tuhinpal
commented
5 months ago It is now signed with a release key! Thank you so much!
I would love to include the app in F-Droid.
Open IzzySoft opened 5 months ago
tuhinpal
commented
5 months ago It is now signed with a release key! Thank you so much!
I would love to include the app in F-Droid.
IzzySoft
commented
5 months ago Confirmed:
package: name='com.tuhin.cash_compass' versionCode='1' versionName='0.1.2' platformBuildVersionName='14' platformBuildVersionCode='34' compileSdkVersion='34' compileSdkVersionCodename='14'
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=Tuhin Kanti Pal, OU=Open Source, O=T Projects, L=Bolpur, ST=West Bengal, C=IN
Signer #1 certificate SHA-256 digest: 1a5cde00fec1bdb2ecc29feb8716f502b22c4610698c2bfb7f17865f0e66ba07
Signer #1 certificate SHA-1 digest: 7dbe89862a6493215c945d6ce70926c22e908437
Signer #1 certificate MD5 digest: a3faad2b1e139c6453729b65190caec1
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048As for versionCode='1': Please remember to increase this for each release you make. versionCode is what Android uses internally to tell versions apart – so if it was not increased, Android (and F-Droid clients as well) will ignore the new version thinking it is already installed.
I'll now integrate your app with my repo. And here comes what my scanner complains:
! repo/com.tuhin.cash_compass_1.apk declares sensitive permission(s):
android.permission.READ_EXTERNAL_STORAGE
! repo/com.tuhin.cash_compass_1.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)I guess you'll take care for that DEPENDENCY_INFO_BLOCK with the next release then, which is totally fine: currently, that's only a warning – though for the reasons outlined above, I'll probably raise its level to "serious warning" soon :wink:
Just wondering: while setting up metadata for your app, I wanted to grab the icon from the Readme – but I can't as downloading it results in a 0 byte file; it seems to be on some "private storage". I had that a few times in the past already; maybe you can tell me what's behind that? A bit strange to "protect" material in a FOSS repo that way (not saying you did so intentionally, it rather looks like some Github thingy). Same with the screenshots btw, so I cannot add them to the repo either. All those image files are linked to something called private-user-images.githubusercontent.com.
So for now, this is what it will look like (screenshot from staging, will go live with the next sync):
And from the package details:
What are the storage permissions needed/used for? If you let me know, I can add an explanation and put them to the "green list". After the next sync (around 7 pm UTC) you can then find your app here. This is not the "official F-Droid.org repo", but the largest (and best known / most wide spread) 3rd party repo, pre-configured with most 3rd party F-Droid clients (e.g. Droid-ify and NeoStore, where it is even enabled by default).
So welcome aboard! I can send you the metadata I've set up here via PR in Fastlane format, so you could update e.g. the screenshots and maybe even add more elements, like featureGraphic or per-release changelogs. Be welcome to use my Fastlane Cheat Sheet for guidance with that. Fastlane is the de-facto standard for this task btw – and if established here, my updater would check and sync that whenever it pulls in a new release of your app.
tuhinpal
commented
5 months ago versionCode='1': NotedDEPENDENCY_INFO_BLOCK: Will do itprivate-user-images.githubusercontent.com, it is Github asset proxy. Hover on your' sent images and see the url. Actual image url you can get from readme.md.storage permissions is used for storing the SQLite db. Ref: https://github.com/tuhinpal/cash_compass/blob/main/lib/helpers/db.dartIzzySoft
commented
5 months ago Actual image url you can get from readme.md.
Unfortunately not. I tried that and it resulted in a 0 byte file with wget, and an empty page when pasting the link into the browser's address bar. Same for the screenshots.
Oof. Just tried again to make a screenshot, and now it works? What crazy stuff is that? Second time now. Seems it needs multiple tries. Now wget can retrieve it, too. Very strange… OK, will update the graphics now with proper ones. (Done)
storage permissions is used for storing the SQLite db
Where do you store that that you need storage permissions for that? Usually this database goes into the app's "private storage" (app data) and thus does not need storage permissions.
tuhinpal
commented
5 months ago You are right. Actually I made the project 8 months back and didn't touch it. I am not sure why i added the permissions, maybe because of export and import feature.
IzzySoft
commented
5 months ago Thanks a lot! Then all should look fine with the next release. Shall we wait for that to confirm, and close this issue then?
Thanks for making your app freely available under a FOSS license! Could you please also sign the APK using a release key? Currently, it's signed by a debug key:
For technical background, see e.g.
While on it, my scanner also reported:
This can easily be avoided:
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.
Thanks in advance!