Update SyncthingNative to v1.29.6 / Update debug cert to SHA256 / Prepare GPG sign (fixes #1284) (fixes #1311) (#1377)

* Update SyncthingNative to v1.29.6 * Update build.gradle.kts * Update syncthing * Update build-app.yaml * Update build-app.yaml * Update release-app.yaml * Update build-app.yaml * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update actions-setup.txt * Update release-app.yaml * Update build-app.yaml * Update build-app.yaml * Update build-app.yaml * Update build-app.yaml * Update build-app.yaml * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update App_build_and_release.cmd * Update build.gradle.kts * Create build-outputs-apk-debug.lnk * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update Switch-between-releases_Verify-APK-is-genuine.md * Update default.txt * Update build-app.yaml * Update build-app.yaml
2025-05-06 20:40:53 +02:00 · 2025-05-06 20:40:53 +02:00 · a4187d484a
commit a4187d484a
parent cc36ec6b14
10 changed files with 152 additions and 34 deletions
--- a/.github/workflows/actions-setup.txt
+++ b/.github/workflows/actions-setup.txt
@ -42,3 +42,5 @@ docker push ghcr.io/catfriend1/syncthing-android-builder:latest
 ### powershell "[Convert]::ToBase64String([IO.File]::ReadAllBytes(${env:USERPROFILE} + '\.android\catfriend1.jks'))" > "X:\catfriend1.jks.b64"
 ## SIGNING_PASSWORD
 ### [PWD]
+## GNUPG_SIGNING_KEY_BASE64
+### powershell "[Convert]::ToBase64String([IO.File]::ReadAllBytes('X:\Catfriend1_SECRET.asc'))" > "X:\Catfriend1_SECRET.asc.b64"
--- a/.github/workflows/build-app.yaml
+++ b/.github/workflows/build-app.yaml
@ -23,21 +23,53 @@ jobs:
          submodules: true
          fetch-depth: 0

+      - name: Get app version from build.gradle.kts
+        id: get_version
+        run: |
+          set -eu
+          VERSION_MAJOR=$(grep 'set("versionMajor"' build.gradle.kts | grep -o '[0-9]\+')
+          VERSION_MINOR=$(grep 'set("versionMinor"' build.gradle.kts | grep -o '[0-9]\+')
+          VERSION_PATCH=$(grep 'set("versionPatch"' build.gradle.kts | grep -o '[0-9]\+')
+          VERSION_WRAPPER=$(grep 'set("versionWrapper"' build.gradle.kts | grep -o '[0-9]\+')
+          VERSION="$VERSION_MAJOR.$VERSION_MINOR.$VERSION_PATCH.$VERSION_WRAPPER"
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Get commit hash
+        id: get_commit_hash
+        run: |
+          set -eu
+          git config --system --add safe.directory '*'
+          COMMIT_HASH=$(git rev-parse --short --verify HEAD)
+          echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
+
      - name: build
        run: |
          set -eu
-          mkdir -p ~/.android
-          echo '${{ secrets.DEBUG_KEYSTORE_B64 }}' | base64 -d > ~/.android/debug.keystore
+          mkdir -p "/root/.android"
+          echo '${{ secrets.DEBUG_KEYSTORE_B64 }}' | base64 -d > "/root/.android/debug.keystore"
          git config --system --add safe.directory '*'
          java -version
          ./gradlew --no-daemon buildNative lintDebug assembleDebug

-      - uses: actions/upload-artifact@v4
-        with:
-          name: syncthing-android-debug.apk
-          path: app/build/outputs/apk/debug/app-debug.apk
+      - name: prepare-artifacts
+        shell: bash
+        run: |
+          set -eu
+          mv "app/build/outputs/apk/debug/app-debug.apk" "app/build/outputs/apk/debug/com.github.catfriend1.syncthingandroid_debug_v${{ env.VERSION }}_${{ env.COMMIT_HASH }}.apk"

