62 Commits

Author SHA1 Message Date
Hans-Christoph Steiner
e1915bc044 manually include missing verification metadata
Android Studio uses this, but it seems that normal builds from the command
line do not.
2022-12-20 21:00:03 +01:00
Hans-Christoph Steiner
6a2662b5c8 gradle/update-verification-metadata.sh: use keyservers to get keys
key-servers enabled="false" is set by default to avoid unneeded network
connections during day-to-day operation, and to ensure that all the required
key material is included locally in gradle/verification-keyring.keys
2022-12-20 21:00:01 +01:00
Hans-Christoph Steiner
0d5d0f7da2 use androidx script to generate Gradle verification metadata files
https://android.googlesource.com/platform/frameworks/support/+/refs/heads/androidx-main/development/update-verification-metadata.sh

This also uses Gradle and androidx as sources of key material:
* 14e347025c/gradle/verification-keyring.keys
* https://android.googlesource.com/platform/frameworks/support/+/refs/heads/androidx-main/gradle/verification-keyring.keys
2022-12-20 20:59:57 +01:00
Hans-Christoph Steiner
af51203008 update gradle to 7.5.1 to get verification fixes
https://github.com/gradle/gradle/issues/19089

I ran this twice in a row to achieve this:
./gradlew wrapper --gradle-version 7.5.1 \
  --gradle-distribution-sha256-sum \
  db9c8211ed63f61f60292c69e80d89196f9eb36665e369e7f00ac4cc841c2219
2022-12-20 20:59:53 +01:00
Torsten Grote
eef3c3fb0d Upgrade to Android Studio Chipmunk
and upgrade other dependencies as well
2022-11-28 12:48:58 +01:00
Torsten Grote
83dd06e682 [app] upgrade dependencies 2022-11-28 10:17:30 +01:00
Hans-Christoph Steiner
c629d21b56 gradle verification: only contact keyservers when updating metadata
This config should include all the PGP keys needed to verify all the
dependencies used in this build.  This prevents Gradle from contacting PGP
keyservers for regular builds.  Gradle will still contact keyservers when
updating the metadata.

https://docs.gradle.org/current/userguide/dependency_verification.html#sec:local-keyring-only
2022-11-28 09:49:38 +01:00
Hans-Christoph Steiner
206d8407d4 gradle verification: ignored keys are now available on keyservers
I sent some to the keyservers; some key owners have pushed them to
keys.openpgp.net.  Also Google people have started maintaining keyrings:

https://android.googlesource.com/platform/frameworks/support/+/HEAD/gradle/verification-keyring.keys
2022-11-28 09:37:14 +01:00
Hans-Christoph Steiner
9f6f010f5d gradle verification: include all keys in .gpg keyring
for f in 429c8816dea04cdb d4da5eab3cd7e958 d5f4c07a434ab3da 03281aa0289ff53a e0cb7823cfd00fbf 02216ed811210daa 03281aa0289ff53a 056aca74d46000bf 280d66a55f5316c5 3967d4eda591b991 429c8816dea04cdb 4dbf5995d492505d 5f7786df73e61f56 6a65176a0fb1cd0b bf984b4145ea13f7 c1b12a5d99c0729d cb43338e060cf9fa d4da5eab3cd7e958 d5f4c07a434ab3da d89d05374952262b d9c565aa72ba2fdd dea3d207428ef16d e0cb7823cfd00fbf eb380dc13c39f675 fefe78456eddc34a; do gpg --export $f | GNUPGHOME=/tmp/fake gpg --primary-keyring gradle/verification-keyring.gpg --import || GNUPGHOME=/tmp/fake gpg --primary-keyring gradle/verification-keyring.gpg --recv-keys $f || GNUPGHOME=/tmp/fake gpg --primary-keyring gradle/verification-keyring.gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys $f || break; done
2022-11-28 09:37:05 +01:00
Torsten Grote
db275bf218 [db] Run tests also locally with Robolectric
This is much faster and doesn't require a device. However, the test should also continue to run on-device as this is the sqlite version used in practice.
2022-09-12 09:46:15 +00:00
Torsten Grote
44ceaa6842 [db] Add a method for getting an app without specifying the repoId 2022-09-12 09:46:15 +00:00
Torsten Grote
ca6da651ec [db] First prototype 2022-09-12 09:46:15 +00:00
Torsten Grote
8b2d96dc1b [index] Add LocaleChooser with getBestLocale() method and test
This is for getting the best matching localized content.
2022-07-17 15:57:14 -03:00
Torsten Grote
632833a3e7 [index] Add UpdateChecker with tests
Also introduce interfaces for important classes, so they can be implemented by stuff like database classes as well. This makes UpdateChecker and CompatibilityChecker more generic.

