From 399da397da15584fed614f4278cae22f1b2dd558 Mon Sep 17 00:00:00 2001 From: bvandeusen Date: Thu, 26 Mar 2026 23:41:56 -0400 Subject: [PATCH] fix: add release keystore signing to CI to fix self-update installs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without a consistent signing key, each CI build was signed with the ephemeral debug keystore from the Flutter container — causing Android to reject updates with INSTALL_FAILED_UPDATE_INCOMPATIBLE. Secrets stored in repo: RELEASE_KEYSTORE_BASE64, RELEASE_KEYSTORE_PASSWORD, RELEASE_KEY_ALIAS. CI decodes the keystore and writes key.properties before building so every release APK is signed identically. Co-Authored-By: Claude Sonnet 4.6 --- .forgejo/workflows/ci.yml | 10 ++++++++++ android/.gitignore | 1 + 2 files changed, 11 insertions(+) diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index 465dbda..c054629 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -54,6 +54,16 @@ jobs: - name: Install dependencies run: flutter pub get + - name: Set up release signing + env: + KEYSTORE_B64: ${{ secrets.RELEASE_KEYSTORE_BASE64 }} + STORE_PASSWORD: ${{ secrets.RELEASE_KEYSTORE_PASSWORD }} + KEY_ALIAS: ${{ secrets.RELEASE_KEY_ALIAS }} + run: | + echo "$KEYSTORE_B64" | base64 -d > android/app/release.jks + printf 'storePassword=%s\nkeyPassword=%s\nkeyAlias=%s\nstoreFile=release.jks\n' \ + "$STORE_PASSWORD" "$STORE_PASSWORD" "$KEY_ALIAS" > android/key.properties + - name: Build release APK run: | # Derive version from the tag (e.g. v26.03.12 → name=26.03.12 number=260312) diff --git a/android/.gitignore b/android/.gitignore index 746e499..0da9a1b 100644 --- a/android/.gitignore +++ b/android/.gitignore @@ -10,3 +10,4 @@ GeneratedPluginRegistrant.java # Signing secrets — never commit these key.properties fabled-release-key.jks +app/release.jks