x/mobile: Add support for signing Android applications using v2+ scheme #38439

Open
@Jacalz

Note:

This was suggested as part of the security issue filed as part of #38438 and might be relevant.

Description:

The signing of Android applications in gomobile is currently using the old v1 signing scheme and not the new and improved v2 or v3 schemes that have been available for quite some time now. See the Application Signing documentation for more information regarding the various signing schemes.

The v2+ schemes introduce both security and performance improvements and could be beneficial for improving the application signing. There are two ways that this could be done due to v2+ being compatible on older Android phones as long as applications are signed with both (or possibly all three) protocols. This means that we could fix the security issue mentioned in #38438 and still sign with the v1 scheme for supporting Android 7 and below, but also sign with v2+ for better security and install performance on newer versions. Another possible way to solve it would be to drop support for v1 and just support v2+ and thus Android 7 and newer. The choice of the best option depends on how you look at it, but I will leave that to someone else to decide.
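To check which of the schemes discussed above a built APK actually carries, the following added example (not code from this issue or from gomobile) looks for the APK Signing Block that v2+ places in front of the ZIP central directory and reports whether it holds v2 and v3 entries. `SigSchemes` and `sampleAPK` are hypothetical names, the input is a constructed buffer rather than a real APK, and the code only detects presence; it does not verify any signature.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

const magic, idV2, idV3 = "APK Sig Block 42", 0x7109871a, 0xf05368c0 // block trailer, v2 ID, v3 ID

// SigSchemes reports which v2+ signature blocks sit before the ZIP central directory.
func SigSchemes(apk []byte) (v2, v3 bool, err error) {
	le := binary.LittleEndian
	eocd := bytes.LastIndex(apk, []byte("PK\x05\x06")) // simplification: assumes no ZIP comment
	if eocd < 0 || eocd+22 > len(apk) {
		return false, false, fmt.Errorf("no end-of-central-directory record")
	}
	cd := int(le.Uint32(apk[eocd+16:])) // central directory offset
	if cd < 32 || cd > eocd || string(apk[cd-16:cd]) != magic {
		return false, false, nil // no signing block: v1 (JAR) signature at best
	}
	size := le.Uint64(apk[cd-24:]) // block size, excluding the leading size field
	if size < 24 || size > uint64(cd-8) || le.Uint64(apk[cd-int(size)-8:]) != size {
		return false, false, fmt.Errorf("inconsistent signing block size")
	}
	for pairs := apk[cd-int(size) : cd-24]; len(pairs) >= 12; {
		n := le.Uint64(pairs) // length of ID plus value
		if n < 4 || n > uint64(len(pairs)-8) {
			return v2, v3, fmt.Errorf("truncated ID-value pair")
		}
		v2, v3 = v2 || le.Uint32(pairs[8:]) == idV2, v3 || le.Uint32(pairs[8:]) == idV3
		pairs = pairs[8+n:]
	}
	return v2, v3, nil
}

// sampleAPK builds a constructed ZIP-shaped buffer (no entries, dummy values), not a real APK.
func sampleAPK(ids ...uint32) []byte {
	le, out, pairs := binary.LittleEndian, make([]byte, 40), []byte(nil)
	for _, id := range ids {
		pairs = append(le.AppendUint32(le.AppendUint64(pairs, 8), id), 0, 0, 0, 0)
	}
	if size := uint64(len(pairs) + 24); len(ids) > 0 {
		out = append(le.AppendUint64(append(le.AppendUint64(out, size), pairs...), size), magic...)
	}
	eocd := le.AppendUint32(append([]byte("PK\x05\x06"), make([]byte, 12)...), uint32(len(out)))
	return append(out, append(eocd, 0, 0)...) // 22-byte record with an empty comment
}

func main() { fmt.Println(SigSchemes(sampleAPK(idV2, idV3))) }
```

A result of `false false` with a nil error means the file has no signing block, which is the v1-only state this issue describes.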

Labels: NeedsFix (The path to resolution is known, but the work has not been done.), help wanted, mobile (Android, iOS, and x/mobile)