Require dedicated release signing for APK builds

This commit is contained in:
Joe Julian
2026-04-18 22:00:56 -07:00
parent 92a7853258
commit 0dfaeef7bf
6 changed files with 76 additions and 9 deletions
+9 -3
View File
@@ -45,8 +45,8 @@ Use this skill together with the installed `android-emulator-debug` skill. That
## Build Workflow ## Build Workflow
1. Verify the JDK/SDK paths match the known working environment. 1. Verify the JDK/SDK paths match the known working environment.
2. Build with `make apk`. 2. Build with `make apk` for debug validation, or `make apk-release` when validating production signing behavior.
3. If `make apk` fails, inspect the effective `JAVA_HOME`, `ANDROID_SDK_ROOT`, and `ANDROID_NDK_ROOT` before changing code. 3. If the build fails, inspect the effective `JAVA_HOME`, `ANDROID_SDK_ROOT`, and `ANDROID_NDK_ROOT` before changing code.
4. If the problem is Android-only, avoid desktop-only conclusions from `go test ./...`. 4. If the problem is Android-only, avoid desktop-only conclusions from `go test ./...`.
Typical local build: Typical local build:
@@ -55,6 +55,12 @@ Typical local build:
JAVA_HOME=/usr/lib/jvm/java-25-openjdk make apk JAVA_HOME=/usr/lib/jvm/java-25-openjdk make apk
``` ```
Typical local release build:
```sh
JAVA_HOME=/usr/lib/jvm/java-25-openjdk make apk-release
```
## Emulator Workflow ## Emulator Workflow
1. Reuse an existing emulator session if one is already running. 1. Reuse an existing emulator session if one is already running.
@@ -79,7 +85,7 @@ adb shell dumpsys window | rg 'mCurrentFocus|mFocusedApp'
## Validation Checklist ## Validation Checklist
- APK builds successfully with `make apk`. - APK builds successfully with the intended target: `make apk` for debug validation or `make apk-release` for release-signing validation.
- App launches to `org.julianfamily.keepassgo/org.gioui.GioActivity`. - App launches to `org.julianfamily.keepassgo/org.gioui.GioActivity`.
- Screenshot shows the expected screen, not just a black frame. - Screenshot shows the expected screen, not just a black frame.
- `logcat` shows no app crash or Android runtime fatal error. - `logcat` shows no app crash or Android runtime fatal error.
+7 -1
View File
@@ -52,11 +52,17 @@ The installed package version must correspond to the committed source, not a dir
Use the repo's known-good local JDK unless the environment already proves otherwise: Use the repo's known-good local JDK unless the environment already proves otherwise:
```sh ```sh
JAVA_HOME=/usr/lib/jvm/java-25-openjdk make apk JAVA_HOME=/usr/lib/jvm/java-25-openjdk make apk-release
``` ```
If that JDK is unavailable on the current host, use the working replacement already established for the machine and say so in the closeout. If that JDK is unavailable on the current host, use the working replacement already established for the machine and say so in the closeout.
- `ship it` must use the dedicated release keystore flow, not Gio's implicit debug or temporary signing path.
- The default local release-signing paths are:
`~/.config/keepassgo/android-release.keystore`
`~/.config/keepassgo/android-release.pass`
- If those files are unavailable, stop and fix signing instead of shipping a differently signed APK.
### 4. Zip The APK ### 4. Zip The APK
- Create the ZIP under the globally required temporary secret-safe directory. - Create the ZIP under the globally required temporary secret-safe directory.
+6 -3
View File
@@ -135,11 +135,14 @@ jobs:
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
signkey_path="$(mktemp)" mkdir -p build/ci-signing
trap 'rm -f -- "$signkey_path"' EXIT signkey_path="$(pwd)/build/ci-signing/android-release.keystore"
signpass_path="$(pwd)/build/ci-signing/android-release.pass"
trap 'rm -f -- "$signkey_path" "$signpass_path"' EXIT
printf '%s' '${{ secrets.APK_SIGNKEY_B64 }}' | base64 -d > "$signkey_path" printf '%s' '${{ secrets.APK_SIGNKEY_B64 }}' | base64 -d > "$signkey_path"
printf '%s' '${{ secrets.APK_SIGNPASS }}' > "$signpass_path"
export APP_VERSION="$(git describe --tags --always --dirty)" export APP_VERSION="$(git describe --tags --always --dirty)"
make apk SIGNKEY="$signkey_path" SIGNPASS='${{ secrets.APK_SIGNPASS }}' make apk-release RELEASE_SIGNKEY="$signkey_path" RELEASE_SIGNPASS_FILE="$signpass_path"
cp build/keepassgo.apk "${DIST_DIR}/keepassgo.apk" cp build/keepassgo.apk "${DIST_DIR}/keepassgo.apk"
- name: Upload CI artifacts - name: Upload CI artifacts
+21
View File
@@ -6,11 +6,22 @@ Build the APK with:
make apk make apk
``` ```
Build the release-signed APK with:
```sh
make apk-release
```
`make apk` uses a local Java 25 install when `JAVA_HOME` points to one. `make apk` uses a local Java 25 install when `JAVA_HOME` points to one.
