mirror of https://github.com/M66B/FairEmail.git synced 2024-12-22 07:42:52 +00:00

APK file attestation

This commit is contained in:
M66B 2024-06-26 07:39:45 +02:00
parent 1f63fea82e
commit 56076347bd
3 changed files with 53 additions and 3 deletions


@ -11,6 +11,12 @@ on:
description: 'Branch'
required: true
default: 'master'
permissions:
id-token: write
contents: read
attestations: write
jobs:
build:
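Review bot: the new `permissions:` block (`id-token: write`, `contents: read`, `attestations: write`) sits at workflow level, between the `on:` inputs and `jobs:`, so every job in this workflow receives an OIDC token and attestation write access; scoping it under the `build` job that actually runs the attest step would follow least privilege. Declaring `permissions` explicitly also resets every unlisted scope to none, so any later step in this workflow that needs more than `contents: read` (for example creating a release) will start failing and should be checked.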
@ -52,6 +58,11 @@ jobs:
run: ./gradlew lintGithubRelease
- name: Build with Gradle
run: ./gradlew assembleGithubRelease assembleLargeRelease assemblePlayRelease uploadBugsnagGithub-releaseMapping uploadBugsnagLarge-releaseMapping uploadBugsnagPlay-releaseMapping
#https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-path: 'app/build/outputs/apk/**/release/*.apk'
- name: Upload to BitBucket
run: |
./gradlew upload -Ptarget=play-preview-${{ github.event.inputs.branch }}
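Review bot: `uses: actions/attest-build-provenance@v1` references a mutable major tag; for the step that produces signed provenance it would be better pinned to a full commit SHA (with the tag in a trailing comment) so the attesting action itself cannot be swapped underneath the workflow. The `subject-path: 'app/build/outputs/apk/**/release/*.apk'` glob covers the github, large and play release APKs produced by the preceding Gradle step, which matches what the FAQ promises, but it is worth confirming that nothing else under that tree (an intermediate or unsigned APK) also matches and gets an attestation. Minor: the `#https://docs.github.com/...` comment lacks a space after `#`.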

FAQ.md

@ -429,6 +429,7 @@ Anything on this list is in random order and *might* be added in the near future
* [(202) What is DNSSEC and what is DANE?](#faq202)
* [(203) Where is my sent message?](#faq203)
* [(204) How do I use Gemini?](#faq204)
* [(205) How do I check the integrity of an APK file?](#faq205)
[I have another question.](#get-support)
@ -5986,6 +5987,24 @@ This feature is experimental and requires version 1.2171 or later for the GitHub
<br>
<a name="faq205"></a>
**(205) How do I check the integrity of an APK file?**
You can verify in this way that an APK file was built and signed by a GitHub workflow:
1. Install the [GitHub CLI](https://cli.github.com/)
2. Download and extract the [APK files](https://github.com/M66B/FairEmail/actions)
3. [Verify](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli) attestation of an APK file
```
gh attestation verify xyz.apk -R M66B/FairEmail
```
Attestation of APK files is available from version 1.2209.
<br>
<h2><a name="get-support"></a>Get support</h2>
&#x1F30E; [Google Translate](https://translate.google.com/translate?sl=en&u=https%3A%2F%2Fm66b.github.io%2FFairEmail%2F%23get-support)
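Review bot: the sentence "an APK file was built and signed by a GitHub workflow" overstates what step 3 checks: `gh attestation verify xyz.apk -R M66B/FairEmail` confirms that a build-provenance attestation for this exact file digest was issued by a workflow run in the M66B/FairEmail repository; it says nothing about the APK's own Android signing certificate, which is still what Android checks at install time. Suggest "was built by a GitHub workflow of this repository" plus a sentence that the attestation complements, not replaces, checking the APK signature. Also, "Attestation of APK files is available from version 1.2209" would serve readers better placed before the steps, since the command reports no attestation for any older APK, and `xyz.apk` should be described as a placeholder for the extracted file name.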


@ -8,10 +8,19 @@
<style>
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;}
div.column{display: inline-block; vertical-align: top; width: 50%;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;}
/* The extra [class] is a hack that increases specificity enough to
override a similar rule in reveal.js */
ul.task-list[class]{list-style: none;}
ul.task-list li input[type="checkbox"] {
font-size: inherit;
width: 0.8em;
margin: 0 0.8em 0.2em -1.6em;
vertical-align: middle;
}
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
</style>
<link rel="shortcut icon" href="https://raw.githubusercontent.com/M66B/FairEmail/master/app/src/main/ic_launcher-web.png">
<style>
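Review bot: this hunk only touches the generated `<style>` block (the inline-block `div.column` rule next to a new flex `div.columns`/`div.column` pair, new `ul.task-list` checkbox rules and `.display.math`), which has nothing to do with APK attestation and looks like a side effect of regenerating the HTML with a newer pandoc; it would be cleaner as a separate commit so the attestation change stays reviewable on its own. Note that `div.column` appears twice in the block, which is only correct if the `width: 50%` variant is the line being removed.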
@ -418,6 +427,7 @@
<li><a href="#faq202">(202) What is DNSSEC and what is DANE?</a></li>
<li><a href="#faq203">(203) Where is my sent message?</a></li>
<li><a href="#faq204">(204) How do I use Gemini?</a></li>
<li><a href="#faq205">(205) How do I check the integrity of an APK file?</a></li>
</ul>
<p><a href="#get-support">I have another question.</a></p>
<p><a name="faq1"></a> <strong>(1) Which permissions are needed and why?</strong></p>
@ -2986,6 +2996,16 @@ adb install /path/to/FairEmail-xxx.apk</code></pre>
<p>Please read the privacy policy of <a href="https://support.google.com/gemini/answer/13594961">Gemini</a>. FairEmail does not use third-party libraries to avoid being tracked when Gemini is not being used.</p>
<p>This feature is experimental and requires version 1.2171 or later for the GitHub version and version 1.2182 or later for the Play Store version.</p>
<p><br></p>
<p><a name="faq205"></a> <strong>(205) How do I check the integrity of an APK file?</strong></p>
<p>You can verify in this way that an APK file was built and signed by a GitHub workflow:</p>
<ol type="1">
<li>Install the <a href="https://cli.github.com/">GitHub CLI</a></li>
<li>Download and extract the <a href="https://github.com/M66B/FairEmail/actions">APK files</a></li>
<li><a href="https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli">Verify</a> attestation of an APK file</li>
</ol>
<pre><code>gh attestation verify xyz.apk -R M66B/FairEmail</code></pre>
<p>Attestation of APK files is available from version 1.2209.</p>
<p><br></p>
<h2>
<a name="get-support"></a>Get support
</h2>
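Review bot: this is the rendered copy of the FAQ.md hunk, so the same caveat applies to `<p>You can verify in this way that an APK file was built and signed by a GitHub workflow:</p>`: the `gh attestation verify` command proves build provenance, not the validity of the APK's Android signature. The wording should be corrected in FAQ.md and the HTML regenerated from it rather than edited by hand in both places, otherwise the Markdown and the HTML will drift.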