APK file attestation

pull/215/head
M66B 4 months ago
parent 1f63fea82e
commit 56076347bd

@ -11,6 +11,12 @@ on:
description: 'Branch' description: 'Branch'
required: true required: true
default: 'master' default: 'master'
permissions:
id-token: write
contents: read
attestations: write
jobs: jobs:
build: build:
@ -52,6 +58,11 @@ jobs:
run: ./gradlew lintGithubRelease run: ./gradlew lintGithubRelease
- name: Build with Gradle - name: Build with Gradle
run: ./gradlew assembleGithubRelease assembleLargeRelease assemblePlayRelease uploadBugsnagGithub-releaseMapping uploadBugsnagLarge-releaseMapping uploadBugsnagPlay-releaseMapping run: ./gradlew assembleGithubRelease assembleLargeRelease assemblePlayRelease uploadBugsnagGithub-releaseMapping uploadBugsnagLarge-releaseMapping uploadBugsnagPlay-releaseMapping
#https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-path: 'app/build/outputs/apk/**/release/*.apk'
- name: Upload to BitBucket - name: Upload to BitBucket
run: | run: |
./gradlew upload -Ptarget=play-preview-${{ github.event.inputs.branch }} ./gradlew upload -Ptarget=play-preview-${{ github.event.inputs.branch }}

@ -429,6 +429,7 @@ Anything on this list is in random order and *might* be added in the near future
* [(202) What is DNSSEC and what is DANE?](#faq202) * [(202) What is DNSSEC and what is DANE?](#faq202)
* [(203) Where is my sent message?](#faq203) * [(203) Where is my sent message?](#faq203)
* [(204) How do I use Gemini?](#faq204) * [(204) How do I use Gemini?](#faq204)
* [(205) How do I check the integrity of an APK file?](#faq205)
[I have another question.](#get-support) [I have another question.](#get-support)
@ -5986,6 +5987,24 @@ This feature is experimental and requires version 1.2171 or later for the GitHub
<br> <br>
<a name="faq205"></a>
**(205) How do I check the integrity of an APK file?**
You can verify in this way that an APK file was built and signed by a GitHub workflow:
1. Install the [GitHub CLI](https://cli.github.com/)
2. Download and extract the [APK files](https://github.com/M66B/FairEmail/actions)
3. [Verify](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli) attestation of an APK file
```
gh attestation verify xyz.apk -R M66B/FairEmail
```
Attestation of APK files is available from version 1.2209.
<br>
<h2><a name="get-support"></a>Get support</h2> <h2><a name="get-support"></a>Get support</h2>
&#x1F30E; [Google Translate](https://translate.google.com/translate?sl=en&u=https%3A%2F%2Fm66b.github.io%2FFairEmail%2F%23get-support) &#x1F30E; [Google Translate](https://translate.google.com/translate?sl=en&u=https%3A%2F%2Fm66b.github.io%2FFairEmail%2F%23get-support)

@ -8,10 +8,19 @@
<style> <style>
code{white-space: pre-wrap;} code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;} span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;} div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{display: inline-block; vertical-align: top; width: 50%;} div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;} div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;} /* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style> </style>
<link rel="shortcut icon" href="https://raw.githubusercontent.com/M66B/FairEmail/master/app/src/main/ic_launcher-web.png"> <link rel="shortcut icon" href="https://raw.githubusercontent.com/M66B/FairEmail/master/app/src/main/ic_launcher-web.png">
<style> <style>
@ -418,6 +427,7 @@
<li><a href="#faq202">(202) What is DNSSEC and what is DANE?</a></li> <li><a href="#faq202">(202) What is DNSSEC and what is DANE?</a></li>
<li><a href="#faq203">(203) Where is my sent message?</a></li> <li><a href="#faq203">(203) Where is my sent message?</a></li>
<li><a href="#faq204">(204) How do I use Gemini?</a></li> <li><a href="#faq204">(204) How do I use Gemini?</a></li>
<li><a href="#faq205">(205) How do I check the integrity of an APK file?</a></li>
</ul> </ul>
<p><a href="#get-support">I have another question.</a></p> <p><a href="#get-support">I have another question.</a></p>
<p><a name="faq1"></a> <strong>(1) Which permissions are needed and why?</strong></p> <p><a name="faq1"></a> <strong>(1) Which permissions are needed and why?</strong></p>
@ -2986,6 +2996,16 @@ adb install /path/to/FairEmail-xxx.apk</code></pre>
<p>Please read the privacy policy of <a href="https://support.google.com/gemini/answer/13594961">Gemini</a>. FairEmail does not use third-party libraries to avoid being tracked when Gemini is not being used.</p> <p>Please read the privacy policy of <a href="https://support.google.com/gemini/answer/13594961">Gemini</a>. FairEmail does not use third-party libraries to avoid being tracked when Gemini is not being used.</p>
<p>This feature is experimental and requires version 1.2171 or later for the GitHub version and version 1.2182 or later for the Play Store version.</p> <p>This feature is experimental and requires version 1.2171 or later for the GitHub version and version 1.2182 or later for the Play Store version.</p>
<p><br></p> <p><br></p>
<p><a name="faq205"></a> <strong>(205) How do I check the integrity of an APK file?</strong></p>
<p>You can verify in this way that an APK file was built and signed by a GitHub workflow:</p>
<ol type="1">
<li>Install the <a href="https://cli.github.com/">GitHub CLI</a></li>
<li>Download and extract the <a href="https://github.com/M66B/FairEmail/actions">APK files</a></li>
<li><a href="https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli">Verify</a> attestation of an APK file</li>
</ol>
<pre><code>gh attestation verify xyz.apk -R M66B/FairEmail</code></pre>
<p>Attestation of APK files is available from version 1.2209.</p>
<p><br></p>
<h2> <h2>
<a name="get-support"></a>Get support <a name="get-support"></a>Get support
</h2> </h2>

Loading…
Cancel
Save