ci: verify release signatures

ovitrif · ovitrif · commit 6fbe9ce87851 · 2026-05-25T14:21:24.000+02:00
diff --git a/.github/workflows/release-internal.yml b/.github/workflows/release-internal.yml
@@ -68,6 +68,21 @@ jobs:
           KEY_PASSWORD: ${{ secrets.INTERNAL_KEY_PASSWORD }}
         run: ./gradlew assembleMainnetRelease --no-daemon --stacktrace
 
+      - name: Verify internal release signature
+        run: |
+          set -euo pipefail
+          android_sdk_root="${ANDROID_HOME:-${ANDROID_SDK_ROOT:-}}"
+          test -n "$android_sdk_root"
+          apksigner_path="$(find "$android_sdk_root/build-tools" -name apksigner -type f | sort -V | tail -n 1)"
+          test -n "$apksigner_path"
+
+          apk_count=0
+          while IFS= read -r -d '' apk_path; do
+            apk_count=$((apk_count + 1))
+            "$apksigner_path" verify --verbose --print-certs "$apk_path"
+          done < <(find app/build/outputs/apk/mainnet/release -name 'bitkit-mainnet-release-*.apk' -print0)
+          test "$apk_count" -gt 0
+
       - name: Collect internal artifacts
         id: artifacts
         run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -68,6 +68,28 @@ jobs:
           KEY_PASSWORD: ${{ secrets.BITKIT_KEY_PASSWORD }}
         run: ./gradlew assembleMainnetRelease bundleMainnetRelease --no-daemon --stacktrace
 
+      - name: Verify release signatures
+        run: |
+          set -euo pipefail
+          android_sdk_root="${ANDROID_HOME:-${ANDROID_SDK_ROOT:-}}"
+          test -n "$android_sdk_root"
+          apksigner_path="$(find "$android_sdk_root/build-tools" -name apksigner -type f | sort -V | tail -n 1)"
+          test -n "$apksigner_path"
+
+          apk_count=0
+          while IFS= read -r -d '' apk_path; do
+            apk_count=$((apk_count + 1))
+            "$apksigner_path" verify --verbose --print-certs "$apk_path"
+          done < <(find app/build/outputs/apk/mainnet/release -name 'bitkit-mainnet-release-*.apk' -print0)
+          test "$apk_count" -gt 0
+
+          bundle_count=0
+          while IFS= read -r -d '' bundle_path; do
+            bundle_count=$((bundle_count + 1))
+            jarsigner -verify -verbose -certs "$bundle_path"
+          done < <(find app/build/outputs/bundle/mainnetRelease -name 'bitkit-mainnet-release-*.aab' -print0)
+          test "$bundle_count" -gt 0
+
       - name: Collect release artifacts
         id: artifacts
         run: |
