Build fails with "found extra signing block"

Hi all,

I am again having issues trying to build my app. The problem seems to be

DEBUG: Problem: found extra signing block 'Dependency metadata'

In the last successful build, the log had, at the same place,

DEBUG: Using APK Signature v2

What am I doing wrong?

See Run scan for `DependencyInfoBlock` on a full repo mirror (#3330) · Issues · F-Droid / Data · GitLab

Build succeeds now, thanks!

But I don’t claim to have understood the issue. Is this a new verification check, or have I changed something in my build.gradle file by accident?

I have read APK Signing Block considerations (#1056) · Issues · F-Droid / fdroidserver · GitLab but I don’t understand what it is about.

I think I have understood it now. I’ll try to put it in my words:

The APK certificate block as specified by Google has some optional extensions that are poorly documented. This is not intended to be part of the app, but would in principle allow for code snippets to be hidden there. As F-Droid has no means of checking this certificate block, it must be banned from apps. This is verified now and has not been done before.

And the following entry in build.gradle suppresses this extension:

android {
    dependenciesInfo {
        includeInApk = false
        includeInBundle = false
    }
}

Correct?

yes

we don’t like the secret nature of it

The data is compressed, encrypted by a Google Play signing key, and stored in the signing block of your release app.
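
To check which blocks an APK carries before submitting a build, the following added example (not part of this thread and not fdroidserver's own code) walks the APK Signing Block and reports any ID outside an allow-list. The block IDs are the ones used in apksigcopier/fdroidserver; the allow-list, the function names and the sample input are assumptions made for illustration.

```python
import struct

MAGIC = b"APK Sig Block 42"
# Block IDs as defined in apksigcopier/fdroidserver (assumption: not given in this thread).
NAMES = {0x7109871A: "APK Signature v2", 0xF05368C0: "APK Signature v3",
         0x42726577: "verity padding", 0x504B4453: "Dependency metadata"}
# Illustrative allow-list: signature schemes and padding only.
ALLOWED = {0x7109871A, 0xF05368C0, 0x42726577}


def signing_block_ids(apk: bytes) -> list[int]:
    """Return the IDs of all ID-value pairs in the APK Signing Block."""
    eocd = apk.rfind(b"PK\x05\x06")  # ZIP end-of-central-directory record
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("not a ZIP file")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # The block sits directly before the central directory and ends with MAGIC.
    if cd_offset < 32 or apk[cd_offset - 16:cd_offset] != MAGIC:
        return []  # no signing block (v1-only or unsigned APK)
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent signing block size fields")
    pos, end, ids = start + 8, cd_offset - 24, []
    while pos < end:
        if pos + 12 > end:
            raise ValueError("truncated pair header")
        length, block_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("pair length out of bounds")
        ids.append(block_id)
        pos += 8 + length
    return ids


def extra_blocks(apk: bytes) -> list[str]:
    """Names of blocks outside the allow-list, as a scanner would report them."""
    return [NAMES.get(i, hex(i)) for i in signing_block_ids(apk) if i not in ALLOWED]


def sample_apk(pairs) -> bytes:
    """Constructed input: a signing block plus an empty ZIP central directory."""
    body = b"".join(struct.pack("<QI", len(v) + 4, i) + v for i, v in pairs)
    size = len(body) + 24
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC
    return block + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 0, 0, 0, len(block), 0)


if __name__ == "__main__":
    print(extra_blocks(sample_apk([(0x7109871A, b"sig"), (0x504B4453, b"opaque")])))
```

For a real file, pass `open(path, "rb").read()` to `extra_blocks`; an empty list means only signature and padding blocks were found.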