What's wrong with my signing key?

Hello Community

I have created an fdroid repo on my Fedora server. When I type “fdroid update”, I get the following critical errors:

    CRITICAL: 'keystorepass' not found in config.yml!
    CRITICAL: This command requires a signing key, you can create one using: fdroid update --create-key

I have a keystore.p12 file inside the fdroid folder and created the key using this command:

    keytool -genkeypair -alias fdroid -keyalg RSA -keystore keystore.p12

Following the config.yml file:

    # Copy this file to config.yml, then amend the settings below according to
    # your system configuration.
    repo_url: https://my_website.com/fdroid/repo
    repo_name: My-App F-Droid repository
    repo_description: MyApp Fdroid app repository
    keypass: keYFromSigningKey
    repo_keyalias: fdroid

Now my question is: What am I missing here? I already have a keystore file and provided the password for it inside the config file. But I only created one password, not two (keypass and keystorepass?). Did I use the wrong command for creating the key?

After 90 days, the key expires as it says. How can I update/create a new key without breaking the repository? Thank you all for your help.

    fdroid update --create-metadata --delete-unknown --pretty --verbose --create-key

<---- notice the last parameter? :)

Yes, but I already created one and signed the app with it. Do I need to create a new one with fdroid update --create-key?

Sorry, I am very new to fdroid and don’t wanna mess it up now, before the first app release.
Don’t I need to give it a password when creating it with this command?

@Izzy thoughts?

@Licaon_Kter
Could you please make me a list of commands to create a key, correctly sign the app with it and publish/update my repo?

I think, this is the easiest way to do it.
Please, I would love to have an fdroid repo now. Thank you.

I already did…

Also: Setup an F-Droid App Repo | F-Droid - Free and Open Source Android App Repository

Also see: Setting up a simple binary F-Droid repo (based on how I set up mine). Also make sure to run the fdroid commands from inside your repo root.

Thanks, so now when I follow the manual, in the section “Create your first repo”, the following error shows up when I run fdroid update --create-key:

    2023-05-29 17:03:41,152 WARNING: unsafe permissions on 'config.yml' (should be 0600)!
    2023-05-29 17:03:41,154 INFO: Using /root/android/build-tools/30.0.0-preview/apksigner 
    2023-05-29 17:03:41,155 WARNING: repo_icon "repo/icons/icon.png" does not exist! Check "config.yml".
    2023-05-29 17:03:41,157 INFO: Generating a new key in "keystore.p12"...
    2023-05-29 17:03:44,763 INFO: Alias name: fdroid
    Creation date: May 29, 2023
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=fdroid, OU=F-Droid
    Issuer: CN=fdroid, OU=F-Droid
    Serial number: 1bc2919ca6d38e90
    Valid from: Mon May 29 17:03:43 CEST 2023 until: Fri Oct 14 17:03:43 CEST 2050
    Certificate fingerprints:
    	 SHA1: 35:78:9F:97:EB:3A:85:F8:E0:C7:47:9C:CE:49:FE:4A:C0:12:8A:07
    	 SHA256: 65:71:2D:2C:C4:07:4F:16:2E:31:AC:F8:5F:71:B1:65:8C:AB:D8:5B:F7:02:B8:9B:CF:83:42:EC:23:C8:85:B4
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 4096-bit RSA key
    Version: 3

    Extensions: 

    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: F3 62 75 07 E3 28 1B 51   16 FF 05 7F 32 5B 0B 33  .bu..(.Q....2[.3
    0010: E4 D5 C7 16                                        ....
    ]
    ]


    2023-05-29 17:03:46,063 INFO: Creating signed index with this key (SHA256):
    2023-05-29 17:03:46,063 INFO: 65 71 2D 2C C4 07 4F 16 2E 31 AC F8 5F 71 B1 65 8C AB D8 5B F7 02 B8 9B CF 83 42 EC 23 C8 85 B4
    2023-05-29 17:03:46,867 WARNING: repo_icon "repo/icons/icon.png" does not exist, generating placeholder.
    2023-05-29 17:03:47,989 CRITICAL: Failed to sign repo/entry.jar: Failed to load signer "signer #1"
    java.io.IOException: Failed to obtain key with alias "fdroid" from keystore.p12. Wrong password?
    	at com.android.apksigner.SignerParams.loadPrivateKeyAndCertsFromKeyStore(SignerParams.java:320)
    	at com.android.apksigner.SignerParams.loadPrivateKeyAndCerts(SignerParams.java:181)
    	at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:277)
    	at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:83)
    Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:450)
    	at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91)
    	at java.base/java.security.KeyStore.getKey(KeyStore.java:1050)
    	at com.android.apksigner.SignerParams.getKeyStoreKey(SignerParams.java:375)
    	at com.android.apksigner.SignerParams.loadPrivateKeyAndCertsFromKeyStore(SignerParams.java:288)
    	... 3 more
    Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    	at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:862)
    	at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:942)
    	at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:735)
    	at java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:196)
    	at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2205)
    	at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:371)
    	at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
    	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
    	... 7 more

I first deleted the keystore.p12 file. What the hell am I doing wrong all the time?
What does “a bad key is used” mean? Can someone help me?
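
A pre-flight check for the signing settings that come up in this thread ('keystorepass' missing from config.yml, the 0600 permission warning), as an added example that is not from any poster or from the F-Droid project. It assumes a flat config.yml, a `keystore` setting that defaults to keystore.p12, and that a PKCS12 keystore made with keytool uses one password for both the store and the key; the function names and the sample password are made up for illustration.

```python
import os
import stat
import tempfile

# Constructed sample modelled on the config.yml in the first post (placeholder password).
SAMPLE = """\
repo_url: https://my_website.com/fdroid/repo
repo_keyalias: fdroid
keypass: EXAMPLE-PASSWORD
"""

def parse_flat_yaml(text):
    """Assumption: only top-level 'key: value' lines matter; no nesting or lists."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "# \t":
            continue
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip().strip("'\"")
    return cfg

def check_signing_config(path):
    """Return a list of problems with the signing settings in an fdroid config.yml."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit exposes the passwords stored in the file
        problems.append(f"mode {mode:04o}, should be 0600")
    with open(path, encoding="utf-8") as fh:
        cfg = parse_flat_yaml(fh.read())
    for key in ("repo_keyalias", "keystorepass", "keypass"):
        if not cfg.get(key):
            problems.append(f"'{key}' not set")
    keystore = cfg.get("keystore", "keystore.p12")  # assumed default file name
    ks, kp = cfg.get("keystorepass"), cfg.get("keypass")
    if keystore.endswith((".p12", ".pfx")) and ks and kp and ks != kp:
        problems.append("keypass differs from keystorepass (PKCS12 shares one password)")
    return problems

def demo(text=SAMPLE, mode=0o644):
    """Write text to a temporary config.yml with the given mode and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.yml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return check_signing_config(path)

if __name__ == "__main__":
    for problem in demo():
        print("PROBLEM:", problem)
```

Run it from the repo root against the real file with `check_signing_config("config.yml")`; an empty list means the settings it looks at are consistent, not that the passwords match the keystore.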