* Hardware wallets like the TREZOR can be a great and secure way to sign APKs
* Currently I am signing WallETH with an old separate offline laptop - but the process is painful (USB stick juggling) and when I am on the road I most of the time do not have this offline laptop with me - this might be bad if e.g. an urgent HotFix is needed
* Backups of signing keys are important - if you lose your key you are not able to publish an update of the app anymore - usually people do backups of their hardware wallet - so this could also be a good argument for using a hardware wallet here
* Signing keys are often not handled with the care they deserve (I have seen companies having them on the CI-Server with the potential of extracting them with a PR ..). If the process is easy with a hardware wallet perhaps we can convince more people to treat signing keys with more respect
Bounty acceptance criteria:
* Deliver a small CLI program that allows signing APKs with a TREZOR
* That program should be written in Kotlin or Java - I would prefer Kotlin. Limiting the languages has 2 main reasons: 1) I want to be able to give it a meaningful review 2) Make a potential future reuse in an Android app easier
* Should not need modifications of the TREZOR firmware (If there are good reasons that this is needed there might be an exemption - e.g. if one would go the extra mile of supporting RSA to lower the minSDK)
* Support signature scheme v1 and optionally v2 - but at least v1 so we do not have a high impact on the minSDK
* Support specifying a derivation path so different APKs can be signed with different keys
* Here are some examples of ECDSA-signed APKs:
* Introduction of ECDSA support for signatures in Android: https://issuetracker.google.com/issues/36956587
* Tweet by prusnak about the possibility of this: https://twitter.com/pavolrusnak/status/982944347418177536
* APKSigner source: https://android.googlesource.com/platform/build/+/8740e9d/tools/apksigner/core/src/com/android/apksigner/core/
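
The derivation-path requirement above, sketched as an added example (not part of the original bounty text and not TREZOR or apksigner code): a Kotlin parser that turns a path string into 32-bit child indexes and refuses a configuration in which two APKs would end up on the same key. The BIP32-style path syntax, the function names and the sample paths are assumptions; the bounty does not specify a path format.

```kotlin
// Added example; names and sample paths are assumptions, not from the bounty text.
const val HARDENED_BIT = 0x80000000L // BIP32: child indexes >= 2^31 are hardened
const val MAX_DEPTH = 255            // BIP32 stores the depth in a single byte

/** Parses "m/1'/2/3h" into 32-bit child indexes (held in Long to stay unsigned). */
fun parseDerivationPath(path: String): List<Long> {
    val parts = path.trim().split("/")
    require(parts.first() == "m") { "path must start with 'm': $path" }
    val components = parts.drop(1)
    require(components.size <= MAX_DEPTH) { "path deeper than $MAX_DEPTH levels" }
    return components.map { raw ->
        val hardened = raw.endsWith("'") || raw.endsWith("h")
        val digits = if (hardened) raw.dropLast(1) else raw
        // Accept ASCII digits only: rejects "", "-1", "+1", "1''" and Unicode digits.
        require(digits.isNotEmpty() && digits.all { it in '0'..'9' }) {
            "bad component '$raw' in $path"
        }
        val index = digits.toLongOrNull()
            ?: throw IllegalArgumentException("index too large: '$raw'")
        require(index < HARDENED_BIT) { "index out of range: '$raw'" }
        if (hardened) index or HARDENED_BIT else index
    }
}

/** Fails if two APKs are configured with the same path, i.e. the same key. */
fun requireDistinctKeys(pathsByApk: Map<String, String>): Map<String, List<Long>> {
    val parsed = pathsByApk.mapValues { parseDerivationPath(it.value) }
    val shared = parsed.entries.groupBy({ it.value }, { it.key }).values.filter { it.size > 1 }
    require(shared.isEmpty()) { "APKs sharing a signing key: $shared" }
    return parsed
}

fun main() {
    // Constructed configuration: one hardened child per app under a made-up branch.
    val config = mapOf("wallet.apk" to "m/1000'/0'", "tools.apk" to "m/1000'/1'")
    requireDistinctKeys(config).forEach { (apk, indexes) ->
        println("$apk -> " + indexes.joinToString { "0x" + it.toString(16) })
    }
    // "m/1000h/0h" is the same key as "m/1000'/0'", so this configuration is rejected.
    val clash = config + ("other.apk" to "m/1000h/0h")
    println(runCatching { requireDistinctKeys(clash) }.exceptionOrNull()?.message)
    println(runCatching { parseDerivationPath("m/44'/x") }.exceptionOrNull()?.message)
}
```

Comparing parsed indexes rather than raw strings is what catches two spellings of the same path.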