feat(android): assembleRelease + env-var signing config (#165) #185
No reviewers
Labels
No labels
bug
documentation
duplicate
e-copy
e-features
e-mobile
enhancement
f-coverage
f-forensic
f-perf
f-privacy
forensic
good first issue
help wanted
infra
invalid
phase-a
phase-b
phase-c
phase-d
phase-e
phase-f
phase-g
phase-h
priority-1
priority-2
priority-3
privacy
question
v5
v6
video-hardening
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: forgejo_admin/exifcleaner-web#185
Loading…
Add table
Reference in a new issue
No description provided.
Delete branch "fix/165-apk-release-signing"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Closes #165.
Summary
Local-only Android release signing, env-var driven, no keystore artifact in the repo. The maintainer keeps the
.jkson their machine (option-2 from the issue's Phase 0 table); the CI age-encrypted-in-repo variant is deferred to a follow-up.android/app/build.gradle—signingConfigs.releasereads four env vars; v1+v2+v3 enabled explicitly. When env vars are absent,assembleReleasedeliberately producesapp-release-unsigned.apk(the artifact F-Droid's build server expects). No regression on the debug path.scripts/build-apk-local.sh --release— auto-sources.envat repo root, validates all four env vars + that the keystore is readable, bind-mounts the.jksread-only at/keystore/release.jks(outside/workspace, so it cannot leak into git status, gradle output, orcap sync), runsassembleRelease. Refuses to fall back to unsigned — silent fallback would let users ship an APK that fails update-install checks on user devices without ever noticing during the build..env.sample— committed template;cp .env.sample .envis the maintainer's entry point..envis already gitignored.docs/android-signing.md(new) — keystore generation ceremony, threat model (leak vs. loss), recommended parameters (RSA 4096,-validity 36500, two distinct strong passwords), three-place offline backup checklist, SHA-256 fingerprint slot, rotation procedure, and explicit "Future work" deferring CI age-decrypt.docs/android-apk.md—## Signed release APKpromoted to a peer of## Local Docker build. CI signing note updated to point at the new section.Verification
End-to-end locally with a throwaway test keystore (generated in
/tmp/, shredded after — not the project's identity keystore):Validation behaviour:
Out of scope (follow-up)
docs/android-signing.md§ Future work. Per the issue, this PR keeps release builds deliberately manual.keytool -genkeyceremony — maintainer runs that on their own machine once offline backups are staged. The code here is ready for it.Test plan
./scripts/build-apk-local.sh(no flag) still producesapp-debug.apk— verified./scripts/build-apk-local.sh --releasewith the four env vars produces a signed APK — verifiedapksigner verifyreports v1+v2+v3 valid — verified.jks/.keystoreleft in the worktree after testing — verified37e40b3c60to098885d23bCode review
No issues found. Checked for bugs and CLAUDE.md compliance.
🤖 Generated with Claude Code
- If this code review was useful, please react with 👍. Otherwise, react with 👎.