search

stingle / stingle-photos-android

Stingle Photos is an open-source, end-to-end encrypted media gallery application that provides backup, sharing and cross-platform sync functionality without sacrificing convenience.
https://stingle.org
GNU General Public License v3.0
314 stars 28 forks source link

2.10 wont install, different signature. #138

Closed Kreuger closed 1 year ago

Kreuger commented 1 year ago

Hey all. Cant install the latest update because the signature doesnt match.

alexamiryan commented 1 year ago

Hello. From which source are you trying to install it? It was the same key that used to sign previous build.

Kreuger commented 1 year ago

From Fdroid and directly off here. As you can see below. Screenshot_20230402-103058

alexamiryan commented 1 year ago

Just dumped signatures and certificate digests for both versions. Here are the results:

v52 - 2.10.0
Signer #1 certificate DN: CN=Alex Amiryan, OU=Dev, O=Stingle
Signer #1 certificate SHA-256 digest: ad29416ff8ae9dd1ec50b834cce0bf2e89663ff99c35783877de4224afbffc92
Signer #1 certificate SHA-1 digest: 074e7d5a9caad97e2aa730f8c571ef0b719d6524
Signer #1 certificate MD5 digest: 7b602194e964fb484b8040d618361151
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: ec7f6576b119fc89684052bfcfc742cd192135dcbccebd8bb5a25b1bf32030f6
Signer #1 public key SHA-1 digest: febd5d124f2ee0f63ce166858b46e7e6bdac7c5e
Signer #1 public key MD5 digest: 883f37d747ff14591ee7dd7dbbcfe0d1

v51 - 2.9.0
Signer #1 certificate DN: CN=Alex Amiryan, OU=Dev, O=Stingle
Signer #1 certificate SHA-256 digest: ad29416ff8ae9dd1ec50b834cce0bf2e89663ff99c35783877de4224afbffc92
Signer #1 certificate SHA-1 digest: 074e7d5a9caad97e2aa730f8c571ef0b719d6524
Signer #1 certificate MD5 digest: 7b602194e964fb484b8040d618361151
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: ec7f6576b119fc89684052bfcfc742cd192135dcbccebd8bb5a25b1bf32030f6
Signer #1 public key SHA-1 digest: febd5d124f2ee0f63ce166858b46e7e6bdac7c5e
Signer #1 public key MD5 digest: 883f37d747ff14591ee7dd7dbbcfe0d1

As you can see they are the same. F-Droid and Play Store haven't rolled out updates yet. From where have you downloaded the APK file? Be careful it maybe modified!

Kreuger commented 1 year ago

I use Obtainium to grab it directly from here, if not from FDroid.

Edit: Here is the signature for one currently installed.

Screenshot_20230402-154243

So maybe the issue is that 2.9 is signed by fdroid. And the ones here om github are signed by you and I will have to wait for fdroid to get the update.

alexamiryan commented 1 year ago

Yes, exactly. F-Droid builds app from sources and signs it with their key. What I post here with the release is signed by me 😀

Kreuger commented 1 year ago

So just as a follow up, how can I remove that old one without losing my data?

alexamiryan commented 1 year ago

If everything is backed up, you can delete the app reinstall it. If not, then you will loose data. In any case I would suggest to wait for the F-Droid update.

Kreuger commented 1 year ago

Will do. Thanks.