      - uses: actions/upload-artifact@v4
+        with:
+          name: com.github.catfriend1.syncthingandroid_debug_v${{ env.VERSION }}_${{ env.COMMIT_HASH }}.apk
+          path: app/build/outputs/apk/debug/com.github.catfriend1.syncthingandroid_debug_v${{ env.VERSION }}_${{ env.COMMIT_HASH }}.apk
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: reports
+          path: |
+            app/build/reports/**
+
+      - if: false
+        uses: actions/upload-artifact@v4
        with:
          name: reports-and-libs
          path: |
--- a/.github/workflows/release-app.yaml
+++ b/.github/workflows/release-app.yaml
@ -33,30 +33,52 @@ jobs:
            exit 1
          fi

+      - name: Get app version from build.gradle.kts
+        id: get_version
+        run: |
+          set -eu
+          VERSION_MAJOR=$(grep 'set("versionMajor"' build.gradle.kts | grep -o '[0-9]\+')
+          VERSION_MINOR=$(grep 'set("versionMinor"' build.gradle.kts | grep -o '[0-9]\+')
+          VERSION_PATCH=$(grep 'set("versionPatch"' build.gradle.kts | grep -o '[0-9]\+')
+          VERSION_WRAPPER=$(grep 'set("versionWrapper"' build.gradle.kts | grep -o '[0-9]\+')
+          VERSION="$VERSION_MAJOR.$VERSION_MINOR.$VERSION_PATCH.$VERSION_WRAPPER"
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+      - name: Get commit hash
+        id: get_commit_hash
+        run: |
+          set -eu
+          COMMIT_HASH=$(git rev-parse --short --verify HEAD)
+          echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
+
      - name: build_release
        env:
          SYNCTHING_RELEASE_KEY_ALIAS: Syncthing-Fork
          SIGNING_PASSWORD: '${{ secrets.SIGNING_PASSWORD }}'
          SYNCTHING_RELEASE_STORE_FILE: '${{ runner.temp }}/signing-keystore.jks'
-          # SYNCTHING_RELEASE_PLAY_ACCOUNT_CONFIG_FILE: '${{ runner.temp }}/google-play-secrets.json'
        shell: bash
        run: |
          set -eu
          echo '${{ secrets.SIGNING_KEYSTORE_JKS_BASE64 }}' | base64 -d > "$SYNCTHING_RELEASE_STORE_FILE"
-          # echo '${{ secrets.GOOGLE_PLAY_SECRETS_BASE64 }}' | base64 -d > "$SYNCTHING_RELEASE_PLAY_ACCOUNT_CONFIG_FILE"
          java -version
-          # TODO: Readd publishReleaseBundle if google play works again, or
-          # remove everything related to publishing to google play.
          ./gradlew --no-daemon buildNative lintRelease assembleRelease bundlegplay
-          # rm "$SYNCTHING_RELEASE_STORE_FILE" "$SYNCTHING_RELEASE_PLAY_ACCOUNT_CONFIG_FILE"
+          rm "$SYNCTHING_RELEASE_STORE_FILE"

-          # echo '${{ secrets.GNUPG_SIGNING_KEY_BASE64 }}' | base64 -d | gpg --import
-          # cd app/build/outputs/apk/release
-          # sha256sum app-release.apk | gpg --clearsign > sha256sum.txt.asc
+      - name: prepare-artifacts
+        shell: bash
+        run: |
+          set -eu
+          #
+          mv "app/build/outputs/apk/release/app-release.apk" "app/build/outputs/apk/release/com.github.catfriend1.syncthingandroid_release_v${{ env.VERSION }}_${{ env.COMMIT_HASH }}.apk"
+          mv "app/build/outputs/bundle/gplay/app-gplay.aab" "app/build/outputs/bundle/gplay/com.github.catfriend1.syncthingandroid_gplay_v${{ env.VERSION }}_${{ env.COMMIT_HASH }}.aab"
+          #
+          cd "app/build/outputs/apk/release"
+          echo '${{ secrets.GNUPG_SIGNING_KEY_BASE64 }}' | base64 -d | gpg --import
+          sha256sum "com.github.catfriend1.syncthingandroid_release_v${{ env.VERSION }}_${{ env.COMMIT_HASH }}.apk" | gpg --clearsign > sha256sum.txt.asc