If the host does not have a working Java 25 install, it falls back to the If the host does not have a working Java 25 install, it falls back to the
repo-managed Docker image in `packaging/docker/android-apk/`, which also builds repo-managed Docker image in `packaging/docker/android-apk/`, which also builds
with Java 25. with Java 25.
`make apk` remains a developer build path and may use Gio's default debug or
ephemeral signing behavior if no explicit signing key is provided.
`make apk-release` is the production-signing path and fails unless a dedicated
release keystore and password file are present.
Environment: Environment:
- `ANDROID_SDK_ROOT` defaults to `/opt/android-sdk`. - `ANDROID_SDK_ROOT` defaults to `/opt/android-sdk`.
@@ -23,6 +34,13 @@ Environment:
- `APK_VERSION` overrides the packaged app version. - `APK_VERSION` overrides the packaged app version.
- `ANDROID_MIN_SDK` overrides the minimum supported Android SDK. - `ANDROID_MIN_SDK` overrides the minimum supported Android SDK.
- `ANDROID_TARGET_SDK` overrides the target Android SDK. - `ANDROID_TARGET_SDK` overrides the target Android SDK.
- `RELEASE_SIGNKEY` overrides the release keystore path used by `make apk-release`.
- `RELEASE_SIGNPASS_FILE` overrides the password file path used by `make apk-release`.
Default release-signing paths:
- `~/.config/keepassgo/android-release.keystore`
- `~/.config/keepassgo/android-release.pass`
Installed machine prerequisites expected by this repo: Installed machine prerequisites expected by this repo:
@@ -38,6 +56,9 @@ The repo tracks `gogio` as a Go tool, and the local build runs through:
go tool gogio -target android ./cmd/keepassgo ... go tool gogio -target android ./cmd/keepassgo ...
``` ```
The release target wraps `make apk` and injects explicit signing credentials so
local release builds and CI use the same stable key.
The Android build uses the branded icon asset at: The Android build uses the branded icon asset at:
- `internal/assets/keepassgo-icon.png` - `internal/assets/keepassgo-icon.png`
+22 -2
View File
@@ -12,6 +12,8 @@ ANDROID_MIN_SDK ?= 28
ANDROID_TARGET_SDK ?= 35 ANDROID_TARGET_SDK ?= 35
SIGNKEY ?= SIGNKEY ?=
SIGNPASS ?= SIGNPASS ?=
RELEASE_SIGNKEY ?= $(HOME)/.config/keepassgo/android-release.keystore
RELEASE_SIGNPASS_FILE ?= $(HOME)/.config/keepassgo/android-release.pass
ARCH_PKG_DIR ?= packaging/archlinux/keepassgo-git ARCH_PKG_DIR ?= packaging/archlinux/keepassgo-git
ARCH_PKG_TMPL ?= $(ARCH_PKG_DIR)/PKGBUILD.tmpl ARCH_PKG_TMPL ?= $(ARCH_PKG_DIR)/PKGBUILD.tmpl
ARCH_PKGBUILD ?= $(ARCH_PKG_DIR)/PKGBUILD ARCH_PKGBUILD ?= $(ARCH_PKG_DIR)/PKGBUILD
@@ -26,7 +28,17 @@ ifneq ($(strip $(SIGNPASS)),)
GOGIO_SIGN_FLAGS += -signpass $(SIGNPASS) GOGIO_SIGN_FLAGS += -signpass $(SIGNPASS)
endif endif
.PHONY: apk apk-local apk-container apk-container-image archlinux-pkgbuild browser-bridge browser-extension-validate CONTAINER_SIGNKEY_MOUNT :=
CONTAINER_SIGN_ARGS :=
ifneq ($(strip $(SIGNKEY)),)
CONTAINER_SIGNKEY_MOUNT += -v "$(dir $(abspath $(SIGNKEY))):$(dir $(abspath $(SIGNKEY))):ro"
CONTAINER_SIGN_ARGS += SIGNKEY="$(abspath $(SIGNKEY))"
endif
ifneq ($(strip $(SIGNPASS)),)
CONTAINER_SIGN_ARGS += SIGNPASS="$(SIGNPASS)"
endif
.PHONY: apk apk-local apk-release apk-container apk-container-image archlinux-pkgbuild browser-bridge browser-extension-validate
