2323 PLATFORM_KEY_PASS : ${{ secrets.PLATFORM_KEY_PASS }}
2424 USER_STORE_PASS : ${{ secrets.USER_STORE_PASS }}
2525 USER_KEY_PASS : ${{ secrets.USER_KEY_PASS }}
26+
2627 steps :
2728 - name : Checkout repository
2829 uses : actions/checkout@v4
@@ -33,12 +34,13 @@ jobs:
3334 distribution : temurin
3435 java-version : 17
3536
37+ # FIXED: Switched to Android 33 / Build Tools 33.0.2 for stability
3638 - name : Install Android SDK and platform tools
3739 uses : android-actions/setup-android@v3
3840 with :
3941 packages : |
40- platforms;android-34
41- build-tools;34 .0.0
42+ platforms;android-33
43+ build-tools;33 .0.2
4244
4345 - name : Install required native tooling
4446 run : |
@@ -95,13 +97,16 @@ jobs:
9597 INTERMEDIATE_KEY=intermediate-ca.key.pem
9698 INTERMEDIATE_CSR=intermediate-ca.csr.pem
9799 INTERMEDIATE_CERT=intermediate-ca.cert.pem
100+
98101 openssl genrsa -out "$INTERMEDIATE_KEY" 4096
99102 openssl req \
100103 -new \
101104 -key "$INTERMEDIATE_KEY" \
102105 -out "$INTERMEDIATE_CSR" \
103106 -subj "/CN=MobIDE Intermediate CA/O=WebLabs Security/C=US"
107+
104108 printf 'basicConstraints=CA:TRUE,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always,issuer:always\n' > intermediate-ca.ext
109+
105110 openssl x509 \
106111 -req \
107112 -in "$INTERMEDIATE_CSR" \
@@ -112,6 +117,7 @@ jobs:
112117 -days 1095 \
113118 -sha256 \
114119 -extfile intermediate-ca.ext
120+
115121 ls -l "$INTERMEDIATE_KEY" "$INTERMEDIATE_CERT"
116122 echo "key=$INTERMEDIATE_KEY" >> "$GITHUB_OUTPUT"
117123 echo "cert=$INTERMEDIATE_CERT" >> "$GITHUB_OUTPUT"
@@ -122,6 +128,7 @@ jobs:
122128 run : |
123129 set -euo pipefail
124130 umask 077
131+
125132 keytool -genkeypair \
126133 -alias platform \
127134 -keyalg RSA \
@@ -131,7 +138,7 @@ jobs:
131138 -storepass "${{ steps.validate_secrets.outputs.storepass_platform }}" \
132139 -keypass "${{ steps.validate_secrets.outputs.keypass_platform }}" \
133140 -dname "CN=MobIDE Platform Signing,O=WebLabs Security,C=US"
134-
141+
135142 keytool -genkeypair \
136143 -alias userkey \
137144 -keyalg RSA \
@@ -141,7 +148,7 @@ jobs:
141148 -storepass "${{ steps.validate_secrets.outputs.storepass_user }}" \
142149 -keypass "${{ steps.validate_secrets.outputs.keypass_user }}" \
143150 -dname "CN=MobIDE User Signing,O=WebLabs Security,C=US"
144-
151+
145152 ls -l platform.keystore user.keystore
146153
147154 - name : Prepare Gradle
@@ -154,14 +161,17 @@ jobs:
154161 shell : bash
155162 run : |
156163 set -euo pipefail
157- ZIPALIGN_BIN="${ANDROID_HOME:-$ANDROID_SDK_ROOT}/build-tools/34.0.0/zipalign"
164+ # FIXED: Updated path to match the installed build-tools 33.0.2
165+ ZIPALIGN_BIN="${ANDROID_HOME:-$ANDROID_SDK_ROOT}/build-tools/33.0.2/zipalign"
158166 "$ZIPALIGN_BIN" -v -p 4 "${{ env.APK_BUILD_PATH }}" "${{ env.ZIPALIGNED_APK }}"
159167
160168 - name : Sign with platform and user keystores
161169 shell : bash
162170 run : |
163171 set -euo pipefail
164- APK_SIGNER_BIN="${ANDROID_HOME:-$ANDROID_SDK_ROOT}/build-tools/34.0.0/apksigner"
172+ # FIXED: Updated path to match the installed build-tools 33.0.2
173+ APK_SIGNER_BIN="${ANDROID_HOME:-$ANDROID_SDK_ROOT}/build-tools/33.0.2/apksigner"
174+
165175 "$APK_SIGNER_BIN" sign \
166176 --ks platform.keystore \
167177 --ks-key-alias platform \
@@ -174,6 +184,7 @@ jobs:
174184 --key-pass pass:${{ steps.validate_secrets.outputs.keypass_user }} \
175185 --out "${{ env.SIGNED_APK_FINAL }}" \
176186 "${{ env.ZIPALIGNED_APK }}"
187+
177188 "$APK_SIGNER_BIN" verify --verbose "${{ env.SIGNED_APK_FINAL }}"
178189
179190 - name : Collect chain of trust
@@ -196,16 +207,3 @@ jobs:
196207 trust-chain.pem
197208 ca-root.pem
198209 ca-intermediate.pem
199- platform.keystore
200- user.keystore
201-
202- - name : Upload CA outputs for auditing
203- uses : actions/upload-artifact@v4
204- with :
205- name : mobide-ca-audit
206- retention-days : 30
207- path : |
208- ${{ steps.root_ca.outputs.cert }}
209- ${{ steps.intermediate_ca.outputs.cert }}
210- intermediate-ca.ext
211- intermediate-ca.csr.pem