fix: add release keystore signing to CI to fix self-update installs

Without a consistent signing key, each CI build was signed with the
ephemeral debug keystore from the Flutter container — causing Android
to reject updates with INSTALL_FAILED_UPDATE_INCOMPATIBLE.

Secrets stored in repo: RELEASE_KEYSTORE_BASE64, RELEASE_KEYSTORE_PASSWORD,
RELEASE_KEY_ALIAS. CI decodes the keystore and writes key.properties
before building so every release APK is signed identically.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-26 23:41:56 -04:00
parent 2bdd663719
commit 399da397da
2 changed files with 11 additions and 0 deletions
+10
View File
@@ -54,6 +54,16 @@ jobs:
- name: Install dependencies
run: flutter pub get
- name: Set up release signing
env:
KEYSTORE_B64: ${{ secrets.RELEASE_KEYSTORE_BASE64 }}
STORE_PASSWORD: ${{ secrets.RELEASE_KEYSTORE_PASSWORD }}
KEY_ALIAS: ${{ secrets.RELEASE_KEY_ALIAS }}
run: |
echo "$KEYSTORE_B64" | base64 -d > android/app/release.jks
printf 'storePassword=%s\nkeyPassword=%s\nkeyAlias=%s\nstoreFile=release.jks\n' \
"$STORE_PASSWORD" "$STORE_PASSWORD" "$KEY_ALIAS" > android/key.properties
- name: Build release APK
run: |
# Derive version from the tag (e.g. v26.03.12 → name=26.03.12 number=260312)
+1
View File
@@ -10,3 +10,4 @@ GeneratedPluginRegistrant.java
# Signing secrets — never commit these
key.properties
fabled-release-key.jks
app/release.jks