Certificate issue #244
Comments
|
For reasons of compatibility between the very first versions of the application that were distributed within the national parks, and between the RC versions and the final versions, we use the same keystore. |
|
Oof. No offense meant, but that somehow reminds me of cars that come with a long pole attached to their fronts to keep them compatible with horse carts 🙊 But yes, I'm aware that switching signing keys (as well as changing package names) is nothing one should do lightly. But maybe we can find a workable solution to the problem.
Now, wouldn't that solve the issue? The update could be properly signed, and the suggestion include a hint to uninstall and reinstall (with proper data export/import where needed). The new versions can still share the same keystore, just the new one with release keys. If that for some reason beyond my understanding would not work (or not with a "hard cut"): what is affected is only the signing, right? So you could maybe have a separate APK signed with the debug key (as you have now), and the one signed with the release key named I cannot outline what I don't fully understand, not being an Android dev, but there's also a thing called "key rotation" (supported from Android 9 upwards) in signing scheme v3. Maybe one of those options can be applied? Please note that once the above linked issue has been completed in processing, apps using debug keys will no longer be allowed in my repo. So the ones remaining after the deadline (in March) will have to be removed. With apps which are still actively maintained (like yours) that would be really sad – so I hope we can find a way to keep Occtax in. |
|
Yes, sorry about that, |
|
Thanks, @sgrimault! Yes, I see the problem (and thanks to your details, now also understand it a lot better). As you're looking into it, I will definitely mark an exception for Occtax should the "deadline" arrive and you're not yet ready. I'm confident we'll find a solution there. I hope no park runs pre-Android-9 devices, so key rotation is an option. Though I've never seen a key rotation in practice (and thus have neither experience with it nor can provide help/details for it), it sounds like that would be the most transparent approach. |
|
Sorry to complain again, but the scanner in my repo just reported for today's update: Location permissions are clear by the app's purpose, so I just added them to your app's "allow list": android.permission.ACCESS_COARSE_LOCATION: needed to record the location of observance
android.permission.ACCESS_FINE_LOCATION: needed to record the location of observanceBut could you please clarify storage and especially Btw, that android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. |
|
Hello @IzzySoft, |
Thanks a lot!
Thanks! Can we go without the self-updater for the variant intended for my repo? Self-updaters are not in accordance with the inclusion criteria there (see IzzyOnDroid App Inclusion Criteria for details) as they bypass all checks performed in the repo (same with F-Droid.org by the way – though they rarely even notice the presence of a self-updater unless reported to them as they lack the proper scans). The relevant part of the inclusion criteria (wording is almost identical to F-Droid's):
An example for "explicit user consent", if you prefer that path (I'm aware that your app is a bit special in this concern, including instance version and app version needing to match each other, so I'll give you that option right ahead and not keep it back as "last resort" as I'd usually do):
First screen is before the update check itself is enabled. Who declines there won't see the second one ever as no checks means no updates found. Second screen is when the check was enabled and an update was found. Screenshots are from the RiMusic app if you wonder. Your phrasing will most likely differ, concerning "instance specialties". But if you could at least ask the consent, it would be much appreciated. |
|
In this case, we could consider the following approach, using Android flavors: |
This is the part where I miss some pieces. If there's a general "binding" between app version and instance, does this make sense? For whom would this build be useful?
That would depend. If both share the very same |
|
The idea I've come up with is to have two distinct build phases, one dedicated to deploying the application via GeoNature, the second via F-Droid. Actually, the application relies heavily on the APIs exposed by GeoNature, and since GeoNature is also evolving on its side, it's possible that a slightly older version will be deployed. So we're going to make available a version of the application that's not necessarily up to date, but compatible with this instance of GeoNature. Hence a deployment controlled by GeoNature. What's currently missing is a mapping table between compatible versions of GeoNature and versions of the application. This will enable the application to notify the user if it is configured with an instance of GeoNature that is too old. |
|
So the basic problem exists already now: if a newer version is available via my repo, the F-Droid client will offer the upgrade. The app itself cannot control that and intervene.
This means there's a message from the server to the app saying when and what version is available for update? My repo currently keeps the latest 3 versions. Would that match the needs? Or might there even older versions be required? If so, maybe the opt-in self-updater would make more sense as with that it's possible to choose which update strategy should be followed. |
|
On start-up, the application can perform a few small operations if it has network access:
It is up to the administrator of the GeoNature instance to provide a more recent version of the application. There's no way of knowing how national parks configure their GeoNature instances. Generally speaking, we always push for the most recent versions. But nothing is guaranteed! What do you mean by "opt-in self-updater" ? Something like that ? Somewhere, this is already the case. Once the application has done its startup check and detected a new version, it simply notifies the user that a new version is available. It's up to the user to perform the update at any time. |
|
I'm inclined to say your app is a very specific use-case, and we should keep things simple. So as long as it's clear to users where those updates are coming from when they're announced, and they are free to choose to accept them or rather update via their F-Droid client, that should be fine. I don't want to put too much burden onto your shoulders for this – it's not that there is much choice. And two different versions here would just cause confusion and add complications. What do you think? That a way we can go?
