Closed IzzySoft closed 4 weeks ago
@IzzySoft Thanks for notifying me.
Actually, I lost my old signing key.
A few months ago, I switched to my new laptop. I backed up everything, but when I checked for the old keys yesterday, I couldn't find them anywhere. I had already erased my old laptop, so I created a new signing key.
Sounds true – but how can we prove that, and rule out a "hostile takeover"? See: How to keep your key safe and what measures to take for the event of loss?
And btw, it would be good to mention the fact of key change in the release notes, so less tech-savvy people don't despair when they fail to update and know they have to uninstall first. Also, if there's a migration path to export/import settings and data, you could name that.
@IzzySoft I replied to your email to confirm it's me.
> I replied to your email to confirm it's me.
Thanks a lot! I can confirm having received your reply (which with Gmail isn't always sure, as pointed out above). So we can consider it "verified" now and I'll initiate the "roll-over":
I didn't know about commit signing, but I will try it next time.
Thanks! I have set up an alias with my local Git to ensure each of my commits is signed unless I explicitly say not to sign. That way I cannot forget. Might be an idea you wish to adopt: git config --global alias.ci commit -S
:wink:
I also updated the release notes about the key change.
Thanks a lot!
PS: Just manually triggered an update, and the scanner yields:
! repo/com.vishal2376.snaptick_9.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
Easy to avoid by adding a few lines to your build.gradle for the next releases:

    android {
        dependenciesInfo {
            // Disables dependency metadata when building APKs.
            includeInApk = false
            // Disables dependency metadata when building Android App Bundles.
            includeInBundle = false
        }
    }
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.
Last question: are your other apps affected as well?
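For readers who want to reproduce the check the scanner ran above, here is an added example (not IzzyOnDroid's scanner and not part of this thread) that locates the APK Signing Block in an APK and lists the IDs of the blobs it contains, flagging 0x504b4453 (DEPENDENCY_INFO_BLOCK). The APK Signing Block sits directly before the ZIP central directory and ends with a size field plus the 16-byte magic `APK Sig Block 42`; the block IDs, helper names and the synthetic ZIP-shaped sample built by `build_fake_apk` are assumptions/constructed test data, not a real signed APK.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453   # block ID reported by the scanner output above
V2_SIGNATURE_BLOCK_ID = 0x7109871A      # APK Signature Scheme v2 block ID (used only as a label here)


def build_apk_signing_block(pairs):
    """Serialize (block_id, value) pairs into an APK Signing Block container.

    Constructed test data: the values are opaque placeholders, no signing happens.
    Layout: size(u64) | pairs | size(u64) | magic(16). The size excludes the leading size field.
    """
    body = b"".join(struct.pack("<QI", 4 + len(value), block_id) + value for block_id, value in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def build_fake_apk(pairs=None):
    """Build a minimal ZIP-shaped byte string (constructed, not a valid APK).

    When pairs is None no signing block is inserted, mimicking a v1-only or unsigned APK.
    """
    local_entries = b"PK\x03\x04" + b"\x00" * 26 + b"stub"   # placeholder local file header
    sig_block = build_apk_signing_block(pairs) if pairs is not None else b""
    central_dir = b"PK\x01\x02" + b"\x00" * 42                 # placeholder central directory record
    cd_offset = len(local_entries) + len(sig_block)
    # EOCD: disk, cd_disk, entries_on_disk, total_entries, cd_size, cd_offset, comment_len
    eocd = EOCD_SIGNATURE + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central_dir), cd_offset, 0)
    return local_entries + sig_block + central_dir + eocd


def list_signing_block_ids(apk_bytes):
    """Return the block IDs found in the APK Signing Block, or [] if the APK has none."""
    eocd = apk_bytes.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    cd_offset = struct.unpack_from("<I", apk_bytes, eocd + 16)[0]
    # The 24 bytes before the central directory are: size(u64) + magic(16)
    if cd_offset < 24 or apk_bytes[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", apk_bytes, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", apk_bytes, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    ids, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        length, block_id = struct.unpack_from("<QI", apk_bytes, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair in APK Signing Block")
        ids.append(block_id)
        pos += 8 + length
    return ids


def has_dependency_info_block(apk_bytes):
    """True if the opaque Google-encrypted dependency metadata blob is present."""
    return DEPENDENCY_INFO_BLOCK_ID in list_signing_block_ids(apk_bytes)


if __name__ == "__main__":
    sample = build_fake_apk([(V2_SIGNATURE_BLOCK_ID, b"v2-placeholder"),
                             (DEPENDENCY_INFO_BLOCK_ID, b"opaque-blob")])
    for block_id in list_signing_block_ids(sample):
        flag = " <- DEPENDENCY_INFO_BLOCK" if block_id == DEPENDENCY_INFO_BLOCK_ID else ""
        print(f"signature block blob: 0x{block_id:08x}{flag}")
```

To run it against a real file, replace the constructed sample with `open("app.apk", "rb").read()`; an APK built with the `dependenciesInfo` settings above should list the v2/v3 signature block IDs but no 0x504b4453 entry.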
> Last question: are your other apps affected as well?
Yeah, I also lost my Git Coach App key. But I might not release any updates in the future (most probably). These are my apps on IzzyOnDroid.
You can remove Scroll Block as I am no longer the owner of this app, and also it contains many bugs.
> But I might not release any updates in the future (most probably).
OK, so we deal with that if/when the day comes.
> You can remove Scroll Block as I am no longer the owner of this app, and also it contains many bugs.
Do I read this correctly as "author requested to remove the app"? Then I'd of course comply :wink:
What happened to your signing key?
Until the previous release, you've used this:
Today's release has this one instead:
That means, direct updates won't be possible (as Android will not accept it) – and also that the APK was rejected by the updater at IzzyOnDroid. I cannot find a hint in the release notes either. As your commits are not signed, a key change might indicate a "hostile take-over" of your Github account – so rejecting the APK is a security measure.
Can you please help us solve this issue? Until then, updates for Snaptick have been disabled at IzzyOnDroid.
Thanks in advance!