Closed
Bug 1396496
Opened 7 years ago
Closed 7 years ago
Zerda for Android - internal alpha - Signing & Upload
Categories
(Release Engineering :: Release Requests, enhancement)
Release Engineering
Release Requests
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: wesley_huang, Unassigned)
References
Details
Attachments
(1 file, 7 obsolete files)
3.39 MB,
application/vnd.android.package-archive
|
Details |
We want to release Project Zerda after code complete, for Mozillians to dogfooding
I'll attach the release APKs to this bug. We need to sign them with the release keys and upload them to Google Play.
Comment 1•7 years ago
|
||
jlorenzo: You mentioned that another bug documents the steps to create release keys - is this the bug 1366003 or is there another one?
Flags: needinfo?(jlorenzo)
Comment 2•7 years ago
|
||
Bug 1371318 has the steps for creating a new release key
Flags: needinfo?(jlorenzo)
Reporter | ||
Updated•7 years ago
|
Flags: needinfo?(max)
Comment 3•7 years ago
|
||
Flags: needinfo?(max)
Comment 4•7 years ago
|
||
Attachment #8906637 -
Attachment is obsolete: true
Reporter | ||
Comment 5•7 years ago
|
||
(In reply to Johan Lorenzo [:jlorenzo] from comment #4)
> Created attachment 8906638 [details]
> app-zerda-beta-943_signed-aligned.apk
There is a blocking issue found earlier today for this v943.
So we'll fix and provide another apk.
Comment 6•7 years ago
|
||
Comment 7•7 years ago
|
||
APK signed. I see Sylvestre wasn't CC'd on the bug. Would you like to upload it, Sylvestre?
Attachment #8906638 -
Attachment is obsolete: true
Attachment #8906990 -
Attachment is obsolete: true
Flags: needinfo?(sledru)
Comment 8•7 years ago
|
||
I would like but I can't:
---
Upload failed
You uploaded an APK that is not signed with the upload certificate. You must use the same certificate. The upload certificate has fingerprint:
[ SHA1: 89:56:XX ]
and the certificate used to sign the APK you uploaded have fingerprint:
[ SHA1: 63:0F:XX ]
---
Flags: needinfo?(sledru) → needinfo?(jlorenzo)
Comment 9•7 years ago
|
||
Sylvestre and I investigated. It turns out there was 1 dummy APK already uploaded. Google Play is pretty simple in terms of trusting signing keys: It trusts the key of the first APK (it's a "trust on first use" model).
Then, the dummy APK made the keys generated in bug 1396871, unusable. Sylvestre sees 3 scenarios:
a. We keep using the first signing key (the one of the dummy APK).
b. We contact Google Play support so they purge org.mozilla.zerda, and we upload a real first APK.
c. We create a new Google Play product with a different namespace. For instance: org.mozilla.rocket
I'd go with solution c, it's the fastest and most secure.
Solution a is risky: the machine that generated the signing key is a workstation, which was connected to a lot of different networks/services. The key generator may have been compromised. Moreover, the private key might have been stored insecurely.
Solution b would be the simplest. However, I doubt Google has a way to delete products, given our previous history[1].
Max, what do you think?
[1] https://johanlorenzo.github.io/blog/2017/06/12/part-3-how-mozilla-publishes-apks-onto-google-play-store-in-a-reasonably-secure-and-automated-way.html#there-is-no-way-to-rollback-to-previous-apks-even-if-you-ask-a-human
Flags: needinfo?(jlorenzo) → needinfo?(max)
Comment 10•7 years ago
|
||
It's super surprise to me that it is our first-time bump to this problem. I thought the pair of upload key and package name is locked permanently in first upload apk is BASIC principle Google Play operation.
Please make sure this won't happen so easily next time. In our case this time, we only have to revoke the adjust token. In other scenarios, e.g. Leanplum/Firebase/GCE, we may have to replace all the credential bound to deprecate package name. This will block release-candidate testing when it was getting more close to launch date.
I will provide apk with solution C, with package name "org.mozilla.rocket"
Flags: needinfo?(max)
Comment 11•7 years ago
|
||
Attachment #8907018 -
Attachment is obsolete: true
Comment 12•7 years ago
|
||
I'm sorry and I understand this unpleasantness. As far as I've seen, dummy APKs have never been uploaded to previous project. It's a first.
I don't see a way to have an automated check, on our end. Google doesn't even show a warning message the first time you upload APKs. Then, humans will have to be careful. This may blow back to us again.
I'll file a request to Google, to see if they can improve their workflow. That's our best bet, I think.
Attachment #8907558 -
Attachment is obsolete: true
Flags: needinfo?(sledru)
Comment 13•7 years ago
|
||
I just chatted with the Google Play support. The person said it was a valid piece of feedback. She will transmit it to the right team. However, we won't have a way to track it. She said we could follow their tech blog[1] to see if that features gets in.
[1] https://android-developers.googleblog.com/
Comment 14•7 years ago
|
||
OK.
1) I removed the zerda app
2) I created the rocket app
3) I updated the permissions for the two users having access to zerda
4) I uploaded the signed apk to the alpha track, worked fine
Now, we have to update the listing to be able to publish it
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(sledru)
Resolution: --- → FIXED
Comment 15•7 years ago
|
||
Hi Johan,
We have finished the beta testing and this version is ready for beta launch. Would you help to sign the apk, please? Thank you.
Hi Sylvestre,
After upload apk to google play console, would you help to add the google plus community as testers, please? Thank you.
https://plus.google.com/communities/105550538379640131671
Attachment #8907581 -
Attachment is obsolete: true
Flags: needinfo?(sledru)
Flags: needinfo?(jlorenzo)
Comment 16•7 years ago
|
||
The listing has to be updated to be able to publish anything.
Flags: needinfo?(sledru)
Comment 17•7 years ago
|
||
Attachment #8907968 -
Attachment is obsolete: true
Flags: needinfo?(jlorenzo)
Reporter | ||
Comment 18•7 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #16)
> The listing has to be updated to be able to publish anything.
all green now.
You need to log in
before you can comment on or make changes to this bug.
Description
•