/merge_requests/14020 We have update it. :)

[pastthepixels]

Sorry for getting back so late! I couldn't recover my key -- but since 1.1.0's on F-Droid now I hope it shouldn't be much of a problem.

Jumping in from a kinda semi related discussion...

Given that your app listing does include a personal website/domain, has there been any kind of verification of ownership been performed as part of the inclusion (like with donation links(? might be thinking about something else here)).

Adding a file or reference on demand might add further trust.

Edit: I certainly couldn't have made this one sentence sound any worse...given the discussion we've just had. I'll even end up removing it.

And if that's of no use in this case, maybe future events or inclusions might be salvageable by adding another "trusted" entry to work with.

If all of this has already been considered internally, forget what I just said.

I don't think I actually had to verify my domain name when initially adding my app to F-Droid. I'll have a look to see if there's a way I can do that for the future.

[linsui]

We don't have that requirement. It's just another layer of trust. ;)