Also add tests for CompatibilityChecker.
2022-07-17 15:57:14 -03:00
Torsten Grote
d2d8b4ee9f [index] Add dokka for creating HTML library docs 2022-07-17 15:57:12 -03:00
Torsten Grote
802deb43eb [index] First prototype 2022-07-17 15:57:11 -03:00
Hans-Christoph Steiner
d6e97b4634 update to latest: org.robolectric:robolectric:4.8.1
./gradlew --write-verification-metadata pgp,sha256 testFullDebugUnitTest
./gradlew --write-verification-metadata sha256 testFullDebugUnitTest
2022-05-25 13:42:26 +02:00
Torsten Grote
eca567d7a1 disable jetifier after upgrading ACRA and delegate adapters 2022-05-18 12:52:56 +02:00
Torsten Grote
c463b3c9ed Upgrade to Gradle 7 and Java 11 2022-05-18 12:52:55 +02:00
Torsten Grote
30a41efe07 Allow cleartext (non-https) traffic, so swap/nearby works
In the future, we might not want to allow cleartext for non-local comms.
2022-05-17 11:23:47 -03:00
Hans-Christoph Steiner
04bb8b8998 update gradle verification
./gradlew --write-verification-metadata pgp,sha256 assemble
./gradlew --write-verification-metadata sha256 assemble
2022-05-03 11:08:04 +02:00
Torsten Grote
8b3e0f83ae Publish download library to maven central
and add a different license for it.
2022-04-27 10:29:28 -03:00
Torsten Grote
d6b21e2658 [download] Switch to different slf4j logging implementation on Android 2022-04-19 14:08:58 -03:00
Torsten Grote
d937732ce0 [download] Upgrade Ktor to 2.0 2022-04-19 11:37:19 -03:00
Torsten Grote
bf202bcbd8 Disable kotlin-native for now as it pulls in unverified binaries and executes them
https://youtrack.jetbrains.com/issue/KT-47026
2022-04-01 09:48:04 -03:00
Torsten Grote
27fe848156 Improve mirror fallback, e.g. on 404
and update ktor
2022-03-18 08:38:18 -03:00
Torsten Grote
f777410358 Add test that we don't accept TLS 1.0 or TLS 1.1 2022-03-09 16:19:37 -03:00
Torsten Grote
decc2cc6e3 Add ktlint and run it in CI
Fixes formatting issues it found.

Also remove version variables from gradle scripts as they are not wanted by the project.
2022-02-16 09:43:19 -03:00
Torsten Grote
82b131ff71 Address first round of review comments 2022-02-16 09:43:19 -03:00
Torsten Grote
062c870f23 Move (Http)Downloader into download library 2022-02-16 09:43:18 -03:00
Torsten Grote
9ca7bebc88 Add mirror support in downloads library 2022-02-16 09:43:17 -03:00
Torsten Grote
2bbc03b797 Add workaround for https://youtrack.jetbrains.com/issue/KTOR-3358 2022-02-16 09:43:17 -03:00
Torsten Grote
3d479b29e5 Initial work on separate download library 2022-02-16 09:43:17 -03:00
Torsten Grote
d9f993632c Add kotlin-gradle-plugin and upgrade gradle to 6.9.2
in order to resolve issue with dependency verification
2022-02-16 09:43:17 -03:00
mlya
79c2a38247 closes #2332 add missing verification-metadata for macos 2022-02-04 10:22:07 +00:00
Hans-Christoph Steiner
80a50dcfd4 vendor 'cc.mvdan.accesspoint:library:0.2.0' to remove jcenter entirely
Code was in https://github.com/mvdan/libaccesspoint

