Merge branch 'release/2.11.3'

tchapgouv · May 14, 2024 · 3a40f86 · 3a40f86
2 parents cb5ca07 + 1c18dbd
commit 3a40f86
Show file tree

Hide file tree

Showing 7 changed files with 161 additions and 7 deletions.
diff --git a/TCHAP_CHANGES.md b/TCHAP_CHANGES.md
@@ -1,3 +1,15 @@
+Changes in Tchap 2.11.3 (2024-05-14)
+====================================
+
+Features ✨
+----------
+ - Activation des appels vocaux pour toutes les instances. ([#1043](https://github.com/tchapgouv/tchap-android/issues/1043))
+
+Other changes
+-------------
+ - Mise à jour du lien du serveur de notification sur dev ([#1041](https://github.com/tchapgouv/tchap-android/issues/1041))
+
+
 Changes in Tchap 2.11.2 (2024-04-30)
 ====================================
 

diff --git a/tools/release/sign_all_apks_yubi.sh b/tools/release/sign_all_apks_yubi.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# Copy and adaptation of ./sign_all_apks.sh, which takes 2 more params: key store pass and the path of PKCS11 config file.
+# It's unsafe to use it because it takes password as parameter, so passwords will
+# remain in the terminal history.
+
+set -e
+
+if [ "$#" -ne 2 ]
+then
+  echo "Usage: ./tools/release/sign_all_apks_yubi \$PKCS11_CONFIG_PATH \$FOLDER"
+  exit 1
+fi
+
+# Get the command line parameters
+PARAM_PKCS11_CONFIG_PATH=$1
+PARAM_DIRECTORY=$2
+CHECKSUM_FILE="checksums.txt"
+
+if [ ! -f "$PARAM_PKCS11_CONFIG_PATH" ]
+then
+    echo "$PARAM_PKCS11_CONFIG_PATH does not exist. Please install yubico-piv-tool (doc: https://developers.yubico.com/PIV/Guides/Android_code_signing.html)"
+    exit 1
+fi
+
+read -p "Please enter the artifact URL: " artifactUrl
+read -s -p "Please enter your GitHub token: " gitHubToken
+
+printf "\n================================================================================\n"
+printf "Downloading the artifact...\n"
+
+# Ignore error
+set +e
+
+python3 ./tools/release/download_github_artifacts.py \
+    --token ${gitHubToken} \
+    --artifactUrl ${artifactUrl} \
+    --directory ${PARAM_DIRECTORY} \
+    --ignoreErrors
+
+# Do not ignore error
+set -e
+
+printf "\n================================================================================\n"
+printf "Unzipping the artifact...\n"
+
+unzip ${PARAM_DIRECTORY}/GplayTchapWithdmvoipWithpinning-release-unsigned.zip -d ${PARAM_DIRECTORY}
+
+# Flatten folder hierarchy
+mv ${PARAM_DIRECTORY}/gplayTchapWithdmvoipWithpinning/release/* ${PARAM_DIRECTORY}
+rm -rf ${PARAM_DIRECTORY}/gplayTchapWithdmvoipWithpinning
+
+read -s -p "Enter your PIN: " pin
+
+printf "\n================================================================================\n"
+printf "Signing the APKs...\n"
+
+# Sign, Rename and Hash all the apks in the directory PARAM_DIRECTORY
+for file in ${PARAM_DIRECTORY}/*.apk
+do
+  sh ./tools/release/sign_apk_yubi.sh "${PARAM_PKCS11_CONFIG_PATH}" "${file}" "${pin}"
+
+  # Rename Apk: remove unsigned by signed
+  apkName="$(echo ${file} | sed -e 's/\-unsigned/-signed/')" ;
+  mv "${file}" "${apkName}" ;
+
+  # Hash application with SHA 256
+  echo "Hash SHA 256 on file... ${apkName}"
+  result="$(shasum "-a" "256" ${apkName})"
+
+  # Save hash in file: Checksum.txt
+  resultSplit=(${result})
+  newName="$(echo ${resultSplit[1]} | sed 's/.*\///')"
+  echo "SHA256(${newName})=${resultSplit[0]}" >> ${PARAM_DIRECTORY}/${CHECKSUM_FILE}
+done
+
+unset pin
+
+echo "done !! :)"
diff --git a/tools/release/sign_apk_yubi.sh b/tools/release/sign_apk_yubi.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+# Copy and adaptation of ./sign_apk.sh, which takes 2 more params: key store pass and the path of PKCS11 config file.
+# It's unsafe to use it because it takes password as parameter, so passwords will
+# remain in the terminal history.
+
+set -e
+
+if [[ -z "${ANDROID_HOME}" ]]; then
+    echo "Env variable ANDROID_HOME is not set, should be set to something like ~/Library/Android/sdk"
+    exit 1
+fi
+
+if [[ "$#" -ne 3 ]]; then
+  echo "Usage: $0 PKCS11_CONFIG_PATH APK KS_PASS" >&2
+  exit 1
+fi
+
+# Get the command line parameters
+PARAM_PKCS11_CONFIG_PATH=$1
+PARAM_APK=$2
+PARAM_KS_PASS=$3
+
+# Other params
+BUILD_TOOLS_VERSION="31.0.0"
+MIN_SDK_VERSION=21
+BUILD_TOOLS_PATH=${ANDROID_HOME}/build-tools/${BUILD_TOOLS_VERSION}
+
+if [[ ! -d ${BUILD_TOOLS_PATH} ]]; then
+    printf "Fatal: ${BUILD_TOOLS_PATH} folder not found, ensure that you have installed the SDK version ${BUILD_TOOLS_VERSION}.\n"
+    exit 1
+fi
+
+echo "\n\nSigning ${PARAM_APK} with build-tools version ${BUILD_TOOLS_VERSION} for min SDK version ${MIN_SDK_VERSION}..."
+
+${BUILD_TOOLS_PATH}/apksigner -J-add-exports"=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED" sign \
+    -v \
+    --ks NONE \
+    --ks-pass "pass:${PARAM_KS_PASS}" \
+    --ks-type PKCS11 \
+    --ks-key-alias "X.509 Certificate for PIV Authentication" \
+    --provider-class sun.security.pkcs11.SunPKCS11 \
+    --provider-arg ${PARAM_PKCS11_CONFIG_PATH} \
+    --min-sdk-version ${MIN_SDK_VERSION} \
+    ${PARAM_APK}
+
+# Verify the signature
+echo "\nVerifying the signature..."
+
+# Note: we ignore warning on META-INF files
+${BUILD_TOOLS_PATH}/apksigner verify \
+    -v \
+    --min-sdk-version ${MIN_SDK_VERSION} \
+    ${PARAM_APK} \
+    | grep -v "WARNING: META-INF/"
+
+echo "\nPackage info..."
+${BUILD_TOOLS_PATH}/aapt dump badging ${PARAM_APK} | grep package
+
+echo "\nCongratulations! The APK ${PARAM_APK} is now signed!\n"
diff --git a/towncrier.toml b/towncrier.toml
@@ -1,5 +1,5 @@
 [tool.towncrier]
-    version = "2.11.2"
+    version = "2.11.3"
     directory = "changelog.d"
     filename = "TCHAP_CHANGES.md"
     name = "Changes in Tchap"

