
fix(android): proper release signing + R8 minify (audit H2 + H3)#13

Merged
github-actions[bot] merged 2 commits into main from fix/audit-h2-h3-android-release
May 7, 2026

Conversation

@satyakwok (Contributor)

Summary

Two HIGH findings from 2026-05-07 audit:

H2 — release builds were signed with debug keystore (signingConfig = signingConfigs.getByName("debug")). Anyone could resign + replace published APK. Now reads release signing from key.properties (local, gitignored) OR SOLUX_KEYSTORE_* env vars (CI). Fails fast if neither configured.

H3 — release builds had no minify (isMinifyEnabled = false). Pre-crypto layer lands, enable R8 + resource shrinking so discipline is in place when sensitive code arrives.

Operator next steps post-merge

  1. Generate release keystore one-time: keytool -genkey -v -keystore solux-release.jks -keyalg RSA -keysize 2048 -validity 10000 -alias solux
  2. Add 4 GH secrets: SOLUX_KEYSTORE_PATH, SOLUX_KEYSTORE_PASSWORD, SOLUX_KEY_ALIAS, SOLUX_KEY_PASSWORD
  3. CI workflow: base64-decode keystore from secret in build job, set env vars, then flutter build apk

Audit findings 2026-05-07:

H2 (HIGH): release builds were signed with the debug keystore. Anyone
could resign the published APK and impersonate Solux. Now reads
release signing config from local key.properties (gitignored) OR
CI env vars (SOLUX_KEYSTORE_PATH/_PASSWORD/_KEY_ALIAS/_KEY_PASSWORD).
Build fails fast with a clear error if neither is provided.

H3 (HIGH): release builds had no minify / no R8. When the crypto
layer lands, an unminified binary makes keystore logic + signing flow
trivially readable. Enabling R8 + resource shrinking now (pre-crypto)
so the discipline is in place before sensitive code arrives. Stub
proguard-rules.pro added with Flutter keeps.

.gitignore: never commit key.properties / *.jks / *.keystore.

Operator action items post-merge:
1. Generate a release keystore (one-time): keytool -genkey -v -keystore solux-release.jks -keyalg RSA -keysize 2048 -validity 10000 -alias solux
2. Add it to GH secrets (4 values: SOLUX_KEYSTORE_PATH, _PASSWORD, _KEY_ALIAS, _KEY_PASSWORD)
3. Update CI workflow to base64-decode keystore from secret + set env vars before flutter build apk
4. (separate work) Add release signing job to release pipeline
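A Gradle Kotlin DSL sketch of the resolve-or-fail release signing described in the summary and commit message above (key.properties first, SOLUX_KEYSTORE_* env vars as the CI fallback, clear failure otherwise, R8 plus resource shrinking on). This is an added illustration, not the PR's own diff; the key.properties property names, the "release" task-name gate, and the ProGuard file names are assumptions:

```kotlin
import java.io.FileInputStream
import java.util.Properties
// Local key.properties wins; SOLUX_KEYSTORE_* env vars (CI) are the fallback.
// Property names (storeFile/storePassword/keyAlias/keyPassword) are an assumption.
val keyPropsFile = rootProject.file("key.properties")
val keyProps = Properties().apply {
    if (keyPropsFile.exists()) FileInputStream(keyPropsFile).use { load(it) }
}
fun signingValue(propName: String, envName: String): String? =
    keyProps.getProperty(propName)?.takeIf { it.isNotBlank() }
        ?: System.getenv(envName)?.takeIf { it.isNotBlank() }
val releaseSigning = mapOf(
    "storeFile" to signingValue("storeFile", "SOLUX_KEYSTORE_PATH"),
    "storePassword" to signingValue("storePassword", "SOLUX_KEYSTORE_PASSWORD"),
    "keyAlias" to signingValue("keyAlias", "SOLUX_KEY_ALIAS"),
    "keyPassword" to signingValue("keyPassword", "SOLUX_KEY_PASSWORD"),
)
val missing = releaseSigning.filterValues { it == null }.keys

// Fail fast only when a release task is requested, so `flutter run` (debug)
// still works for developers without the release key. Assumes release task
// names contain "release" (assembleRelease, bundleRelease).
val wantsRelease = gradle.startParameter.taskNames.any { it.contains("release", ignoreCase = true) }
if (wantsRelease && missing.isNotEmpty()) {
    throw GradleException("Release signing not configured; missing $missing. " +
        "Provide android/key.properties or the SOLUX_KEYSTORE_* env vars.")
}

android {
    signingConfigs {
        if (missing.isEmpty()) {
            create("release") {
                storeFile = file(releaseSigning.getValue("storeFile")!!)
                storePassword = releaseSigning.getValue("storePassword")
                keyAlias = releaseSigning.getValue("keyAlias")
                keyPassword = releaseSigning.getValue("keyPassword")
            }
        }
    }
    buildTypes {
        getByName("release") {
            // No debug-keystore fallback: null here means "unsigned", never "debug".
            signingConfig = signingConfigs.findByName("release")
            isMinifyEnabled = true
            isShrinkResources = true
            proguardFiles(getDefaultProguardFile("proguard-android-optimize.txt"), "proguard-rules.pro")
        }
    }
}
```

Because the check is gated on the requested task, a developer without the keystore can still run debug builds, while `flutter build apk` (assembleRelease) aborts at configuration time instead of silently producing a debug-signed artifact.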
@github-actions github-actions Bot enabled auto-merge (squash) May 7, 2026 14:16
@github-actions github-actions Bot merged commit 3b4fc54 into main May 7, 2026
2 checks passed