JakeFS
June 9, 2025, 12:24pm
1
The APK signing key for "GitHub - Catfriend1/syncthing-android: Syncthing-Fork - A Syncthing Wrapper for Android" has changed without being rotated.
How do we verify continuity?
Uninstalling and reinstalling seems insecure as it basically trusts the new key blindly (IIRC).
JakeFS
June 9, 2025, 12:27pm
2
I notice there is also a PGP key, but I didn’t pin it before the change, so I don’t think I can trust it.
JakeFS
June 9, 2025, 12:30pm
3
I know this because it gave me an error when I tried to install it normally. I will not uninstall and reinstall as IIRC that will wipe the existing key and do TOFU all over again.
How did you verify my old key?
The PGP key also came around when I set up the CI builds, so it is pretty young.
Syncthing-Fork "Wrapper for Syncthing" has these release channels:
**1. F-Droid release build**
* **"COMMON USER" - please choose this!**
* Published on [F-Droid](https://f-droid.org/packages/com.github.catfriend1.syncthingandroid/) and [GitHub release page](https://github.com/Catfriend1/syncthing-android/releases/latest)
* File name is like: com.github.catfriend1.syncthingandroid_fdroid_1.29.6.0_7d59e75.apk
* Certificate hash: yei5Ybhe9jZNx7NG4WE9MgjnfsPqbHCzUhHvfedPEuU=
* Signing Certificate SHA256 fingerprint: C9:E8:B9:61:B8:5E:F6:36:4D:C7:B3:46:E1:61:3D:32:08:E7:7E:C3:EA:6C:70:B3:52:11:EF:7D:E7:4F:12:E5
**2. GitHub release build**
* If you don't like to use F-Droid for some reason, please choose this!
* Only published on [GitHub release page](https://github.com/Catfriend1/syncthing-android/releases/latest)
* File name is like: com.github.catfriend1.syncthingandroid_release_1.29.6.0_7d59e75.apk
* Certificate hash: 03S43lBXATFDx9FRWgFVmMLfQDvoFgyuAaWMIn5uhqo=
* Signing Certificate SHA256 fingerprint: D3:74:B8:DE:50:57:01:31:43:C7:D1:51:5A:01:55:98:C2:DF:40:3B:E8:16:0C:AE:01:A5:8C:22:7E:6E:86:AA
**3. Google Play release build**
JakeFS
June 10, 2025, 1:40pm
5
I didn’t. I TOFU’d it. I want to ensure continuity between the old key and the new key.
JakeFS
June 10, 2025, 1:48pm
6
Did you use `apksigner rotate`?
No, it just came out of “gradlew assembleRelease” and “gradlew assembleDebug”. The keystore was freshly created by Android Studio back in 2019 and this month for the new key. Thanks for posting the link, next time (“hopefully in five years”) I’ll know.
JakeFS:
I TOFU’d it
How do you feel about the fact that Google Play servers know my old key? Do you trust Google?
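As an added example (not the project's own code nor from any post above), a small Python check that converts between the two forms the README publishes for each channel, the base64 "Certificate hash" and the colon-separated SHA-256 fingerprint, which encode the same digest, and that reports which channel's published key signed a downloaded APK from `apksigner verify --print-certs` output. It assumes `apksigner` from the Android SDK build-tools is on PATH; the sample output at the end is constructed.

```python
import base64
import re
import subprocess
# Published per-channel values, copied from the README quoted in the thread above.
CHANNELS = {
    "fdroid": {
        "cert_hash": "yei5Ybhe9jZNx7NG4WE9MgjnfsPqbHCzUhHvfedPEuU=",
        "fingerprint": "C9:E8:B9:61:B8:5E:F6:36:4D:C7:B3:46:E1:61:3D:32:"
                       "08:E7:7E:C3:EA:6C:70:B3:52:11:EF:7D:E7:4F:12:E5",
    },
    "github": {
        "cert_hash": "03S43lBXATFDx9FRWgFVmMLfQDvoFgyuAaWMIn5uhqo=",
        "fingerprint": "D3:74:B8:DE:50:57:01:31:43:C7:D1:51:5A:01:55:98:"
                       "C2:DF:40:3B:E8:16:0C:AE:01:A5:8C:22:7E:6E:86:AA",
    },
}

def fingerprint_to_cert_hash(fingerprint: str) -> str:
    """'AA:BB:...' SHA-256 fingerprint -> base64 'Certificate hash' form."""
    raw = bytes.fromhex(fingerprint.replace(":", ""))
    if len(raw) != 32:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return base64.b64encode(raw).decode("ascii")

def cert_hash_to_fingerprint(cert_hash: str) -> str:
    """Inverse conversion, so either published form can be compared."""
    raw = base64.b64decode(cert_hash, validate=True)
    return ":".join(f"{b:02X}" for b in raw)

def signer_digests(apksigner_output: str) -> list:
    """SHA-256 signer digests from `apksigner verify --print-certs` output."""
    pat = r"Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})"
    return [d.lower() for d in re.findall(pat, apksigner_output)]

def match_channel(apksigner_output: str, channels=CHANNELS):
    """Name of the channel whose published key signed the APK, else None."""
    found = set(signer_digests(apksigner_output))
    for name, c in channels.items():
        if c["fingerprint"].replace(":", "").lower() in found:
            return name
    return None

def verify_apk(path: str, channels=CHANNELS):
    """Run apksigner (must be on PATH) on a downloaded APK and match its key."""
    out = subprocess.run(["apksigner", "verify", "--print-certs", path],
                         capture_output=True, text=True, check=True).stdout
    return match_channel(out, channels)

# Constructed sample of apksigner output for an APK signed with the F-Droid key.
SAMPLE_OUTPUT = ("Signer #1 certificate SHA-256 digest: "
                 + CHANNELS["fdroid"]["fingerprint"].replace(":", "").lower() + "\n")
```

A match against the README only confirms the APK carries the key the maintainer currently publishes; it cannot show continuity with the old key, which only a v3 signing lineage from `apksigner rotate` would provide, and the maintainer states above that none was used.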