search

petabyt / fudge

Unofficial app to pair with Fujifilm cameras
https://danielc.dev/fudge/
GNU General Public License v2.0
91 stars 4 forks source link

signing issue #7

Closed IzzySoft closed 1 year ago

IzzySoft commented 1 year ago

your latest release is signed using a key different from the one in place before:

WARNING: "dev.danielc.fujiapp_2.apk" is signed by a key that is not allowed:
5995c87f0ba43a21d14f715598eb716f399951a9a3f4e7af62a89c3adb9f5e17

I found no corresponding note on the release. May I ask what happened? Note that updates won't make it into my repo until the issue has been resolved.

PS: If you wonder about the file name, that is your app-release.apk being automatically renamed to <packageName>_<versionCode>.apk so it can co-exist with the others.

petabyt commented 1 year ago

I don't recall doing anything differently, I signed with the key I had saved and the username/password checked out.

obfusk commented 1 year ago

@IzzySoft it looks like your repo contains the APK from this release: https://github.com/petabyt/fudge/releases/tag/0.0.4

Note that the APK is named app-debug.apk instead of app-release.apk. It is signed with an Android debug key:

Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: d1b093191c4b9eb1477ab3f2db5bd4b5a7edfd16ae91c256d397cd965c67f9fc

Subsequent releases are signed with a non-debug key:

Signer #1 certificate DN: C=US, ST=North Carolina, L=Greensboro, O=Based Technologies Co, CN=Daniel Cook
Signer #1 certificate SHA-256 digest: 5995c87f0ba43a21d14f715598eb716f399951a9a3f4e7af62a89c3adb9f5e17
obfusk commented 1 year ago

And I'm guessing your repo didn't pick up a new release until now as the version code/name only changed for the latest one:

$ repro-apk binres fastid *.apk
package=dev.danielc.fujiapp versionCode=2 versionName=0.1.0 <- latest (tag 0.1.0)
package=dev.danielc.fujiapp versionCode=1 versionName=0.1.0-beta
package=dev.danielc.fujiapp versionCode=1 versionName=0.1.0-beta
package=dev.danielc.fujiapp versionCode=1 versionName=0.1.0-beta <- debug key (tag 0.0.4)
package=dev.danielc.fujiapp versionCode=1 versionName=1.0 <- debug key
package=dev.danielc.fujiapp versionCode=1 versionName=1.0 <- debug key
package=dev.danielc.fujiapp versionCode=1 versionName=1.0 <- debug key (tag 0.0.1)
IzzySoft commented 1 year ago

Good find @obfusk – thanks! Yes, if there's no other APK, that one is used as "last resort" (otherwise it is ignored)¹. And I see the releases before that are also just having debug builds – that was when the app was added to my repo probably (checked: right, app was added 2023-07-13, so 0.0.4 was the first one). Newer versions then have release builds, so those were picked by my updater. 0.0.4-pre was ignored because according to semantic versioning it should be the one preceding 0.0.4 which already was here. So the issue should have come up with 0.0.5-pre – not sure why that one was never fetched (probably as it has the same versionName and versionCode as the one that was already there).

Sounds conclusive to me, especially with the history posted by @obfusk. I'll then declare the "release key" to be the valid one for now and all future releases, removing the hash of the debug key. Note that whoever had the old one installed needs to uninstall and re-install to receive updates.

¹ that is because for some apps my repo has only the debug ones for their testers