Note that this project is **abandoned** since its method doesn't work on Android
7.1 or later. Have a look at these newer alternatives that have been tested to
work on Android 8.0:

* https://github.com/shinilms/direct-net-share
* https://github.com/geekywoman/direct-net-share
* https://github.com/aegis1980/WifiHotSpot
2022-01-19 20:43:24 +01:00
proletarius101
d440cb0c81 Fix status bar color 2021-08-26 13:09:00 +00:00
proletarius101
42c0fe7430 Migrate the image loader to Glide 2021-07-01 15:57:06 +00:00
Hans-Christoph Steiner
39f680bb24 resync gradle verification metadata 2021-06-16 14:35:10 +02:00
Isira Seneviratne
19ffd2b491 Use ActivityCompat.recreate(). 2021-06-16 12:29:32 +00:00
Isira Seneviratne
5fad229dbe Update RxJava to version 3. 2021-06-15 08:51:16 +00:00
proletarius101
e48c49ce0c Change the bottom navigation bar to the material component one 2021-05-18 12:39:58 +00:00
proletarius101
aaf08fea0c Update material components library to 1.3.0 2021-04-28 19:17:05 +08:00
Hans-Christoph Steiner
1cd02f02e0 fix trove4j verification error
trove4j-20160824.pom uploaded to mavenCentral has more info in it, so a
different sha256.
2021-04-12 15:57:40 +02:00
Hans-Christoph Steiner
04ab3aefa4 update gradle verification metadata
./gradlew --write-verification-metadata pgp,sha256 assemble
./gradlew --write-verification-metadata sha256 assemble
2021-04-07 22:00:20 +02:00
Isira Seneviratne
ab8e7935b0 Add WorkManagerTestRule. 2021-01-21 06:18:23 +05:30
Isira Seneviratne
df66d127c2 Add AndroidX WorkManager. 2021-01-21 06:17:28 +05:30
Hans-Christoph Steiner
83b7d7ff67 bump all test dependencies
Hopefully this will give some stability in the Robolectric tests.
2021-01-19 09:06:05 +01:00
Hans-Christoph Steiner
4640146842 gradle dependency verification is too buggy with .pom metadata
This disables the verification of .pom files.  .pom files can add
dependencies, so it would be good to have them verified.  But since this
current setup requires all JARs to be verified, any new dependencies would
fail anyway:
https://docs.gradle.org/current/userguide/dependency_verification.html#sec:disabling-metadata-verification

In some cases everything works fine, like on gitlab-ci, and in other places
it always gives errors like this:

```
A problem occurred configuring root project 'client'.
> Dependency verification failed for configuration ':classpath'
  4 artifacts failed verification:
    - all-1.2.0.pom (com.sun.activation:all:1.2.0) from repository MavenRepo
    - jvnet-parent-1.pom (net.java:jvnet-parent:1) from repository MavenRepo
    - oss-parent-7.pom (org.sonatype.oss:oss-parent:7) from repository MavenRepo
    - oss-parent-9.pom (org.sonatype.oss:oss-parent:9) from repository MavenRepo
  This can indicate that a dependency has been compromised. Please carefully verify the checksums.

  Open this report for more details: file:///home/hans/code/fdroid/client/build/reports/dependency-verification/at-1603359642220/dependency-verification-report.html
```

@glennmen and @eighthave both are getting that error.
2020-10-22 11:49:17 +02:00
Hans-Christoph Steiner
708a6d8dbd allow differing sha256 values in Google Maven vs Android Offline
It turns out that some of the dependencies in the Google Offline Components
downloadable maven repository have differences from the ones Google publishes
to maven.google.com.  WTF.  In any case, the new Gradle Dependency
Verification feature handles this gracefully.  I manually verified the
diffs between the two using diffoscope.  One just differed by timestamps in
the ZIP header, and the other just differed by linefeeds at the end of the
file.  Then I generated this metadata update using:

`./gradlew --write-verification-metadata pgp,sha256`

* https://developer.android.com/studio#offline
2020-08-04 09:46:43 +02:00