This repository contains scripts, patches, and automated workflows designed to build a custom, modified version of the official Cryptomator Android application.
- Automated Containerized Builds: Utilizes Podman to create a reproducible build and signing environment for the Android application.
- License Verification Bypass: Includes a git patch that modifies the `DoLicenseCheck.java` use case to return an empty string, bypassing the app's default license validation.
- Custom Update Checker: Patches `UpdateCheckRepositoryImpl.java` to fetch update information from a custom GitHub repository (`ObjectAscended/cryptomator-android`) and replaces the public key used for verifying app updates.
- Automated Signing: Uses a dedicated signing container to automatically sign the resulting APK artifacts using `apksigner`.
The build process is managed primarily through GitHub Actions but uses a modular script architecture:
- `Containerfile`: Defines two isolated environments:
  - The `builder` image uses Ubuntu 26.04, JDK 17, and the Android SDK to compile the app.
  - The `signer` image uses Ubuntu 26.04 and `apksigner` to securely sign the artifacts.
- `build.sh`: A shell script executed inside the `builder` container. It runs the Gradle assemble tasks (`./gradlew assemble...Release`) to build the specific APK variants and collects the unsigned artifacts into an `/artifacts/` directory.
- `sign.sh`: Executed inside the `signer` container. It iterates through the unsigned APKs in the artifacts directory and signs them using the provided keystore.
To build the project successfully, several environment variables and secrets must be configured. A template is provided in `.env_example`.

Cloud Provider API Keys (Build Environment):
- `DROPBOX_API_KEY`
- `ONEDRIVE_API_KEY`
- `ONEDRIVE_API_REDIRCT_URI`
- `PCLOUD_CLIENT_ID`

Signing Credentials (Sign Environment):
- `SIGNING_KEYSTORE_PASSWORD`
- `SIGNING_KEY_ALIAS`
- `SIGNING_KEY_PASSWORD`
- `SIGNING_KEYSTORE_BASE64` (Used to decode the `.p12` keystore file during CI)

Update Checker Secrets:
- `ES256_PRIVATE_KEY` (Used by a Node.js script in the pipeline to sign the `version.jwt` payload for the custom update checker)
The provided `build.yml` workflow is fully automated and triggers on pushes, pull requests, or manual workflow dispatch.
- Environment Setup: Builds the required Podman images (`builder` and `signer`) and configures the environment variable files (`.env.build` and `.env.sign`) using GitHub Secrets.
- Code Retrieval: Checks out version `1.12.3` of the official `cryptomator/android` repository.
- Patch Application: Automatically applies the custom patches using `git am --3way`.
- Build & Sign: Runs the Podman containers to build the APK store variant and sign it.
- Release Preparation: Uses a Node.js script to hash the APK and generate a signed JWT (`version.jwt`) containing release notes and the custom download URL.
- Publishing: Automatically creates a GitHub Release with the compiled `cryptomator.apk` and the `version.jwt` file.
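
The release-preparation step, and the check an update client would run against the resulting `version.jwt`, sketched as an added example (not this repository's script). The claim names `version`, `url`, `releaseNotes` and `apkSha256`, the throwaway key pair, and the stand-in APK bytes are assumptions constructed for the demonstration.

```javascript
const crypto = require("node:crypto");
const b64u = (data) => Buffer.from(data).toString("base64url");
const sha256Hex = (bytes) => crypto.createHash("sha256").update(bytes).digest("hex");

// ES256 JWS signatures are the raw r||s pair (IEEE P1363), not the DER form Node emits by default.
function signJwt(claims, privateKey) {
  const input = b64u(JSON.stringify({ alg: "ES256", typ: "JWT" })) + "." + b64u(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return input + "." + b64u(sig);
}

// Pin the algorithm before verifying, so a token declaring "none" or HS256 is rejected outright.
function verifyJwt(token, publicKey) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  if (header.alg !== "ES256") throw new Error("unexpected alg");
  const ok = crypto.verify("sha256", Buffer.from(h + "." + p), { key: publicKey, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  return JSON.parse(Buffer.from(p, "base64url").toString());
}

// Pipeline side: bind the APK's SHA-256 into the signed claims (claim names are hypothetical).
function buildRelease(apkBytes, meta, privateKey) {
  return signJwt({ ...meta, apkSha256: sha256Hex(apkBytes) }, privateKey);
}

// Client side: trust the claims only after the signature verifies and the downloaded APK matches.
function checkUpdate(token, apkBytes, publicKey) {
  const claims = verifyJwt(token, publicKey);
  if (sha256Hex(apkBytes) !== claims.apkSha256) throw new Error("APK hash mismatch");
  return claims;
}

// Constructed sample input: throwaway P-256 key pair and placeholder APK bytes.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const apk = Buffer.from("constructed stand-in for cryptomator.apk");
const token = buildRelease(apk, { version: "0.0.0-example", url: "https://example.invalid/cryptomator.apk", releaseNotes: "constructed" }, privateKey);
console.log(checkUpdate(token, apk, publicKey).version);
```

Whoever holds the private key matching the public key compiled into the app controls which APK the update checker will accept, which is why the replaced public key in the update-checker patch is the trust anchor for every later update.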
The repository is configured via `.gitignore` to safely ignore sensitive files like `.p12` keystores, local `.env.*` files, and generated directories like `/artifacts/` and `/android/`.