Build online but do not sign

.github/workflows/release.yml

@@ -6,9 +6,6 @@ on:
       beta:
         type: boolean
         description: Is beta?
-      draft:
-        type: boolean
-        description: Is draft?
 
 jobs:
   build:
@@ -27,13 +24,6 @@ jobs:
         id: flutter_doctor
         run: |
           flutter doctor -v
-          
-      - name: Import GPG key
-        id: import_pgp_key
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.PGP_KEY_BASE64 }}
-          passphrase: ${{ secrets.PGP_PASSPHRASE }}
 
       - name: Check submodule
         id: check_submodule
@@ -57,24 +47,13 @@ jobs:
           for file in build/app/outputs/flutter-apk/app-*normal*.apk*; do mv "$file" "${file//-normal/}"; done
           flutter build apk --flavor fdroid -t lib/main_fdroid.dart && flutter build apk --split-per-abi --flavor fdroid -t lib/main_fdroid.dart
           rm ./build/app/outputs/flutter-apk/*.sha1
+          cp ./sign.sh ./build/app/outputs/flutter-apk/
           ls -l ./build/app/outputs/flutter-apk/
-        
-      - name: Sign APKs
-        env:
-          KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
-          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
-          PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
-        run: |
-          echo "${KEYSTORE_BASE64}" | base64 -d > apksign.keystore
-          for apk in ./build/app/outputs/flutter-apk/*-release*.apk; do
-            unsignedFn=${apk/-release/-unsigned}
-            mv "$apk" "$unsignedFn"
-            ${ANDROID_HOME}/build-tools/$(ls ${ANDROID_HOME}/build-tools/ | tail -1)/apksigner sign --ks apksign.keystore --ks-pass pass:"${KEYSTORE_PASSWORD}" --out "${apk}" "${unsignedFn}"
-            sha256sum ${apk} | cut -d " " -f 1 > "$apk".sha256
-            gpg --batch  --pinentry-mode loopback --passphrase "${PGP_PASSPHRASE}" --sign --detach-sig "$apk".sha256
-          done
-          rm apksign.keystore
-          PGP_KEY_FINGERPRINT="${{ steps.import_pgp_key.outputs.fingerprint }}"
+
+      - name: Save Unsigned APKs as Action Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          path: build/app/outputs/flutter-apk/*
 
       - name: Create Tag
         uses: mathieudutour/github-tag-action@v6.1
@@ -83,12 +62,11 @@ jobs:
           custom_tag: "${{ steps.extract_version.outputs.tag }}"
           tag_prefix: ""
       
-      - name: Create Release And Upload APKs
+      - name: Create Draft Release
         uses: ncipollo/release-action@v1
         with:
           token: ${{ secrets.GH_ACCESS_TOKEN }}
           tag: "${{ steps.extract_version.outputs.tag }}"
           prerelease: "${{ steps.extract_version.outputs.beta }}"
-          draft: "${{ inputs.draft }}"
-          artifacts: ./build/app/outputs/flutter-apk/*-release*.apk*
+          draft: "true"
           generateReleaseNotes: true

.github/workflows/temp.yml

@@ -1,71 +0,0 @@
-name: Playing around (temp)
-
-on:
-  workflow_dispatch:
-    inputs:
-      beta:
-        type: boolean
-        description: Is beta?
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      
-      - uses: actions/checkout@v3
-      - uses: subosito/flutter-action@v2
-      - uses: actions/setup-java@v4
-        with:
-          distribution: 'temurin' # See 'Supported distributions' for available options
-          java-version: '17'
-
-      - name: Flutter Doctor
-        id: flutter_doctor
-        run: |
-          flutter doctor -v
-
-      - name: Check submodule
-        id: check_submodule
-        run: |
-          git checkout ${{ inputs.checkout }}
-
-      - name: Extract Version
-        id: extract_version      
-        run: |
-          VERSION=$(grep -oP "^version: [^\+]+" pubspec.yaml | tail -c +10)
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          if [ ${{ inputs.beta }} == true ]; then BETA=true; else BETA=false; fi
-          echo "beta=$BETA" >> $GITHUB_OUTPUT
-          TAG="v$VERSION"
-          echo "tag=$TAG" >> $GITHUB_OUTPUT
-
-      - name: Build APKs
-        run: |
-          sed -i 's/signingConfig signingConfigs.release//g' android/app/build.gradle
-          flutter build apk --flavor normal && flutter build apk --split-per-abi --flavor normal
-          for file in build/app/outputs/flutter-apk/app-*normal*.apk*; do mv "$file" "${file//-normal/}"; done
-          flutter build apk --flavor fdroid -t lib/main_fdroid.dart && flutter build apk --split-per-abi --flavor fdroid -t lib/main_fdroid.dart
-          rm ./build/app/outputs/flutter-apk/*.sha1
-          ls -l ./build/app/outputs/flutter-apk/
-
-      - name: Save Unsigned APKs as Action Artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          path: build/app/outputs/flutter-apk/*
-
-      #- name: Create Tag
-      #  uses: mathieudutour/github-tag-action@v6.1
-      #  with:
-      #    github_token: ${{ secrets.GH_ACCESS_TOKEN }}
-      #    custom_tag: "${{ steps.extract_version.outputs.tag }}"
-      #    tag_prefix: ""
-      
-      #- name: Create Draft Release
-      #  uses: ncipollo/release-action@v1
-      #  with:
-      #    token: ${{ secrets.GH_ACCESS_TOKEN }}
-      #    tag: "${{ steps.extract_version.outputs.tag }}"
-      #    prerelease: "${{ steps.extract_version.outputs.beta }}"
-      #    draft: "true"
-      #    generateReleaseNotes: true

sign.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -e
+
+# Script to sign unsigned APKs
+# Assumptions:
+# 1. Your PGP key is already imported on the locally running agent
+# 2. An Android SDK is located at $ANDROID_HOME (or ~/Android/Sdk as fallback)
+
+usage() {
+  echo "sign.sh <PATH_TO_KEYSTORE> <PATH_TO_BUILD_DIR>"
+  exit 1
+}
+
+if [ -z "$1" ] || [ -z "$2" ] || [ ! -f "$1" ] || [ ! -d "$2" ]; then
+  usage
+fi
+
+KEYSTORE_LOCATION="$1"
+BUILD_DIR="$2"
+
+read -s -p "Enter your keystore password: " KEYSTORE_PASSWORD
+
+if [ -z "$ANDROID_HOME" ]; then
+  ANDROID_HOME=~/Android/Sdk
+fi
+if [ ! -d "$ANDROID_HOME" ]; then
+  echo "Could not find Android SDK!" >&2
+  exit 1
+fi
+
+for apk in "$BUILD_DIR"/*-release*.apk; do
+  unsignedApk=${apk/-release/-unsigned}
+  mv "$apk" "$unsignedApk"
+  ${ANDROID_HOME}/build-tools/$(ls ${ANDROID_HOME}/build-tools/ | tail -1)/apksigner sign --ks "$KEYSTORE_LOCATION" --ks-pass pass:"${KEYSTORE_PASSWORD}" --out "${apk}" "${unsignedApk}"
+  sha256sum ${apk} | cut -d " " -f 1 >"$apk".sha256
+  gpg --batch --sign --detach-sig "$apk".sha256
+  rm "$unsignedApk"
+done