security(release): rotate compromised F-Droid repo key; keep key out of served tree

The F-Droid repo signing key (keystore.p12) and its config.yml — including the keystore passwords in cleartext — were publicly downloadable at apps.dev.jeanlucmakiola.de/dev/fdroid/ because the release workflow uploaded the entire fdroid/ working dir into the web-served path. The webserver has since been locked down to repo/ only; this rotates the now-compromised key and removes the root cause. - release.yaml: restore the repo key + config from new CI secrets (FDROID_KEYSTORE_BASE64, FDROID_CONFIG_BASE64) instead of the box; upload ONLY repo/ so the key never re-enters the served tree. - release.yaml: fail loudly when the repo key secrets are unset, replacing `fdroid update --create-key`, which silently minted a NEW repo key on a wiped server and would have broken every user's pinned fingerprint. - README: publish the new repo fingerprint (C2C0…3425). Existing users must remove and re-add the repo. - .gitignore: ignore *.p12 and the whole /fdroid/ working dir. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 12:01:00 +02:00
parent 54aed73726
commit e5be5f1ae5
3 changed files with 38 additions and 19 deletions
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -165,27 +165,45 @@ jobs:
          $SUDO apt-get install -y sshpass python3-pip
          pip3 install --break-system-packages --upgrade fdroidserver

-      - name: Initialize or fetch F-Droid Repository
+      - name: Fetch existing F-Droid repo from Hetzner
        env:
          HOST: ${{ secrets.HETZNER_HOST }}
          USER: ${{ secrets.HETZNER_USER }}
          PASS: ${{ secrets.HETZNER_PASS }}
        run: |
+          set -euo pipefail
+          SSH_OPTS="-o StrictHostKeyChecking=no -o ConnectTimeout=20"
          mkdir -p fdroid
-          sshpass -p "$PASS" sftp -o StrictHostKeyChecking=no "$USER@$HOST" <<'SFTP'
-          -mkdir dev
-          -mkdir dev/fdroid
-          -mkdir dev/fdroid/repo
-          SFTP
-          sshpass -p "$PASS" scp -o StrictHostKeyChecking=no -r "$USER@$HOST:dev/fdroid/." fdroid/ || (cd fdroid && fdroid init)
+          # Pull only the published repo/ (all apps' APKs), any per-app
+          # metadata, and the repo icon — enough to rebuild the index without
+          # dropping the other apps. The signing key is deliberately NOT pulled
+          # from the box; it comes from CI secrets in the next step so it never
+          # has to live in the web-served tree.
+          sshpass -p "$PASS" scp $SSH_OPTS -r "$USER@$HOST:dev/fdroid/repo" fdroid/ 2>/dev/null || true
+          sshpass -p "$PASS" scp $SSH_OPTS -r "$USER@$HOST:dev/fdroid/metadata" fdroid/ 2>/dev/null || true
+          sshpass -p "$PASS" scp $SSH_OPTS "$USER@$HOST:dev/fdroid/icon.png" fdroid/ 2>/dev/null || true
+          mkdir -p fdroid/repo fdroid/metadata

-      - name: Ensure F-Droid repo signing key and icon
+      - name: Restore F-Droid signing key and config from secrets
+        env:
+          FDROID_KEYSTORE_BASE64: ${{ secrets.FDROID_KEYSTORE_BASE64 }}
+          FDROID_CONFIG_BASE64: ${{ secrets.FDROID_CONFIG_BASE64 }}
        run: |
-          cd fdroid
-          mkdir -p repo/icons
-          if [ ! -f keystore.p12 ]; then
-            fdroid update --create-key
+          set -euo pipefail
+          # Fail loudly if the repo key is not configured. NEVER auto-generate
+          # one: a fresh key changes the repo fingerprint and breaks every
+          # user's pinned repo. (Replaces the old `fdroid update --create-key`
+          # path, which silently rotated the key on a wiped server.)
+          if [ -z "${FDROID_KEYSTORE_BASE64:-}" ] || [ -z "${FDROID_CONFIG_BASE64:-}" ]; then
+            echo "ERROR: FDROID_KEYSTORE_BASE64 / FDROID_CONFIG_BASE64 secrets are not set." >&2
+            echo "Refusing to continue — will not auto-generate a new repo key." >&2
+            exit 1
          fi
+          echo "$FDROID_KEYSTORE_BASE64" | base64 --decode > fdroid/keystore.p12
+          echo "$FDROID_CONFIG_BASE64"   | base64 --decode > fdroid/config.yml
+          test -s fdroid/keystore.p12
+          test -s fdroid/config.yml
+          mkdir -p fdroid/repo/icons

      - name: Copy new APK to repo
        run: |
@@ -208,7 +226,7 @@ jobs:
          cd fdroid
          fdroid update -c

-      - name: Upload Repo to Hetzner
+      - name: Upload repo/ to Hetzner
        env:
          HOST: ${{ secrets.HETZNER_HOST }}
          USER: ${{ secrets.HETZNER_USER }}
@@ -219,9 +237,10 @@ jobs:
          sshpass -p "$PASS" sftp $SSH_OPTS "$USER@$HOST" <<'SFTP'
          -mkdir dev
          -mkdir dev/fdroid
-          -mkdir dev/fdroid/repo
          SFTP
-          sshpass -p "$PASS" scp $SSH_OPTS -r fdroid/. "$USER@$HOST:dev/fdroid/"
+          # Publish ONLY the signed repo/. keystore.p12 and config.yml never
+          # leave CI, so they can no longer end up in the web-served tree.
+          sshpass -p "$PASS" scp $SSH_OPTS -r fdroid/repo "$USER@$HOST:dev/fdroid/"

  # A Gitea release per tag, carrying the tag's CHANGELOG section as its
  # notes. Deliberately no APK assets — distribution stays with the F-Droid