diff --git a/vector-app/build.gradle b/vector-app/build.gradle
@@ -37,7 +37,7 @@ ext.versionMinor = 11
 // Note: even values are reserved for regular release, odd values for hotfix release.
 // When creating a hotfix, you should decrease the value, since the current value
 // is the value for the next regular release.
-ext.versionPatch = 2
+ext.versionPatch = 3
 
 static def getGitTimestamp() {
     def cmd = 'git show -s --format=%ct'

diff --git a/vector-config/src/devTchap/res/values/config.xml b/vector-config/src/devTchap/res/values/config.xml
@@ -25,6 +25,13 @@
     https://matrix.org/docs/spec/client_server/r0.4.0#id128
     -->
 
+    <!-- Note: pusher_http_url should have path '/_matrix/push/v1/notify' -->
+    <!-- It is the push gateway for FCM embedded distributor -->
+    <string name="pusher_http_url" translatable="false">https://sygnal.tchap.incubateur.net/_matrix/push/v1/notify</string>
+    <!-- Note: default_push_gateway_http_url should have path '/_matrix/push/v1/notify' -->
+    <!-- It is the push gateway for UnifiedPush -->
+    <!-- Tchap: Use empty default push gateway http url -->
+    <string name="default_push_gateway_http_url" translatable="false"> </string>
     <!-- Note: pusher_app_id cannot exceed 64 chars -->
     <string name="pusher_app_id" translatable="false">fr.gouv.tchap.dev.android</string>
 

diff --git a/vector-config/src/tchap/res/values/config-features.xml b/vector-config/src/tchap/res/values/config-features.xml
@@ -4,9 +4,5 @@
     <bool name="tchap_is_key_backup_enabled">true</bool>
     <bool name="tchap_is_thread_enabled">false</bool>
 
-    <string-array name="tchap_is_voip_supported_homeservers" translatable="false">
-        <item>agent.dinum.tchap.gouv.fr</item>
-        <item>agent.diplomatie.tchap.gouv.fr</item>
-        <item>agent.finances.tchap.gouv.fr</item>
-    </string-array>
+    <string-array name="tchap_is_voip_supported_homeservers" translatable="false" />
 </resources>