feat(package_info_plus)!: Switch to SHA-256 for buildSignature on Android #2835

Merged
merged 2 commits into from
Apr 15, 2024

miquelbeltran
Member

@miquelbeltran miquelbeltran commented Apr 10, 2024

Description

  • As discussed in [Bug]: Insecure hashing algorithm SHA1 used #2833, the use of SHA-1 should be avoided.
  • Besides, some security analysis tools may give a warning when analyzing the Android APK for using SHA1.
  • This change encourages users to switch to SHA-256 for the application certificate fingerprint verification.
  • An alternative solution to this problem would be to remove the buildSignature completely, but I'd avoid doing that since we can use SHA-256 instead.

Thanks to @vitoramaral10 for the heads-up and providing the code!

Related Issues

Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • I titled the PR using Conventional Commits.
  • I did not modify the CHANGELOG.md nor the plugin version in pubspec.yaml files.
  • All existing and new tests are passing.
  • The analyzer (flutter analyze) does not report any problems on my PR.

Breaking Change

Does your PR require plugin users to manually update their apps to accommodate your change?

  • Yes, this is a breaking change (please indicate that with a ! in the title as explained in Conventional Commits).
  • No, this is not a breaking change.
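
An added example (not code from this PR or from package_info_plus) of how an app that compares `buildSignature` against a pinned certificate fingerprint could handle the switch. It distinguishes a leftover 40-character SHA-1 value from a real mismatch. `SignatureCheck`, `checkBuildSignature`, `verifyInstalledApp` and `pinnedSha256` are hypothetical names, and the pinned value is a placeholder to replace with your own release certificate's SHA-256 fingerprint.

```dart
// Added example; names other than PackageInfo/buildSignature are hypothetical.
import 'package:package_info_plus/package_info_plus.dart';

enum SignatureCheck { match, mismatch, legacySha1, malformed }

const _sha1HexLength = 40; // 160-bit digest
const _sha256HexLength = 64; // 256-bit digest
final _hexOnly = RegExp(r'^[0-9a-f]+$');

/// Lower-cases and strips the ':' and whitespace separators found in
/// keytool-style fingerprints, so both spellings of one digest compare equal.
String normalizeFingerprint(String value) =>
    value.replaceAll(RegExp(r'[:\s]'), '').toLowerCase();

SignatureCheck checkBuildSignature(String reported, String pinned) {
  final r = normalizeFingerprint(reported);
  final p = normalizeFingerprint(pinned);
  // Empty strings (e.g. non-Android platforms) and non-hex input end here.
  if (!_hexOnly.hasMatch(r) || !_hexOnly.hasMatch(p)) {
    return SignatureCheck.malformed;
  }
  // Either side still carrying a SHA-1 digest means the pin or the plugin
  // version has not been migrated; report that instead of a plain mismatch.
  if (r.length == _sha1HexLength || p.length == _sha1HexLength) {
    return SignatureCheck.legacySha1;
  }
  if (r.length != _sha256HexLength || p.length != _sha256HexLength) {
    return SignatureCheck.malformed;
  }
  // Compare every position rather than returning at the first difference.
  var diff = 0;
  for (var i = 0; i < _sha256HexLength; i++) {
    diff |= r.codeUnitAt(i) ^ p.codeUnitAt(i);
  }
  return diff == 0 ? SignatureCheck.match : SignatureCheck.mismatch;
}

// Placeholder: replace with the SHA-256 fingerprint of your signing certificate.
const pinnedSha256 = '<SHA-256 fingerprint of your release certificate>';

Future<SignatureCheck> verifyInstalledApp() async {
  final info = await PackageInfo.fromPlatform();
  return checkBuildSignature(info.buildSignature, pinnedSha256);
}
```

With the placeholder left in place the check returns `SignatureCheck.malformed`, so a forgotten pin fails closed rather than matching anything.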

@miquelbeltran miquelbeltran changed the title from "fix(package_info_plus)!: Switch to SHA-256 for buildSignature on Android" to "feat(package_info_plus)!: Switch to SHA-256 for buildSignature on Android" Apr 10, 2024
@miquelbeltran miquelbeltran marked this pull request as ready for review April 10, 2024 18:59
@miquelbeltran miquelbeltran merged commit 7259af2 into main Apr 15, 2024
21 of 22 checks passed
@miquelbeltran miquelbeltran deleted the miquelbeltran/2833 branch April 15, 2024 20:48
Development

Successfully merging this pull request may close these issues.

[Bug]: Insecure hashing algorithm SHA1 used