Certificate issue

[IzzySoft]

A scan (see here for details and background) just revealed the APKs at your releases are signed using a debug key. As that has security implications, may I ask you to please switch to a proper release key, and provide the corresponding APK signed with it? Thanks in advance!

[youndon]

Check it out my last release if made it right about signed debug, because I don't remember that I did setting release configurations, And I don't know why exactly this issue happened?
Sorry about late answer.

[IzzySoft]

Check it out my last release if made it right about signed debug

That's still a debug build using a debug key.

because I don't remember that I did setting release configurations

Which is exactly the issue I'm reporting here 😉 You should have 😉 You were always using a debug key for signing. It just occurred to me know when I explicitly looked for it.

• Why debug certificate is not safe to sign android APKs?
• issues when using local debug keystore

Sorry about late answer.

Better late then never 🙈 We all have a live beyond our hobbies, so all fine, thanks!

[youndon]

I usually deleted META-INF resources from my application source if I guessed that's the problem was.
About local debug keystore I don't have any.
Also if this edit didn't help I will reoptimize my entire project.

[IzzySoft]

It's still signed with a debug key:

package: name='city.zouitel.jetnote' versionCode='412' versionName='4.1.2' platformBuildVersionName='14' platformBuildVersionCode='34' compileSdkVersion='34' compileSdkVersionCodename='14'
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: e8e6bf4824b637b9e18862762e776ff817b0885735f6980cce3bb9260a1738c8
Signer #1 certificate SHA-1 digest: 2f162e72a80f1aa0439e43e011a24e84b69712fb
Signer #1 certificate MD5 digest: 52a82c361f0f538745e377681f809c1e
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 3d4ab459b54e7d02eff4e6f5c9a203dc2dce30edab198f5ef4d9a7a594d72827
Signer #1 public key SHA-1 digest: 2db7077751f522e4fccbcda38d6d082db6bb4bd7
Signer #1 public key MD5 digest: 7e92de5a9c4ac975b2b568cbaf6d2f9e

Note the O=Android, CN=Android Debug – or did you intentionally use that as DN for your release key? If so, that's a real bad idea as it might trigger other scanners as well and only cause headaches. And it also has debugging set explicitly:

<application android:theme="@7F14026B" android:label="JetNote" android:icon="@7F100000" android:name="city.zouitel.jetnote.NoteApplication" android:debuggable="true" android:allowBackup="false" …

Note the android:debuggable="true".

I don't know what you use for signing, but maybe these few links can help you:

• android-generate-keystores.md
• Sign your app | Android Studio (you'll need the "app signing key" here, not the upload one for PlayStore).

[youndon]

Ok, I see that because my custom configuration of the version catalog, if I guess that right it could be the unsupported naming of those configures, And that's what I changed in my last release.
Or because of the custom configures itself, So may I need to wipe it at once as last option.

[IzzySoft]

I don't know what configuration you mean, but it's not about the code in the repo here – but about how you sign the APK once it's built. What do you use for that? Android Studio? Or something else? I'm not an Android dev myself, so I can just give some hints here but cannot help with the real process, sorry.

[youndon]

I supposed restored default settings of my android studio, So hint my if everything is okay.

[IzzySoft]

It clearly says "debug" there in the file name. You need to create a signed release, not a debug build. Sorry, but I'm not an Android dev, so I cannot tell you the steps needed. But a quick search on the net brings this as first result: Build your app for release to users | Android Studio and How to build and find a release APK or Bundle in Android ... as second. Third result is a step-by-step guide with annotated screenshots, here. Maybe one of those can help you?

[IzzySoft]

So do we have a chance here? Thanks for all your efforts so far, but if there's no release-key signed APK I'll have to unlist the app from the repo.

[youndon]

Hi Izzy check it out my last release, I suppose there is change.

[IzzySoft]

Not really:

package: name='city.zouitel.jetnote' versionCode='501' versionName='5.0.1' platformBuildVersionName='14' platformBuildVersionCode='34' compileSdkVersion='34' compileSdkVersionCodename='14'
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: e8e6bf4824b637b9e18862762e776ff817b0885735f6980cce3bb9260a1738c8
Signer #1 certificate SHA-1 digest: 2f162e72a80f1aa0439e43e011a24e84b69712fb
Signer #1 certificate MD5 digest: 52a82c361f0f538745e377681f809c1e
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

It's still the same debug key as last time that was used for signing. Did you try the advice from the tutorials I've linked above? Further, my scanner reports:

! repo/city.zouitel.jetnote_501.apk declares sensitive permission(s):
  android.permission.CAMERA android.permission.RECORD_AUDIO
  android.permission.READ_EXTERNAL_STORAGE android.permission.READ_MEDIA_AUDIO
! repo/city.zouitel.jetnote_501.apk contains signature block blobs: 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

Camera is described as being used to include images with the notes. What for are the other permissions needed? As for DEPENDENCY_INFO_BLOCK, this is easily avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

[youndon]

I don't know why or how but I know where this problem began, It's began when I updated the AGP from 7.x to 8.x.
In fact I can make a unsinging release but it wot be able to run it in my android studio or even run the apk file.
I'll keep trying to find any solution, an till then I will upload a debuggable releases (as indispensable option).
thank you for understanding.

[IzzySoft]

You can try the unsigned APK, and sign it e.g. using apksigner – outside Studio. Have you tried that?

[IzzySoft]

@youndon end of this month, remaining "debug APKs" will be removed from my repo. So had you a chance to try signing with apksigner? I just tried it with your latest APK (replaced your signature in the process), and it worked fine. Installed the resulting APK to my test device without any issues, starts fine there.

So will you give that a try before I have to remove your app from my repo? I'd really like to keep it there.

[youndon]

Sorry for ignore your last comment I don't open my studio this days, And Yes actually I will use this tool you mentioned to me, Just wait for me two more days.

[IzzySoft]

I did wait, but can't any longer. So very last call now: can you get it fixed this weekend? Else I'll have to remove the app on Sunday, and we have to bring it back when you're ready.

[IzzySoft]

Well, unfortunately time's up now. Yours was the last app remaining, it will now be removed from the IzzyOnDroid repo. Be welcome to apply for "revival" once you have the APKs signed with a proper release key.

No bad feelings, no personal grudge – this is a simple technical necessity.