      - uses: ncipollo/release-action@v1
        with:
-          artifacts: "app/build/outputs/apk/release/*.apk,app/build/outputs/bundle/gplay/*.aab"
+          artifacts: "app/build/outputs/apk/release/*.apk,app/build/outputs/apk/release/*.asc,app/build/outputs/bundle/gplay/*.aab"
          artifactErrorsFailBuild: true
          bodyFile: "app/src/main/play/release-notes/en-US/default.txt"
          prerelease: ${{ contains('-rc.', github.ref_name) }}
--- a/App_build_and_release.cmd
+++ b/App_build_and_release.cmd
@ -5,7 +5,7 @@ cd /d "%SCRIPT_PATH%"
 cls
 REM
 REM Script Consts.
-SET CLEANUP_BEFORE_BUILD=1
+SET CLEANUP_BEFORE_BUILD=0
 REM
 REM Runtime Variables.
 IF NOT DEFINED ANDROID_SDK_ROOT SET "ANDROID_SDK_ROOT=%SCRIPT_PATH%..\syncthing-android-prereq"
--- a/app/build-outputs-apk-debug.lnk
+++ b/app/build-outputs-apk-debug.lnk
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@ -1,6 +1,3 @@
-import org.gradle.configurationcache.extensions.capitalized
-
-
 plugins {
    id("com.android.application")
    id("com.github.ben-manes.versions")
@ -152,7 +149,8 @@ task<Exec>("postBuildScript") {

 project.afterEvaluate {
    android.buildTypes.forEach {
-        tasks.named("merge${it.name.capitalized()}JniLibFolders") {
+        val capitalizedName = it.name.replaceFirstChar { ch -> ch.uppercase() }
+        tasks.named("merge${capitalizedName}JniLibFolders") {
            dependsOn(":syncthing:buildNative")
        }
    }
--- a/app/src/main/play/release-notes/en-US/default.txt
+++ b/app/src/main/play/release-notes/en-US/default.txt
@ -1,2 +1,10 @@
-Update SyncthingNative to v1.29.5
-Build using CI
+Upgrade notes:
+The backup folder location UI preference on the settings screen is now relative to the internal storage root. Before, it was interpreted relative to the "(int-stor)/backups" folder. Please review that setting if you upgrade from a previous release.
+
+Notes:
+We will now prefer CI builds over builds done on a personal device.
+Debug APK signing was upgraded from SHA1 to SHA256 signing.
+We are preparing for GPG signed release artifacts.
+
+Changes:
+Update SyncthingNative to v1.29.6
--- a/build.gradle.kts
+++ b/build.gradle.kts
@ -7,7 +7,7 @@ buildscript {
        set("ndkVersionShared", "28.0.13004108")
        set("versionMajor", 1)
        set("versionMinor", 29)
-        set("versionPatch", 5)
+        set("versionPatch", 6)
        set("versionWrapper", 0)
    }

--- a/syncthing/src/github.com/syncthing/syncthing
+++ b/syncthing/src/github.com/syncthing/syncthing
@ -1 +1 @@
-Subproject commit f0b666269b6bdd1e8000e56e421367260e807479
+Subproject commit 0bf21d9db21b9e94327b8d385cc9818b50cc8a14
--- a/wiki/Switch-between-releases_Verify-APK-is-genuine.md
+++ b/wiki/Switch-between-releases_Verify-APK-is-genuine.md
@ -1,10 +1,39 @@
-Syncthing-Fork "Wrapper for Syncthing" has three release channels:
+Syncthing-Fork "Wrapper for Syncthing" has these release channels:

