signature issues about atmosweather HOT 12 CLOSED

I can confirm, @atticuscornett is who he says he is. He contacted me on another platform to inform me. He is the primary administrator of this repo.

from atmosweather.

I do not have a PGP key for commits at this time - may set one up in the near future. As for verifying my identity, @Djtpj is probably the most suitable person as he has contributed to this repo, I have worked with him on other another repo (mimacro), and I have numerous other lines of contact with him. If this works for you, I will ask him to confirm my identity on this strand.

Thanks for your patience with me - this is my first and only app I've ever done app signing for so I've got a lot to learn and this shouldn't happen again in the future. Happy holidays!

from atmosweather.

Thanks again for your patience!

from atmosweather.

My apologies - I added a warning to the website, but I forgot to add one to the release notes. To be honest, I am not entirely sure why the signature has changed - I believe it has to do with the migration from Cordova to CapacitorJS. I am using the same key file as previous versions and that is the only thing that has changed relating to Android building.

from atmosweather.

Funny. Then nothing should have changed. Can you test what happens if you sign an APK manually? And then maybe also list the keys in your keystore (not that Capacitor just created a new key)? I'm no Android dev and have no idea how Capacitor works, maybe you can configure that (first thing I'd look for is the "alias" defined for the key to use – especially if the keystore holds more than one key). It would be much preferable to stick with the original key, for obvious reasons.

from atmosweather.

I should clarify - I build the app manually using Android Studio. However, CapacitorJS uses ProGuard (and adds quite a few Gradle files) and I am unsure how that effects building the app. I will look at the keystore and double check that there aren't multiple keys in it.

from atmosweather.

After investigating further, it appears that the current version of Atmos Weather is using the correct keystore and the keystore only has one key. The keystore has not been modified since August of 2022 so nothing should have changed. I can only assume that I had somehow been signing with the incorrect keystore for all versions of Atmos before April. (This is made more confusing by the fact that I don't know what keystore I could have been using before, as the only other keystore on my computer was an incomplete test file with missing information from 2021.)

Also, I remembered that I had to uninstall and reinstall Android Studio a few weeks ago to get it to update properly, and that meant I had to reconfigure app signing. This is probably when the app signature changed.

TLDR: I had been using an unknown incorrect app signature for months and just fixed it with the latest releases. I do not know how I had been signing previously so I cannot revert to the old signature.

from atmosweather.

Oof. That makes it tricky. If I understand correctly, that "other" keystore is no longer available to you? For some background of my question, please see: How to keep your key safe and what measures to take for the event of loss?

from atmosweather.

That is correct, I can no longer access the other keystore - I had created it simply to learn how to make a keystore, and as such, took no precautions to backup the file or the keystore password. It was never supposed to be used for actual app signing. I do have backup copies and information for the correct keystore, but that is unfortunately of no help because it seems I have not been using it previously.

from atmosweather.

That's bad. Does any of the other verification methods work? You didn't sign your commits, so that's no option either. We didn't establish any separate secure communications channel either. That would leave a person we both know to trust confirming it's really you. No offense meant, but someone could have taken over your Github account and impersonate you.

Do you have a PGP/GPG key? Then I'd strongly recommend you at least start using it for signing your commits (or at least the releases) from know on. Is it signed by someone who could act as your "proof"? Even better then. If we have no way for verification, it becomes tricky…

We'll find a way. But for the next 5..6 days I won't be able to attend the issue as I'm "occupied otherwise". We'll see then in the last days of this year, starting around next Thursday.

from atmosweather.

First apologies for the delayed response, I was visiting family over the holidays…

For reference: this is the related chapter from the git book, explaining how to set up a key and signing. And yes, if @Djtpj could confirm, that would help.

Meanwhile, thanks for your wishes – and my wishes in return: may the coming year bring you lots of real good things and happenings!

from atmosweather.

Thanks @Djtpj – updates enabled again then and the new certificate hash white-listed. v2.0.0 should show up with the next sync around 7 pm UTC.

@atticuscornett you might wish to pick a badge to link to your app in my repo e.g. from your Readme then 😃

from atmosweather.