apk: apk:
@if [ -x "$(JAVA_HOME)/bin/java" ] && "$(JAVA_HOME)/bin/java" -version 2>&1 | grep -q 'version "25'; then \ @if [ -x "$(JAVA_HOME)/bin/java" ] && "$(JAVA_HOME)/bin/java" -version 2>&1 | grep -q 'version "25'; then \
$(MAKE) apk-local JAVA_HOME="$(JAVA_HOME)"; \ $(MAKE) apk-local JAVA_HOME="$(JAVA_HOME)"; \
@@ -59,6 +71,13 @@ apk-local: android/keepassgo-android.jar
-icon internal/assets/keepassgo-icon.png \ -icon internal/assets/keepassgo-icon.png \
./cmd/keepassgo ./cmd/keepassgo
apk-release:
@test -f "$(RELEASE_SIGNKEY)" || { echo "Release signing key not found at $(RELEASE_SIGNKEY)"; exit 1; }
@test -f "$(RELEASE_SIGNPASS_FILE)" || { echo "Release signing password file not found at $(RELEASE_SIGNPASS_FILE)"; exit 1; }
@signpass="$$(tr -d '\r\n' < "$(RELEASE_SIGNPASS_FILE)")"; \
test -n "$$signpass" || { echo "Release signing password file is empty"; exit 1; }; \
$(MAKE) apk SIGNKEY="$(abspath $(RELEASE_SIGNKEY))" SIGNPASS="$$signpass"
apk-container: apk-container-image apk-container: apk-container-image
@command -v docker >/dev/null 2>&1 || { echo "docker is required for apk-container"; exit 1; } @command -v docker >/dev/null 2>&1 || { echo "docker is required for apk-container"; exit 1; }
@test -d "$(ANDROID_SDK_ROOT)" || { echo "ANDROID_SDK_ROOT must point to an Android SDK install"; exit 1; } @test -d "$(ANDROID_SDK_ROOT)" || { echo "ANDROID_SDK_ROOT must point to an Android SDK install"; exit 1; }
@@ -69,11 +88,12 @@ apk-container: apk-container-image
-w "$(CURDIR)" \ -w "$(CURDIR)" \
-v "$(ANDROID_SDK_ROOT):$(ANDROID_SDK_ROOT)" \ -v "$(ANDROID_SDK_ROOT):$(ANDROID_SDK_ROOT)" \
-v "$(ANDROID_NDK_ROOT):$(ANDROID_NDK_ROOT)" \ -v "$(ANDROID_NDK_ROOT):$(ANDROID_NDK_ROOT)" \
$(CONTAINER_SIGNKEY_MOUNT) \
-e ANDROID_SDK_ROOT="$(ANDROID_SDK_ROOT)" \ -e ANDROID_SDK_ROOT="$(ANDROID_SDK_ROOT)" \
-e ANDROID_NDK_ROOT="$(ANDROID_NDK_ROOT)" \ -e ANDROID_NDK_ROOT="$(ANDROID_NDK_ROOT)" \
-e JAVA_HOME=/opt/java/openjdk \ -e JAVA_HOME=/opt/java/openjdk \
$(APK_BUILD_IMAGE) \ $(APK_BUILD_IMAGE) \
make apk-local JAVA_HOME=/opt/java/openjdk make apk-local JAVA_HOME=/opt/java/openjdk $(CONTAINER_SIGN_ARGS)
apk-container-image: apk-container-image:
@command -v docker >/dev/null 2>&1 || { echo "docker is required for apk-container-image"; exit 1; } @command -v docker >/dev/null 2>&1 || { echo "docker is required for apk-container-image"; exit 1; }
+11
View File
@@ -98,6 +98,17 @@ available, it falls back to the repo-managed Docker build image, which also
uses Java 25. You still need the Android SDK and NDK installed and configured uses Java 25. You still need the Android SDK and NDK installed and configured
for real device or release packaging. for real device or release packaging.
Release package:
```bash
make apk-release
```
`make apk-release` is the production-signing path. It requires a dedicated
release keystore at `~/.config/keepassgo/android-release.keystore` and a
password file at `~/.config/keepassgo/android-release.pass`, unless you
override `RELEASE_SIGNKEY` and `RELEASE_SIGNPASS_FILE`.
## Automation ## Automation
Desktop automation is resolved through the secure gRPC API rather than synthetic auto-type. Desktop automation is resolved through the secure gRPC API rather than synthetic auto-type.