
Please sign APK using a release key #6

Closed
IzzySoft opened this issue Apr 13, 2024 · 2 comments · Fixed by #7

Comments

@IzzySoft

The APK attached at releases here currently is signed using a debug key:

Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: 51f3fc3c005e7f21a70112986b6e5b08426b2aacb5f0f1e18282cbdf059a6a12
Signer #1 certificate SHA-1 digest: ba971b989816336b5100b5f0ed401e190820f383
Signer #1 certificate MD5 digest: d614074827dad7eaa08c9583b6c8214b
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

Could you please sign it with a proper release key? And while on it:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

This can easily be avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!
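The blob listing above comes from apksigner; for a repository or CI check that does not want to shell out to the Android SDK, here is an added example (my code, not from this issue or the project) that parses the APK Signing Block directly and returns the IDs of its ID-value pairs, so a 0x504b4453 DEPENDENCY_INFO_BLOCK or a missing v2/v3 block can be flagged before an APK is published. The sample APK bytes are constructed inline; the helper that splices in a dummy block reproduces only the block layout apksigner writes, not real signing.

```python
import io, struct, zipfile

MAGIC = b"APK Sig Block 42"
# IDs apksigner names in its "SigningBlock blobs" listing.
KNOWN_BLOCK_IDS = {0x7109871A: "APK Signature Scheme v2", 0xF05368C0: "APK Signature Scheme v3",
                   0x1B93AD61: "APK Signature Scheme v3.1", 0x42726577: "verity padding",
                   0x504B4453: "DEPENDENCY_INFO_BLOCK (Google-encrypted dependency metadata)"}

def find_eocd(data: bytes) -> int:
    """Offset of the End of Central Directory record (searched backwards; a zip comment may follow it)."""
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - 65557))
    if idx < 0:
        raise ValueError("not a zip: EOCD record not found")
    return idx

def signing_block_ids(data: bytes) -> list:
    """IDs of every pair in the APK Signing Block, in file order; [] if the APK has none.
    Layout (little-endian): uint64 size | pairs (uint64 len, uint32 id, value) | uint64 size | 16-byte magic."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]  # central directory follows the block
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != MAGIC:
        return []  # v1-only signed or unsigned APK
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - size - 8  # the leading size field is not counted in `size`
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    pos, end, ids = start + 8, cd_offset - 24, []
    while pos < end:
        pair_len, block_id = struct.unpack_from("<QI", data, pos)
        ids.append(block_id)
        pos += 8 + pair_len  # pair_len covers the 4-byte id plus the value
    return ids

def insert_signing_block(zip_bytes: bytes, pairs: dict) -> bytes:
    """Test helper (constructed): splice a block in front of the central directory and patch the
    EOCD's CD offset, where apksigner puts it. Values are dummies, not real signatures."""
    eocd = find_eocd(zip_bytes)
    cd_offset = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(body) + 8 + 16
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC
    eocd_rec = bytearray(zip_bytes[eocd:])
    struct.pack_into("<I", eocd_rec, 16, cd_offset + len(block))
    return zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:eocd] + bytes(eocd_rec)

def sample_zip() -> bytes:  # constructed stand-in for an unsigned APK: a one-entry zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
    return buf.getvalue()
```

On a real APK, call `signing_block_ids(open(path, "rb").read())` and look up each ID in `KNOWN_BLOCK_IDS`; an unknown ID is worth reporting too.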

@enm10k enm10k linked a pull request Apr 14, 2024 that will close this issue
@enm10k enm10k closed this as completed in #7 Apr 14, 2024
@enm10k
Owner

enm10k commented Apr 14, 2024

Thanks for letting me know.
It has been addressed in #7.

$ apksigner verify --print-certs -v app-release.apk      
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=enm10k, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signer #1 certificate SHA-256 digest: 54223cbb6ff67601183470b8617d50c35bd16c07ce7519eeccddeae27caf9a06
Signer #1 certificate SHA-1 digest: a493eee9c0ba87d64bd5aeed469b98f0b89c8e14
Signer #1 certificate MD5 digest: f2a464e3b796d0eeb9ecc27ba9727ba7
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 6c2211bff0a6339ae4725b9f46859a0452d365c835af0c157e328ec625a72371
Signer #1 public key SHA-1 digest: fa8f3fa971c4b6ba27c68f4856610a9baf5d4f08
Signer #1 public key MD5 digest: 707ee0b9d1e447a5694d20a89f099d9d
WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.activity_activity.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
WARNING: META-INF/androidx.annotation_annotation-experimental.version not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
...

@IzzySoft
Author

Thanks, confirmed! And for your testers:


becomes available here with the next sync around 6 pm UTC, so it can be installed (and kept updated) with any F-Droid client.

If you have a proper icon to be used (currently, I only found the default Flutter icon in the repo here), please let me know and I'll add that. I can also send you the metadata (description etc.) set up in the IoD repo using fastlane structures, as a PR, so you can control how your app is presented (be welcome to use my Fastlane Cheat Sheet for orientation).

Hope you like this – and welcome aboard the IzzyOnDroid repo 😃
