tibarj / tranquilstopwatch

Stopwatch with current time display for long, non-interactive sessions like meditation.
GNU General Public License v3.0

APK for download #1

Open IzzySoft opened 1 month ago

IzzySoft commented 1 month ago

Thanks for making your app available here! Could you please also attach a signed APK to the release(s), for those who cannot compile themselves? Thanks in advance!

IzzySoft commented 1 month ago

Thanks for having added the APK! Looks fine so far, no "offending" (proprietary) libraries according to our scanners. However, one thing they reported was:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

which you can easily avoid with a tiny modification of your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

I've also tried to verify if it is a reproducible build, but failed to build in the first step: looks like your gradle-wrapper does not verify (wrong or not-matching distributionSha256Sum), you might wish to fix that. For now I've worked around that by "injecting" the specified Gradle-8.4 directly into the "build recipe" (didn't want to take an unverified one). Build worked fine with that – and indeed it is reproducible, congrats!

So now I will add your app to the IzzyOnDroid repo. It just missed today's sync by an hour, so it will show up here with the next sync tomorrow. Be welcome to pick a badge to link there e.g. from your Readme – and welcome aboard!

PS: small hint for your fastlane full_description.txt. If you could have an empty line before the bullet point list, it would render perfectly as Markdown. For the initial release here, I've adjusted it that way manually for you to see:

[screenshot: the adjusted full_description.txt rendered in the staging area]

Screenshot is from our staging area. And the green shield you see there indicates your app is RB. So for now, enjoy!
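The scanner output quoted above lists the ID-value pairs found in the APK Signing Block. The following is an added example (not from the issue, the IzzyOnDroid scanners, or the tranquilstopwatch project) showing how such a check can be done locally before publishing: it walks the APK Signing Block structure (size, ID-value pairs, size, magic, placed directly before the ZIP central directory) and reports the 0x504b4453 DEPENDENCY_INFO_BLOCK if present. The sample APK bytes it builds are constructed for the demo and only contain the signing block and an EOCD record; the block names table is limited to IDs documented by the APK signing schemes.

```python
"""Added example: list the ID-value pairs in an APK Signing Block and flag
Google's DEPENDENCY_INFO_BLOCK (0x504b4453). Standard library only."""
import struct
import sys

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = struct.pack("<I", 0x06054B50)
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453

# Block IDs commonly seen in an APK Signing Block.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "VERITY_PADDING_BLOCK",
    0x6DFF800D: "SOURCE_STAMP_BLOCK",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK; GOOGLE (encrypted)",
}


def find_eocd(data: bytes) -> int:
    """Locate the End Of Central Directory record by scanning back from the end
    (the ZIP comment may be up to 65535 bytes long)."""
    start = max(0, len(data) - 22 - 0xFFFF)
    pos = data.rfind(EOCD_SIGNATURE, start)
    if pos < 0:
        raise ValueError("no EOCD record found: not a ZIP/APK")
    return pos


def read_signing_block_ids(data: bytes) -> dict[int, int]:
    """Return {block_id: value_length} for every pair in the APK Signing Block.
    Returns an empty dict when the file carries no signing block at all."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    # The block footer (uint64 size + 16-byte magic) sits right before the central directory.
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    size_in_footer = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    block_start = cd_offset - size_in_footer - 8
    if block_start < 0:
        raise ValueError("APK Signing Block size exceeds file")
    size_in_header = struct.unpack_from("<Q", data, block_start)[0]
    if size_in_header != size_in_footer:
        raise ValueError("APK Signing Block header/footer size mismatch")
    pos, end = block_start + 8, cd_offset - 24
    ids: dict[int, int] = {}
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair in APK Signing Block")
        pair_id = struct.unpack_from("<I", data, pos + 8)[0]
        ids[pair_id] = pair_len - 4
        pos += 8 + pair_len
    return ids


def describe_blocks(data: bytes) -> list[str]:
    """Human-readable listing in the style of the scanner output quoted in the issue."""
    return [
        f"0x{bid:08x} ({KNOWN_BLOCK_IDS.get(bid, 'unknown')}), {length} bytes"
        for bid, length in read_signing_block_ids(data).items()
    ]


def has_dependency_info_block(data: bytes) -> bool:
    return DEPENDENCY_INFO_BLOCK_ID in read_signing_block_ids(data)


def build_sample_apk(include_dependency_block: bool) -> bytes:
    """Constructed sample: a fake v2 signature pair, optionally a dependency-info pair,
    an empty central directory and an EOCD record. Not a real, installable APK."""
    pairs = [(0x7109871A, b"\x00" * 32)]
    if include_dependency_block:
        pairs.append((DEPENDENCY_INFO_BLOCK_ID, b"\x00" * 16))
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # everything after the leading size field
    sig_block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    prefix = b"constructed sample: local file entries omitted\n"
    cd_offset = len(prefix) + len(sig_block)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 0, 0, 0, cd_offset, 0)
    return prefix + sig_block + eocd


if __name__ == "__main__":
    # Usage: python check_sigblock.py app-release.apk  (falls back to the constructed sample)
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(True)
    print("SigningBlock blobs:")
    for line in describe_blocks(apk):
        print("  " + line)
    if has_dependency_info_block(apk):
        print("-> DEPENDENCY_INFO_BLOCK present; set dependenciesInfo.includeInApk = false and rebuild")
```

Run it against the release APK; once the build.gradle change above is applied and the app rebuilt, the 0x504b4453 line disappears from the listing.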

IzzySoft commented 1 month ago

@tibarj you seem to be missing my comments, but here's another one: your new release (v1.0.1) was not built from a clean tree of the commit the tag points to, but right before committing that one (as can be seen by the embedded commit hash). Please take care to always build from a clean tree after having committed.

PS: But don't replace the APK there now as it is already distributed. Rather remember it for future releases :wink:

IzzySoft commented 1 month ago

PPS: The updater at the IzzyOnDroid repo just dropped your app due to a double-error here:

Binary files repo/tibarj.tranquilstopwatch_1.apk and repo/tibarj.tranquilstopwatch_1.0.1.apk differ
2024-08-06 19:44:35,950 WARNING: "tibarj.tranquilstopwatch_1.apk" is signed by a key that is not allowed:
fe13fdfa891cc18426e6a361f2839067201a672b5cadd2bbddea8ce25d39a199

Looks like you forgot to increase versionCode with your new release (so the APK from the previous release was overwritten) – and then also changed the signing key? The latter is considered a potential security risk (which is why AllowedAPKSigningKeys are pinned at the IzzyOnDroid repo). It also makes updates impossible, as Android would not accept the new APK; see How to keep your key safe and what measures to take for the event of loss?

Also, it seems you confuse my issue here with your RFP at F-Droid (I guess that's why you don't answer here): F-Droid and IzzyOnDroid are two separate entities, just using the same protocol, so to say. So I'd much appreciate it if you answered my questions here instead of there :wink:

As we're just at the very start here, I've adjusted the config at IzzyOnDroid and pinned your new signing key. Please stick to it. And make sure you have a good fallback should the key get lost – e.g. make good backups of it, and start signing your commits so you have another proof. A future change might not go as easy otherwise.

tibarj commented 1 month ago

Ok, thank you, I will be careful.

IzzySoft commented 1 month ago

Thanks! Should you have questions, we gladly help where we can.