Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upx/mobile: Add support for signing Android applications using v2+ scheme #38439
Labels
Milestone
Comments
andybons
added
NeedsInvestigation
help wanted
NeedsFix
and removed
NeedsInvestigation
labels
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Note:
This was suggested as part of the security issue filed as part of #38438 and might be relevant.
Description:
The signing of Android applications in gomobile is currently using the old v1 signing scheme and not the new and improved v2 or v3 schemes that have been available for quite some time now. See the Application Signing documentation for more information regarding the various signing schemes.
The v2+ schemes introduce both security and performance improvements and could be beneficial for improving the application signing. There are two way that this could be done due to v2+ being compatible on older Android phones as long as applications are signed with both (or possibly all three) protocols. This means that we could fix the security issue mentioned in #38438 and still sign with the v1 scheme for supporting Android 7 and below, but also sign with v2+ for better security and install performance on newer versions. Another possible way to solve it would be to drop support for v1 and just support v2+ and thus Android 7 and newer. The choice of the best option depends on how you look at it, but I will leave that to someone else to decide.