From 5df7a4f07336b2500115b489ae409ae1b00f0c8b Mon Sep 17 00:00:00 2001
From: yostyle
Date: Tue, 14 May 2024 12:46:40 +0200
Subject: [PATCH 1/7] Add script to sign apks with yubikey
---
tools/release/sign_all_apks_yubi.sh | 83 +++++++++++++++++++++++++++++
tools/release/sign_apk_yubi.sh | 60 +++++++++++++++++++++
2 files changed, 143 insertions(+)
create mode 100755 tools/release/sign_all_apks_yubi.sh
create mode 100755 tools/release/sign_apk_yubi.sh
diff --git a/tools/release/sign_all_apks_yubi.sh b/tools/release/sign_all_apks_yubi.sh
new file mode 100755
index 0000000000..6bdc5229ea
--- /dev/null
+++ b/tools/release/sign_all_apks_yubi.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+# Copy and adaptation of ./sign_all_apks.sh, which takes 2 more params: key store pass and the path of PKCS11 config file.
+# It's unsafe to use it because it takes password as parameter, so passwords will
+# remain in the terminal history.
+
+set -e
+
+if [ "$#" -ne 2 ]
+then
+ echo "Usage: ./tools/release/sign_all_apks_yubi \$PKCS11_CONFIG_PATH \$FOLDER"
+ exit 1
+fi
+
+# Get the command line parameters
+PARAM_PKCS11_CONFIG_PATH=$1
+PARAM_DIRECTORY=$2
+CHECKSUM_FILE="checksums.txt"
+
+if [ ! -f "$PARAM_PKCS11_CONFIG_PATH" ]
+then
+ echo "$PARAM_PKCS11_CONFIG_PATH does not exist. Please install yubico-piv-tool (doc: https://developers.yubico.com/PIV/Guides/Android_code_signing.html)"
+ exit 1
+fi
+
+read -p "Please enter the artifact URL: " artifactUrl
+read -s -p "Please enter your GitHub token: " gitHubToken
+
+printf "\n================================================================================\n"
+printf "Downloading the artifact...\n"
+
+# Ignore error
+set +e
+
+python3 ./tools/release/download_github_artifacts.py \
+ --token ${gitHubToken} \
+ --artifactUrl ${artifactUrl} \
+ --directory ${PARAM_DIRECTORY} \
+ --ignoreErrors
+
+# Do not ignore error
+set -e
+
+printf "\n================================================================================\n"
+printf "Unzipping the artifact...\n"
+
+unzip ${PARAM_DIRECTORY}/GplayTchapWithdmvoipWithpinning-release-unsigned.zip -d ${PARAM_DIRECTORY}
+
+# Flatten folder hierarchy
+mv ${PARAM_DIRECTORY}/gplayTchapWithdmvoipWithpinning/release/* ${PARAM_DIRECTORY}
+rm -rf ${PARAM_DIRECTORY}/gplayTchapWithdmvoipWithpinning
+
+printf "\n================================================================================\n"
+printf "Signing the APKs...\n"
+
+read -s -p "Enter your PIN: " pin
+
+# Sign all the apks in the directory PARAM_DIRECTORY
+for file in ${PARAM_DIRECTORY}/*.apk
+do
+ sh ./tools/release/sign_apk_yubi.sh "${PARAM_PKCS11_CONFIG_PATH}" "${file}" "${pin}"
+done
+
+unset pin
+
+# Rename and Hash all the apks in the directory PARAM_DIRECTORY
+for file in ${PARAM_DIRECTORY}/*.apk
+do
+ # Rename Apk: remove unsigned by signed
+ apkName="$(echo ${file} | sed -e 's/\-unsigned/-signed/')" ;
+ mv "${file}" "${apkName}" ;
+
+ # Hash application with SHA 256
+ echo "Hash SHA 256 on file... ${apkName}"
+ result="$(shasum "-a" "256" ${apkName})"
+
+ # Save hash in file: Checksum.txt
+ resultSplit=(${result})
+ newName="$(echo ${resultSplit[1]} | sed 's/.*\///')"
+ echo "SHA256(${newName})=${resultSplit[0]}" >> ${PARAM_DIRECTORY}/${CHECKSUM_FILE}
+done
+
+echo "done !! :)"
diff --git a/tools/release/sign_apk_yubi.sh b/tools/release/sign_apk_yubi.sh
new file mode 100755
index 0000000000..34b16999a4
--- /dev/null
+++ b/tools/release/sign_apk_yubi.sh
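Review bot: Both secrets this script collects end up on a command line: the GitHub token is expanded into `--token ${gitHubToken}` for the python3 download step and the PIN is the third positional argument of `sign_apk_yubi.sh`, so each is readable in the process list while the command runs; the same applies to `--ks-pass "pass:${PARAM_KS_PASS}"` in `sign_apk_yubi.sh`. apksigner also accepts `--ks-pass env:NAME` (or `stdin`), so the PIN could be handed over as `KS_PASS="${pin}" sh ./tools/release/sign_apk_yubi.sh "${PARAM_PKCS11_CONFIG_PATH}" "${file}"` with `--ks-pass env:KS_PASS` on the signing side; whether `download_github_artifacts.py` can read the token from the environment is not visible here. The header comment is stale as well: it still describes a key-store password parameter and terminal-history exposure, while this script takes the PKCS11 config path and a folder and prompts for the PIN. The `${PARAM_DIRECTORY}` expansions, including the one on the `rm -rf` line, are unquoted and will split on a path that contains spaces.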
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+# Copy and adaptation of ./sign_apk.sh, which takes 2 more params: key store pass and the path of PKCS11 config file.
+# It's unsafe to use it because it takes password as parameter, so passwords will
+# remain in the terminal history.
+
+set -e
+
+if [[ -z "${ANDROID_HOME}" ]]; then
+ echo "Env variable ANDROID_HOME is not set, should be set to something like ~/Library/Android/sdk"
+ exit 1
+fi
+
+if [[ "$#" -ne 3 ]]; then
+ echo "Usage: $0 PKCS11_CONFIG_PATH APK KS_PASS" >&2
+ exit 1
+fi
+
+# Get the command line parameters
+PARAM_PKCS11_CONFIG_PATH=$1
+PARAM_APK=$2
+PARAM_KS_PASS=$3
+
+# Other params
+BUILD_TOOLS_VERSION="31.0.0"
+MIN_SDK_VERSION=21
+BUILD_TOOLS_PATH=${ANDROID_HOME}/build-tools/${BUILD_TOOLS_VERSION}
+
+if [[ ! -d ${BUILD_TOOLS_PATH} ]]; then
+ printf "Fatal: ${BUILD_TOOLS_PATH} folder not found, ensure that you have installed the SDK version ${BUILD_TOOLS_VERSION}.\n"
+ exit 1
+fi
+
+echo "\n\nSigning ${PARAM_APK} with build-tools version ${BUILD_TOOLS_VERSION} for min SDK version ${MIN_SDK_VERSION}..."
+
+${BUILD_TOOLS_PATH}/apksigner -J-add-exports"=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED" sign \
+ -v \
+ --ks NONE \
+ --ks-pass "pass:${PARAM_KS_PASS}" \
+ --ks-type PKCS11 \
+ --ks-key-alias "X.509 Certificate for PIV Authentication" \
+ --provider-class sun.security.pkcs11.SunPKCS11 \
+ --provider-arg ${PARAM_PKCS11_CONFIG_PATH} \
+ --min-sdk-version ${MIN_SDK_VERSION} \
+ ${PARAM_APK}
+
+# Verify the signature
+echo "\nVerifying the signature..."
+
+# Note: we ignore warning on META-INF files
+${BUILD_TOOLS_PATH}/apksigner verify \
+ -v \
+ --min-sdk-version ${MIN_SDK_VERSION} \
+ ${PARAM_APK} \
+ | grep -v "WARNING: META-INF/"
+
+echo "\nPackage info..."
+${BUILD_TOOLS_PATH}/aapt dump badging ${PARAM_APK} | grep package
+
+echo "\nCongratulations! The APK ${PARAM_APK} is now signed!\n"
From 40aaa91516bc44fb086e933feebce5c191471416 Mon Sep 17 00:00:00 2001
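Review bot: A failed `apksigner verify` does not stop this script, because its output is piped into `grep -v "WARNING: META-INF/"` and, without `pipefail`, `set -e` only sees grep's exit status; the script then carries on to the "Congratulations" line. Since the shebang is bash, `set -eo pipefail` at the top would make a verification failure fatal (grep itself only returns non-zero if every output line is filtered out). The same masking applies to `aapt dump badging ${PARAM_APK} | grep package`. `${PARAM_APK}`, `${PARAM_PKCS11_CONFIG_PATH}` and `${BUILD_TOOLS_PATH}` are also expanded unquoted, so a path containing spaces is split into several arguments before it reaches apksigner.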
From: yostyle Date: Tue, 14 May 2024 16:54:31 +0200 Subject: [PATCH 2/7] Fix PR comments --- tools/release/sign_all_apks_yubi.sh | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/tools/release/sign_all_apks_yubi.sh b/tools/release/sign_all_apks_yubi.sh index 6bdc5229ea..eb3a0db09d 100755 --- a/tools/release/sign_all_apks_yubi.sh +++ b/tools/release/sign_all_apks_yubi.sh @@ -50,22 +50,16 @@ unzip ${PARAM_DIRECTORY}/GplayTchapWithdmvoipWithpinning-release-unsigned.zip -d mv ${PARAM_DIRECTORY}/gplayTchapWithdmvoipWithpinning/release/* ${PARAM_DIRECTORY} rm -rf ${PARAM_DIRECTORY}/gplayTchapWithdmvoipWithpinning +read -s -p "Enter your PIN: " pin + printf "\n================================================================================\n" printf "Signing the APKs...\n" -read -s -p "Enter your PIN: " pin - -# Sign all the apks in the directory PARAM_DIRECTORY +# Sign, Rename and Hash all the apks in the directory PARAM_DIRECTORY for file in ${PARAM_DIRECTORY}/*.apk do sh ./tools/release/sign_apk_yubi.sh "${PARAM_PKCS11_CONFIG_PATH}" "${file}" "${pin}" -done - -unset pin - -# Rename and Hash all the apks in the directory PARAM_DIRECTORY -for file in ${PARAM_DIRECTORY}/*.apk -do + # Rename Apk: remove unsigned by signed apkName="$(echo ${file} | sed -e 's/\-unsigned/-signed/')" ; mv "${file}" "${apkName}" ; @@ -80,4 +74,6 @@ do echo "SHA256(${newName})=${resultSplit[0]}" >> ${PARAM_DIRECTORY}/${CHECKSUM_FILE} done +unset pin + echo "done !! :)" From 6c5fbb6d89dd10f1ed19edaad39adc4a0dee4f81 Mon Sep 17 00:00:00 2001 From: yostyle Date: Tue, 14 May 2024 14:41:37 +0200 Subject: [PATCH 3/7] Update sygnal url on dev --- vector-config/src/devTchap/res/values/config.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/vector-config/src/devTchap/res/values/config.xml b/vector-config/src/devTchap/res/values/config.xml index 7a7606622b..7e7a02af0d 100644 --- a/vector-config/src/devTchap/res/values/config.xml 
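Review bot: The merged loop still starts the signing script with `sh ./tools/release/sign_apk_yubi.sh …`, which ignores that script's `#!/usr/bin/env bash` line. Where `sh` is not bash, the `[[ … ]]` tests in it fail as unknown commands inside `if` conditions, which `set -e` does not treat as fatal, so the ANDROID_HOME, argument-count and build-tools checks would be skipped silently before signing. Calling it as `bash ./tools/release/sign_apk_yubi.sh "${PARAM_PKCS11_CONFIG_PATH}" "${file}" "${pin}"`, or executing it directly since it is created with mode 100755, avoids that; its `echo "\n…"` lines may then print the backslashes literally and would be better written with `printf`. The loop body continues outside this hunk.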
+++ b/vector-config/src/devTchap/res/values/config.xml @@ -25,6 +25,13 @@ https://matrix.org/docs/spec/client_server/r0.4.0#id128 --> + + + https://sygnal.tchap.incubateur.net/_matrix/push/v1/notify + + + + fr.gouv.tchap.dev.android From 49e74c20189197aa00ba5c3d56815fa67854da7a Mon Sep 17 00:00:00 2001 From: yostyle Date: Tue, 14 May 2024 14:52:33 +0200 Subject: [PATCH 4/7] add changelog --- changelog.d/1041.misc | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/1041.misc diff --git a/changelog.d/1041.misc b/changelog.d/1041.misc new file mode 100644 index 0000000000..e4f183ad7e --- /dev/null +++ b/changelog.d/1041.misc @@ -0,0 +1 @@ +Mise à jour du lien du serveur de notification sur dev \ No newline at end of file From 59c6417bf449d1477a48d30aaaa256d045b7f06a Mon Sep 17 00:00:00 2001 From: yostyle Date: Tue, 14 May 2024 15:41:04 +0200 Subject: [PATCH 5/7] Enable VoIP for all instances --- vector-config/src/tchap/res/values/config-features.xml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/vector-config/src/tchap/res/values/config-features.xml b/vector-config/src/tchap/res/values/config-features.xml index 4d141f2b07..e30415e59d 100755 --- a/vector-config/src/tchap/res/values/config-features.xml +++ b/vector-config/src/tchap/res/values/config-features.xml @@ -4,9 +4,5 @@ true false - - agent.dinum.tchap.gouv.fr - agent.diplomatie.tchap.gouv.fr - agent.finances.tchap.gouv.fr - + From d7df4127308ef7e3023001b13454a5231c318f3e Mon Sep 17 00:00:00 2001 From: yostyle Date: Tue, 14 May 2024 17:34:35 +0200 Subject: [PATCH 6/7] Add changelog --- changelog.d/1043.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/1043.feature diff --git a/changelog.d/1043.feature b/changelog.d/1043.feature new file mode 100644 index 0000000000..6c75b4953e --- /dev/null +++ b/changelog.d/1043.feature @@ -0,0 +1 @@ +Activation des appels vocaux pour toutes les instances. \ No newline at end of file 
From 1c18dbddc19db66940206082bada79f88b026d5a Mon Sep 17 00:00:00 2001 From: yostyle Date: Tue, 14 May 2024 19:06:19 +0200 Subject: [PATCH 7/7] Update changes --- TCHAP_CHANGES.md | 12 ++++++++++++ changelog.d/1041.misc | 1 - changelog.d/1043.feature | 1 - towncrier.toml | 2 +- vector-app/build.gradle | 2 +- 5 files changed, 14 insertions(+), 4 deletions(-) delete mode 100644 changelog.d/1041.misc delete mode 100644 changelog.d/1043.feature diff --git a/TCHAP_CHANGES.md b/TCHAP_CHANGES.md index f2d529694a..8f9664ae7c 100644 --- a/TCHAP_CHANGES.md +++ b/TCHAP_CHANGES.md @@ -1,3 +1,15 @@ +Changes in Tchap 2.11.3 (2024-05-14) +==================================== + +Features ✨ +---------- + - Activation des appels vocaux pour toutes les instances. ([#1043](https://github.com/tchapgouv/tchap-android/issues/1043)) + +Other changes +------------- + - Mise à jour du lien du serveur de notification sur dev ([#1041](https://github.com/tchapgouv/tchap-android/issues/1041)) + + Changes in Tchap 2.11.2 (2024-04-30) ==================================== diff --git a/changelog.d/1041.misc b/changelog.d/1041.misc deleted file mode 100644 index e4f183ad7e..0000000000 --- a/changelog.d/1041.misc +++ /dev/null @@ -1 +0,0 @@ -Mise à jour du lien du serveur de notification sur dev \ No newline at end of file diff --git a/changelog.d/1043.feature b/changelog.d/1043.feature deleted file mode 100644 index 6c75b4953e..0000000000 --- a/changelog.d/1043.feature +++ /dev/null @@ -1 +0,0 @@ -Activation des appels vocaux pour toutes les instances. \ No newline at end of file diff --git a/towncrier.toml b/towncrier.toml index 6d18b84f3d..a6e8ae5104 100644 --- a/towncrier.toml +++ b/towncrier.toml @@ -1,5 +1,5 @@ [tool.towncrier] - version = "2.11.2" + version = "2.11.3" directory = "changelog.d" filename = "TCHAP_CHANGES.md" name = "Changes in Tchap" diff --git a/vector-app/build.gradle b/vector-app/build.gradle index 85578bdeb4..3511254d0c 100644 --- a/vector-app/build.gradle 
+++ b/vector-app/build.gradle @@ -37,7 +37,7 @@ ext.versionMinor = 11 // Note: even values are reserved for regular release, odd values for hotfix release. // When creating a hotfix, you should decrease the value, since the current value // is the value for the next regular release. -ext.versionPatch = 2 +ext.versionPatch = 3 static def getGitTimestamp() { def cmd = 'git show -s --format=%ct'