From eb18a71fa4dad28cf29ea26c8cc2e681524635f1 Mon Sep 17 00:00:00 2001 From: ifedan-ed Date: Sun, 29 Mar 2026 00:51:42 +0000 Subject: [PATCH] Fix APK signing: use apksigner directly instead of broken r0adkll action The r0adkll/sign-android-release@v1 hardcodes build-tools 29.0.3 which isn't available. Now uses apksigner from the latest installed build-tools directly with zipalign + sign + verify steps. --- .github/workflows/build-apk.yml | 50 ++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build-apk.yml b/.github/workflows/build-apk.yml index 9f8846c..bf0b4fa 100644 --- a/.github/workflows/build-apk.yml +++ b/.github/workflows/build-apk.yml @@ -46,31 +46,43 @@ jobs: ./gradlew assembleRelease -PTWA_HOST="${TWA_HOST}" - name: Sign APK - if: success() - uses: r0adkll/sign-android-release@v1 - id: sign - with: - releaseDirectory: android/app/build/outputs/apk/release - signingKeyBase64: ${{ secrets.ANDROID_SIGNING_KEY }} - alias: ${{ secrets.ANDROID_KEY_ALIAS }} - keyStorePassword: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }} - keyPassword: ${{ secrets.ANDROID_KEY_PASSWORD }} - - - name: Rename signed APK - if: steps.sign.outcome == 'success' + if: success() && env.HAS_SIGNING_KEY == 'true' + env: + HAS_SIGNING_KEY: ${{ secrets.ANDROID_SIGNING_KEY != '' }} run: | - SIGNED=$(find android/app/build/outputs/apk/release -name "*-signed.apk" | head -1) - if [ -n "$SIGNED" ]; then - cp "$SIGNED" android/app/build/outputs/apk/release/PedScribe-v${{ github.ref_name }}-signed.apk - fi + # Decode signing key + echo "${{ secrets.ANDROID_SIGNING_KEY }}" | base64 -d > /tmp/release.jks + + # Find the latest build-tools version + BUILD_TOOLS=$(ls -d $ANDROID_HOME/build-tools/*/ | sort -V | tail -1) + echo "Using build-tools: $BUILD_TOOLS" + + UNSIGNED=$(find android/app/build/outputs/apk/release -name "*.apk" | head -1) + echo "Signing: $UNSIGNED" + + # Zipalign + ${BUILD_TOOLS}zipalign -v -p 4 "$UNSIGNED" /tmp/aligned.apk + + # Sign with apksigner + ${BUILD_TOOLS}apksigner sign \ + --ks /tmp/release.jks \ + --ks-key-alias "${{ secrets.ANDROID_KEY_ALIAS }}" \ + --ks-pass "pass:${{ secrets.ANDROID_KEYSTORE_PASSWORD }}" \ + --key-pass "pass:${{ secrets.ANDROID_KEY_PASSWORD }}" \ + --out android/app/build/outputs/apk/release/PedScribe-v9-signed.apk \ + /tmp/aligned.apk + + # Verify + ${BUILD_TOOLS}apksigner verify --print-certs android/app/build/outputs/apk/release/PedScribe-v9-signed.apk + + # Cleanup + rm -f /tmp/release.jks /tmp/aligned.apk - name: Upload APK to Release if: startsWith(github.ref, 'refs/tags/') uses: softprops/action-gh-release@v2 with: - files: | - android/app/build/outputs/apk/release/*-signed.apk - android/app/build/outputs/apk/release/app-release-unsigned.apk + files: android/app/build/outputs/apk/release/*.apk generate_release_notes: true - name: Upload artifact