Certificate issue #2

Open
IzzySoft opened this issue Feb 8, 2024 · 2 comments
IzzySoft commented Feb 8, 2024

It seems your APKs are signed using a debug key:

Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: 8548d99020461707d4c02d76aeca75790439000f8711496670a08198ffe6a9ff
Signer #1 certificate SHA-1 digest: 617b7e64f6c98efde53d53634b4b4073ceb1e279
Signer #1 certificate MD5 digest: bc3085314b7c2d31a85be556eb714dc4
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

Would it be possible to use a proper release key instead? Further:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

can be easily avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

@gauravssnl
Owner

@IzzySoft I have signed my app using a debug key as I am not planning to release this on the Play Store anytime. Another reason for using a debug key is that it makes app upgrades easier and I don't need to maintain / store any private key. If anyone needs to sign the app, they can easily build and sign the APK themselves as the source code is available.

Let me know if you have any issues.

@IzzySoft
Author

Thanks for your answer, @gauravssnl! But apps signed using debug keys are no longer allowed in my repo, where I was about to include your app. For background, please see e.g.

> If anyone needs to sign the app, they can easily build and sign the APK themselves as the source code is available.

Don't forget that not each and every human is an Android developer (while hopefully all developers are humans). So no: I couldn't even build an app.
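The two findings raised in this thread can be checked automatically before an APK is accepted into a repository. The following is an added example, not code from the issue or from either participant: it walks the APK Signing Block to list its block IDs and flags a signer DN containing `CN=Android Debug`. The function names and the sample input are constructed for illustration, and the certificate text is assumed to be in the format quoted in the first comment.

```python
import struct

APK_SIG_MAGIC = b"APK Sig Block 42"
DEPENDENCY_INFO_BLOCK = 0x504B4453  # ID reported in the issue
SIGNATURE_V2 = 0x7109871A           # APK Signature Scheme v2 block ID

def signing_block_ids(apk: bytes) -> list[int]:
    """IDs of the ID-value pairs in the APK Signing Block ([] if none)."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP End of Central Directory record
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("not a ZIP archive")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != APK_SIG_MAGIC:
        return []  # no signing block directly before the central directory
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8  # offset of the leading size field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent signing block size")
    ids, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        (length,) = struct.unpack_from("<Q", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        ids.append(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + length
    return ids

def is_debug_cert(certs_output: str) -> bool:
    """True if any signer DN line carries CN=Android Debug."""
    dns = [l.split("DN:", 1)[1] for l in certs_output.splitlines() if "certificate DN:" in l]
    return any("CN=Android Debug" in [p.strip() for p in dn.split(",")] for dn in dns)

def audit(apk: bytes, certs_output: str) -> list[str]:
    findings = ["debug-signed"] if is_debug_cert(certs_output) else []
    if DEPENDENCY_INFO_BLOCK in signing_block_ids(apk):
        findings.append("DEPENDENCY_INFO_BLOCK present")
    return findings

def make_sample(pairs) -> bytes:
    """Constructed input: empty ZIP preceded by a signing block with `pairs`."""
    body = b"".join(struct.pack("<QI", len(v) + 4, i) + v for i, v in pairs)
    size = len(body) + 24  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_MAGIC
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 0, 0, 0, len(block), 0)
    return block + eocd

SAMPLE_CERTS = "Signer #1 certificate DN: C=US, O=Android, CN=Android Debug"
SAMPLE_APK = make_sample([(SIGNATURE_V2, b"\x00" * 8), (DEPENDENCY_INFO_BLOCK, b"\x01" * 5)])
print(audit(SAMPLE_APK, SAMPLE_CERTS))
```

The DN match is a heuristic based on the default debug keystore's subject; a certificate digest check against a known debug key is stricter where one is available.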
