BypassRootCheckPro icon indicating copy to clipboard operation
BypassRootCheckPro copied to clipboard

Published 20 hours ago verified publisher icon gauravssnl

Certificate issue

Open IzzySoft opened this issue 1 year ago • 2 comments

It seems your APKs are signed using a debug key:

Signer #1 certificate DN: C=US, O=Android, CN=Android Debug
Signer #1 certificate SHA-256 digest: 8548d99020461707d4c02d76aeca75790439000f8711496670a08198ffe6a9ff
Signer #1 certificate SHA-1 digest: 617b7e64f6c98efde53d53634b4b4073ceb1e279
Signer #1 certificate MD5 digest: bc3085314b7c2d31a85be556eb714dc4
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048

Would it be possible to use a proper release key instead? Further:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

can be easily avoided:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains.

Thanks in advance!

IzzySoft avatar Feb 08 '24 20:02 IzzySoft

@IzzySoft I have signed my app using debug key as I am not planning to release this on Play Store anytime. Another reason of using debug key is that it makes app upgrade easier and I don't need to maintain / store any private key. If anyone needs to sign the app, they can easily build and sign the APK themselves as the source code is available.

Let me know if you have any issues.

gauravssnl avatar Feb 14 '24 14:02 gauravssnl

Thanks for your answer, @gauravssnl! But apps signed using debug keys are no longer allowed in my repo, where I was about to include your app. For background, please see e.g.

If anyone needs to sign the app, they can easily build and sign the APK themselves as the source code is available.

Don't forget that not each and every human is an Android developer (while hopefully all developers are humans). So no: I couldn't even build an app.

IzzySoft avatar Feb 15 '24 09:02 IzzySoft