Certificate issue #51

Open
IzzySoft opened this issue Feb 5, 2024 · 3 comments
Comments

@IzzySoft

IzzySoft commented Feb 5, 2024

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!

@IzzySoft
Author

@ErfanRht yesterday's update still comes signed with a debug key. Additionally, my scanner reported the declaration of some sensitive permissions for which it is not 100% clear why they are needed:

- android.permission.RECORD_AUDIO
- android.permission.READ_EXTERNAL_STORAGE

plus the presence of a BLOB in the signing block: DEPENDENCY_INFO_BLOCK. This latter one is easy to get rid of:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

@IzzySoft
Author

Houston, we've got another problem: you've done the unthinkable and DECREASED versionCode – so your shiny new version 3.0.1 will reach nobody (actually, it gets downloaded by my updater as the tag is newer, and then deleted as the versionCode is older than what's already in the repo):

package: name='com.example.movielab' versionCode='1' versionName='3.0.1'

Most likely location of the error is here:

version: 3.0.1

No versionCode specified to Flutter means using the default of 1. That error was introduced with this commit: 58a9847 almost 2 years ago, when the +2 versionCode suffix was removed instead of being increased.

I've disabled updates for your app in my repo for now. Can you please fix this and provide an updated APK either for 3.0.1 as replacement or via a newer tag/release, whichever seems more fitting for you?

PS: I still wonder why those updates from 9/2022 pop up right now – "yesterday's update" actually was quite a bit older but just was pulled in yesterday. But that's a different issue altogether. One important thing to point out is that apps using a debug key will be removed from my repo soon – unless they have switched to a proper release key for signing.
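As an added example (not code from the issue or from the project), a small Python check that derives versionName/versionCode from a pubspec.yaml `version:` line the way Flutter does, compares the result with the `aapt dump badging` line quoted above, and flags the missing `+N` suffix and the versionCode regression; the earlier pubspec value `3.0.0+2` and the published versionCode 2 are constructed assumptions.

```python
import re

# Flutter derives the Android versionName from the part of "version: X.Y.Z+N"
# in pubspec.yaml before "+", and versionCode from N; without "+N" it uses 1.
# (Plain X.Y.Z[+N] only; pre-release tags like 1.0.0-beta are not handled.)
PUBSPEC_VERSION_RE = re.compile(
    r"^\s*version:\s*([0-9]+(?:\.[0-9]+)*)(?:\+([0-9]+))?\s*$", re.MULTILINE)
# The "package:" line printed by `aapt dump badging` for the built APK.
BADGING_RE = re.compile(r"versionCode='(\d+)'\s+versionName='([^']*)'")

# Constructed samples: the earlier pubspec still carrying the "+2" suffix
# (assumed), the current pubspec line and the badging line from the issue.
PUBSPEC_BEFORE = "name: movielab\nversion: 3.0.0+2\n"   # constructed
PUBSPEC_NOW = "name: movielab\nversion: 3.0.1\n"
BADGING_NOW = ("package: name='com.example.movielab' "
               "versionCode='1' versionName='3.0.1'")


def parse_pubspec_version(pubspec_text):
    """Return (versionName, versionCode, suffix_given) as Flutter derives them."""
    m = PUBSPEC_VERSION_RE.search(pubspec_text)
    if not m:
        raise ValueError("no 'version:' entry in pubspec.yaml")
    version_name, suffix = m.group(1), m.group(2)
    return version_name, (int(suffix) if suffix else 1), suffix is not None


def parse_badging(line):
    """Return (versionName, versionCode) from an aapt 'package:' line."""
    m = BADGING_RE.search(line)
    if not m:
        raise ValueError("not an aapt badging package line")
    return m.group(2), int(m.group(1))


def check_release(pubspec_text, badging_line, published_version_code):
    """Return a list of findings; an empty list means the release is consistent."""
    name, code, suffix_given = parse_pubspec_version(pubspec_text)
    apk_name, apk_code = parse_badging(badging_line)
    findings = []
    if (name, code) != (apk_name, apk_code):
        findings.append("APK %s/%d does not match pubspec %s/%d"
                        % (apk_name, apk_code, name, code))
    if not suffix_given:
        findings.append("pubspec 'version:' has no +N suffix; versionCode falls back to 1")
    # Android, like a repo updater, only accepts an APK whose versionCode is
    # strictly higher than the one already installed or published.
    if apk_code <= published_version_code:
        findings.append("versionCode %d is not above published %d; update rejected"
                        % (apk_code, published_version_code))
    return findings
```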

@IzzySoft
Author

IzzySoft commented Mar 7, 2024

Well, no response at all, so there's no remedy. I'll hence remove the app from my repo now. Should you one day decide to address the issue and have properly signed & versioned APKs ready, feel welcome to give me a ping so I can see to re-establishing the listing. Thanks!