-1. [GitHub](https://github.com/Catfriend1/syncthing-android/releases/latest) release page, e. g. com.github.catfriend1.syncthingandroid_1.0.0.1_7d59e75.apk
+<b>1. F-Droid release build</b>

-2. F-Droid client or [website](https://f-droid.org/packages/com.github.catfriend1.syncthingandroid/), e. g. com.github.catfriend1.syncthingandroid_fdroid_1.0.0.1_7d59e75.apk
+* <b>"COMMON USER" - please choose this!</b>
+* Published on [F-Droid](https://f-droid.org/packages/com.github.catfriend1.syncthingandroid/) and [GitHub release page](https://github.com/Catfriend1/syncthing-android/releases/latest)
+* File name is like: com.github.catfriend1.syncthingandroid_fdroid_1.29.6.0_7d59e75.apk
+* Certificate hash: yei5Ybhe9jZNx7NG4WE9MgjnfsPqbHCzUhHvfedPEuU=
+* Signing Certificate SHA256 Fingerprint: <details>C9:E8:B9:61:B8:5E:F6:36:4D:C7:B3:46:E1:61:3D:32:08:E7:7E:C3:EA:6C:70:B3:52:11:EF:7D:E7:4F:12:E5</details>
+
+<b>2. GitHub release build</b>
+
+* If you don't like to use F-Droid for some reason, please choose this!
+* Only published on [GitHub release page](https://github.com/Catfriend1/syncthing-android/releases/latest)
+* File name is like: com.github.catfriend1.syncthingandroid_release_1.29.6.0_7d59e75.apk
+* Certificate hash: +OAnc7gs9+lKqwFiAp9XiF/wcg+uwQxrzvSfffjJSpk=
+* Signing Certificate SHA256 Fingerprint: <details>F8:E0:27:73:B8:2C:F7:E9:4A:AB:01:62:02:9F:57:88:5F:F0:72:0F:AE:C1:0C:6B:CE:F4:9F:7D:F8:C9:4A:99</details>
+
+<b>3. Google Play release build</b>
+
+* Published by [nel0x](https://github.com/nel0x) at [Google Play Store](https://play.google.com/store/apps/details?id=com.github.catfriend1.syncthingandroid)
+* May contain limited functionality due to play policies.
+* It's an appetizer for your family and friends to start their Syncthing experience.
+* File name is like: com.github.catfriend1.syncthingandroid_gplay_1.29.6.0_7d59e75.aab
+* Certificate hash: +OAnc7gs9+lKqwFiAp9XiF/wcg+uwQxrzvSfffjJSpk=
+* Signing Certificate SHA256 Fingerprint: <details>F8:E0:27:73:B8:2C:F7:E9:4A:AB:01:62:02:9F:57:88:5F:F0:72:0F:AE:C1:0C:6B:CE:F4:9F:7D:F8:C9:4A:99</details>
+
+<b>4. GitHub debug build</b>
+
+* Only published on GitHub
+* Can be obtained by looking at the [action workflow builds](https://github.com/Catfriend1/syncthing-android/actions) and artifacts.
+* It's for maintainers, contributors who require a second installation of the app on their phone for testing purposes.
+* File name is like: com.github.catfriend1.syncthingandroid_debug_1.29.6.0_7d59e75.apk
+* Certificate hash: x9QGpAqFQXg1+79ADsY1k0uBrj7+W1HF+PN3BunPZrM=
+* Signing Certificate SHA256 Fingerprint: <details>C7:D4:06:A4:0A:85:41:78:35:FB:BF:40:0E:C6:35:93:4B:81:AE:3E:FE:5B:51:C5:F8:F3:77:06:E9:CF:66:B3</details>

-3. [Google Play Store](https://play.google.com/store/apps/details?id=com.github.catfriend1.syncthingandroid), e. g. com.github.catfriend1.syncthingandroid_gplay_1.0.0.1_7d59e75.apk

 The signing on these release channels differ, so if you wish to change to a different channel:

@ -16,14 +45,41 @@ The signing on these release channels differ, so if you wish to change to a diff
  * Complete the welcome wizard
  * Open the drawer on the left side > Import & Export > Import configuration

-To verify your downloaded APK, compare the certificate hash of the APK to the one's listed below. It has to match one of them to indicate you have a genuine version of the app.
+To verify your downloaded APK, compare the certificate hash of the APK to the one's listed above. It has to match one of them to indicate you have a genuine version of the app. Here is a quick way of getting the certificate hash out of an APK file on Linux:

-1. GitHub APK: dQAnHXvlh80yJgrQUCo6LAg4294=
+```
+keytool -list -printcert -jarfile "/path/to/release.apk" | grep "SHA256: " | cut -d " " -f 3 | xxd -r -p | openssl base64
+#
+# Alternative
+## https://sisik.eu/cert
+```

-2. F-Droid APK: nyupq9aU0x6yK8RHaPra5GbTqQY=
+Future releases might be signed with GPG. Here is the public key which allows you to verify a release is "genuine". This happens under the assumption that the build process on GitHub Actions was not tampered with.

-3. Google Play APK: dQAnHXvlh80yJgrQUCo6LAg4294=
+Public key: Catfriend1
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----

-Here is a quick way of getting the certificate hash out of an APK file on Linux:
+mDMEaBogpxYJKwYBBAHaRw8BAQdAwmm+DaidLg6ywZR6hGaYccNN2b9KdXSAxG5k
+uQ3tBzy0OUNhdGZyaWVuZDEgPDE2MzYxOTEzK0NhdGZyaWVuZDFAdXNlcnMubm9y
+ZXBseS5naXRodWIuY29tPoiZBBMWCgBBFiEEKue4YzEYcJQ2hvieVyYqmI5VFYQF
+AmgaIKcCGwMFCQWkqPkFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQVyYq
+mI5VFYREswD/WNLLZlO/4K12PwFHEHEg7W1Rcge7tbMPbFCIM9DIhPIBAOeXtEA9
+9LkmDWv+TlYZ4gdk/tuAZKiOPl2gx1yMqdYGuDgEaBogpxIKKwYBBAGXVQEFAQEH
+QB7NWczPOLSQIMDIxx4mbAJWnhNBBccFJKOJHSnusgZMAwEIB4h+BBgWCgAmFiEE
+Kue4YzEYcJQ2hvieVyYqmI5VFYQFAmgaIKcCGwwFCQWkqPkACgkQVyYqmI5VFYRw
+jQD/a2Fx/Nls5+ZvvyUqlX7oFERf6v+eYoi/0qB5em5ce6sA/AsnYRyBbd5gdHgb
+VUTQ/RYTeUCdkM1SuArDflF0rIwP
+=c0Mr
+-----END PGP PUBLIC KEY BLOCK-----
+```

-* keytool -printcert -jarfile "/path/to/release.apk" | grep "SHA1: " | cut -d " " -f 3 | xxd -r -p | openssl base64
+Notes:
+
+```
+# Generate SHA256 hash
+powershell "$hex = 'C7:D4:06:A4:0A:85:41:78:35:FB:BF:40:0E:C6:35:93:4B:81:AE:3E:FE:5B:51:C5:F8:F3:77:06:E9:CF:66:B3'; $hexBytes = $hex.Split(':') | ForEach-Object { $_.PadLeft(2, '0') }; $hexClean = ($hexBytes -join ''); $bytes = for ($i = 0; $i -lt $hexClean.Length; $i += 2) { [Convert]::ToByte($hexClean.Substring($i, 2), 16) }; [Convert]::ToBase64String($bytes)"
+
+# Decode SHA256 hash
+powershell "$base64 = 'x9QGpAqFQXg1+79ADsY1k0uBrj7+W1HF+PN3BunPZrM='; $bytes = [System.Convert]::FromBase64String($base64); $hex = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ':'; $hex"
+```