Comments (11)
Hi @IzzySoft I created this pre-release which I believe now has the right certificate, is there a way to validate it or should I just release it?
https://github.com/KoalaSat/nostros/releases/tag/v0.3.3.3-beta
from nostros.
Thanks a lot! Perms updated here with description. Looking forward to the "blob-free release" then π
I'm creating the commit now π I checked again VT and now it seems to be just 1 warning, I'll check it anyways
from nostros.
There're quite often 1 or 2 engines reporting "something" lately it seems. Usually it's minor engines. And I wish there would be a link to information of what they think they found⦠But yeah, can't hurt looking, thanks for the efforts!
from nostros.
@KoalaSat any chance you'll address this? Next round in about a week will remove the apps where there was no response.
from nostros.
@IzzySoft sorry for the late reply,do you know if this is something that suddenly happened? or was it always like that?
from nostros.
@KoalaSat It probably was that way for quite a while now. I've introduced certificate pinning about a year ago β so around the time Nostros was added to my repo. Which means it was always the same key/certificate since then, as if there was a certificate change that would have popped up earlier. This is what the signing details look like:
package: name='com.nostros' versionCode='78003' versionName='v0.3.3.2-beta' platformBuildVersionName='13' platformBuildVersionCode='33' compileSdkVersion='33' compileSdkVersionCodename='13'
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=Android Debug, OU=Android, O=Unknown, L=Unknown, ST=Unknown, C=US
Signer #1 certificate SHA-256 digest: fac61745dc0903786fb9ede62a962b399f7348f0bb6f899b8332667591033b9c
Signer #1 certificate SHA-1 digest: 5e8f16062ea3cd2c4a0d547876baa6f38cabf625
Signer #1 certificate MD5 digest: 20f46148b72d8e5e5ca23d37a4f41490
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 06104aa0b28fac286bae06b08313ac69c37c35a6462853db32d2ec5fa7b1ed0e
Signer #1 public key SHA-1 digest: 88325602a013a12d5ac13516c609aa57ce9e2234
Signer #1 public key MD5 digest: 49921988ad9941656cd9b95203196f17
The DN marks it as debug certificate (that's what debug certificates use).
from nostros.
LGTM:
package: name='com.nostros' versionCode='79003' versionName='v0.3.3.3-beta' platformBuildVersionName='13' platformBuildVersionCode='33' compileSdkVersion='33' compileSdkVersionCodename='13'
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: O=Nostros, CN=Nostros
Signer #1 certificate SHA-256 digest: 949348dc252058d67fae27d7d31f1f21a23d846906d25c8b4c16e51d691e15d7
Signer #1 certificate SHA-1 digest: ae347cad3b893168f3e3766aa7b7ea91ce1f52ed
Signer #1 certificate MD5 digest: ce08fa796b38623a83d07bab2bad0b45
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: abb09b8aa163fbb3a1c2e6a591bc06e227535a1357676322d8e73076660440b5
Signer #1 public key SHA-1 digest: 0aea03c87eeccb61eb34dc6ae34c444f4f28489e
Signer #1 public key MD5 digest: 08279d6e3531abf95e54e762099662a6
Thanks, good to go I'd say! I'll then put a release note here in the local fastlane on my repo that folks need to uninstall and reinstall to switch to the new line. I've already added the new certificate to the AllowedAPKSigningKeys
for Nostros, so the update won't be rejected when it comes in. Will leave the old one up for a week or two before removing it, giving people time to check and switch.
That fine with you? Then I'd say make it a release and let me know, so I toggle my updater and put everything in place here.
from nostros.
Sounds good @IzzySoft thanks for the support!!
from nostros.
OK, done then. Scanner reports on update:
! repo/com.nostros_79003.apk declares sensitive permission(s):
android.permission.READ_EXTERNAL_STORAGE
! repo/com.nostros_79003.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
Can you please clarify what the read/write storage is needed for, so I can add the permission to the "allow list"? As for DEPENDENCY_INFO_BLOCK
, that can easily be avoided:
android {
dependenciesInfo {
// Disables dependency metadata when building APKs.
includeInApk = false
// Disables dependency metadata when building Android App Bundles.
includeInBundle = false
}
}
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it β and nobody else can even verify what it really contains.
Oh, and something-something at VT complained, just to let you know. Two minor engines, most likely false positives.
from nostros.
OK, done then. Scanner reports on update:
! repo/com.nostros_79003.apk declares sensitive permission(s): android.permission.READ_EXTERNAL_STORAGE ! repo/com.nostros_79003.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
Can you please clarify what the read/write storage is needed for, so I can add the permission to the "allow list"? As for
DEPENDENCY_INFO_BLOCK
, that can easily be avoided:android { dependenciesInfo { // Disables dependency metadata when building APKs. includeInApk = false // Disables dependency metadata when building Android App Bundles. includeInBundle = false } }
For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it β and nobody else can even verify what it really contains.
Oh, and something-something at VT complained, just to let you know. Two minor engines, most likely false positives.
Nostros not only downloads the notes in memory but also to an internal DB. There is a feature where the user can export in a JSON file all his historic. I have also a plan to implement an import action.
I'll check DEPENDENCY_INFO_BLOCK
, thanks for the hints!
That thing on VT was weird I'll also investigate just in case π
from nostros.
Thanks a lot! Perms updated here with description. Looking forward to the "blob-free release" then π
from nostros.
Related Issues (20)
- copy text in posts (feature req.) HOT 7
- Copy npup or nevent in Direct Message doesn't work
- Since the image has already been displayed, why should the link to the image be displayed again in text? HOT 2
- unable to view invoices HOT 5
- Label/Aliases for npubs with no set name HOT 3
- feature req. remove the anti-functions in izzyondroid HOT 4
- Support nip 46 Nostr Connect HOT 2
- IzzyOnDroid incomplete HOT 28
- IzzyOnDroid incomplete
- Nostros pasted from your clipboard HOT 2
- Include open source video player HOT 6
- Include open source QR reader HOT 8
- Android navigation bar HOT 3
- question on libraries used HOT 5
- Issues loading timelines and posting notes HOT 3
- App crash in DM section HOT 2
- Add nostros to standard F-Droid repo
- Lost my followers and contacts HOT 5
- Accessibility: unlabeled buttons with talkback
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nostros.