Update Android build #6103
Update Android build #6103
Conversation
kevlahnota
commented
Sep 8, 2024
•
kevlahnota
commented
- Java 11
- targetSDK 33
- add modded uber-apk-signer.jar for signing cert
|
Awesome! Some thoughts:
|
|
@kevlahnota would be nice if we could implement #4977 in this update |
Just push a new release / update the plugin https://github.com/Card-Forge/android-maven-plugin |
kevlahnota
changed the title
|
@kevlahnota for Signing, checkout ~~ https://github.com/MuntashirAkon/apksig-android ~~ |
kevlahnota
changed the title
Reverted to sdk 29, seems target sdk 33 and above somehow don't allow installation without proper signature/signing on latest android version (tested with android 14) |
From android sdk 30 and above, the resources.arsc needs to be uncompressed inside the apk, the rest have no problem being compressed. Then you need to zipalign and sign with v2 and it will install fine. I have a working build on my local computer but It's a hassle to manually fix those things. Yes it's requirement for playstore but using latest sdk stops the nagging popup that the apk is outdated and latest sdk supports more java api (sdk 34 uses java 17) |
kevlahnota
changed the title
| @@ -89,7 +89,7 @@ jobs: | |||
| d=$(date +%m-%d) | |||
| # Replace date in forge-gui-mobile/src/forge/Forge.java | |||
| sed -i -e "s/-SNAPSHOT/-SNAPSHOT-${d}/g" forge-gui-mobile/src/forge/Forge.java | |||
| mvn -U -B -P android-release-build,android-release-sign install -e -Dsign.keystore=forge.keystore -Dsign.alias=Forge -Dsign.storepass=${{ secrets.SIGN_STORE_PASS }} -Dsign.keypass=${{ secrets.SIGN_STORE_PASS }} -Dcardforge-repo.username=${{ secrets.FTP_USERNAME }} -Dcardforge-repo.password=${{ secrets.FTP_PASSWORD }} -Dandroid.sdk.path=/usr/local/lib/android/sdk -Dandroid.buildToolsVersion=30.0.3 -Dmaven.test.skip=true | |||
| mvn -U -B -P android-release-build install -e -Dcardforge-repo.username=${{ secrets.FTP_USERNAME }} -Dcardforge-repo.password=${{ secrets.FTP_PASSWORD }} -Dandroid.sdk.path=/usr/local/lib/android/sdk -Dandroid.buildToolsVersion=33.0.2 -Dmaven.test.skip=true | |||
There was a problem hiding this comment.
Signing isn't needed anymore?
There was a problem hiding this comment.
It's included on the android pom file, it will sign with v2, v3 on install phase using the modded signer
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<version>3.4.1</version>
<groupId>org.codehaus.mojo</groupId>
<executions>
<execution>
<id>SignV2</id>
<phase>install</phase>
<goals>
<goal>exec</goal>
</goals>
</execution>
</executions>
<configuration>
<workingDirectory>${pom.basedir}</workingDirectory>
<executable>java</executable>
<arguments>
<argument>-jar</argument>
<argument>${pom.basedir}/tools/uber-apk-signer.jar</argument>
<argument>-a</argument>
<argument>${pom.basedir}/target/</argument>
<argument>--ks</argument>
<argument>forge.keystore</argument>
<argument>--ksAlias</argument>
<argument>Forge</argument>
<argument>--ksKeyPass</argument>
<argument>forge72</argument>
<argument>--ksPass</argument>
<argument>forge72</argument>
<argument>--debug</argument>
</arguments>
</configuration>
</plugin>
There was a problem hiding this comment.
Are those keystore passwords just placeholders for testing?
There was a problem hiding this comment.
check publish.bat in android module.
There was a problem hiding this comment.
Knowing that the keystore credentials have already been in a publicly visible file for the last 9 years isn't doing much to mitigate my concern... Someone would still need the keystore itself to do anything malicious but if those are the actual passwords then that's a layer of security that isn't doing anything.
There was a problem hiding this comment.
If the github actions template works on the pom file, feel free to update it since I don't know how those variable interact from github to maven via pom file
There was a problem hiding this comment.
I'll admit I don't know much about that either, and the credentials would need to be changed by someone with more access than me anyway. I could open an issue for it but I'm hesitant to give security problems more visibility than necessary. It's probably not a huge problem in the short term though.