That's a little different if I understand it correctly. It would be bound to PlayStore and just trigger updates from there. Depending on how far back you'd need to go, that might not be working with my repo, as I only keep up to 3 versions here. With your app currently being around 7 MB per APK, I could of course add an exception and keep 4. If your self-updater uses my repo as source, all checks would be applied so there cannot be any objections from my end.
I'd count that as opt-in then. Remaining question then would just be where the update is taken from. The notification is sent by the instance, so the part of "checking a potentially non-free source" is not there. So how would the install process be then? I get a notification from the instance, and then look where? Download from inside the app and self-install (which would need that permission) – or check the app manager of my choice (the F-Droid app, or some other app store) to install the version the notification recommended? |
|
No, the application currently relies on the Geonature instance to which it points. If we don't distinguish between the current version of the application (managed by GeoNature) and the one coming from F-Droid, we must :
In this way, the application can be updated transparently, either from GeoNature (if the version on GeoNature is more recent) or from F-Droid (if the version on F-Droid is more recent). |
|
And with the new version becoming available in my repo within 24h of your making it available here, it won't be "older" in my repo – just the same or newer than what the instance offers. OK, got it. So what do you propose how we shall proceed here? I'm open to compromises, but debug builds would be a bit critical. Having a releasekey-signed APK here with the same |
|
So what did we decide on now, @sgrimault? End of the month I wanted to have that issue closed. |
|
Hello @IzzySoft , I suggest you to start with the simple solution of combining the two certificates (the current one, shared between the different versions of the application, and the new one, which will meet the F-DRoid requirements). |
How would I do that? Are you planning to dual-sign? I know there can be multiple signatures on a single APK file, but I've never seen such an APK – nor do I know how fdroidserver would handle that. I can give that a try if you have such an APK of course. And then sit in the conflict how I should deal with the mix of a "release signature" and a "debug signature" on the same APK file 🙈 Thanks for the offer of the "unofficial" version – but I unfortunately won't find time for testing (drowning in multiple other tasks currently).
Thanks for letting me know! So what will 2.7.0 then be signed with? Do you plan switching certs for that? |
|
It's the simplest solution I can implement quickly, and we can also test it to see if combining the two certificates works. If the two-certificate approach works, then future version 2.7.0 will carry the current certificate plus the new one, and subsequent versions can then do without the current certificate (replaced by the new one). The only constraint is that this approach only works on Android 9-based terminals. |
|
Hello @IzzySoft, So I did a few tests by signing the APK with the current certificate and then making a "new version" that uses the new certificate (with key rotation) and then successfully updated the currently installed application: creating rotation lineage file: apksigner rotate --out SigningCertificateLineage.debug.release --old-signer --ks debug.keystore --new-signer --ks release.keystoresigning APK with rotation data: apksigner sign --ks debug.keystore --next-signer --ks release.keystore --lineage SigningCertificateLineage.debug.release --in occtax-2.7.0-rc8-generic-debug.apk --out occtax-2.7.0-rc8-generic-debug.rotate.apkThe following APK with new certificat with rotation data: |
|
Sounds good! I took a look at the APK, but it shows only a single signer and has the debug flag active. Do you want to provide me a release APK with key rotation active, so I add that to the repo and we can see if a) it's accepted by fdroidserver and b) by fdroidclient, so c) it can be updated to via fdroid? (apologies for my delayed answer, I had a short "vacation break") |
|
Yes, no worries :) The "rc" version I provided you with contains the elements for debugging, but not the "release" version. After checking we can see that v3 scheme is being used: $ apksigner verify -v ../occtax-2.7.0-rc8-generic-release.rotate.apk
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1 |
|
OK, you're using a newer version of Some notes:
so adding this APK to my repo should work straight away, but I'm not sure if the APK would install over an existing older one. Android should accept it I guess, but fdroidclient might not offer to:
Going by that graph, it would only check using v3 and thus think the signature does not match. But we can give it a try if you wish. So if you want to, here's what we could try:
Depending on where we end up, we'd decide how to continue. If all works well I'd suggest keeping this configuration for a month or so (if possible), then drop the old key and play the game again. If that works out fine as well, I'd remove the old key (and any APKs left signed with only that) on my end, and we call our case closed successful. Waiting for your signal before doing anything here. But looking forward to the experiment eagerly 🤪 |
|
yes, I've done a few tests and the update goes smoothly from a previous version to the new one signed with the new certificate. |
|
Yupp, that matches what I thought. Shall I take that rc8 APK from above, or is there a "final release" one coming? |
|
I'd rather wait a little longer and get an official "GO" from the national parks. There are still some small issues to be addressed for the future 2.7. |
|
Just give me a ping when ready. I somehow got eager to see how fdroidserver (and client) handle that 😜 |
|
Did the rangers report back meanwhile? 😉 |
|
I've released version 2.7.0-rc8 which contains the latest corrections based on feedback. I'm waiting for new feedback on this version. |
From the parks, or from me? By the file name it's a debug build. Will that become a release build when ready? IIRC, the other ones (at least when not marked pre-release) were release builds. |
|
From the parks. |
A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!
The text was updated successfully, but these errors were encountered: