mullvad
diff --git a/‎.github/workflows/android-audit.yml
+22-8 b/‎.github/workflows/android-audit.yml
+22-8
diff --git a/‎.github/workflows/verify-locked-down-signatures.yml
+4 b/‎.github/workflows/verify-locked-down-signatures.yml
+4
diff --git a/‎android/gradle/verification-keyring.keys
+1,359-2,640 b/‎android/gradle/verification-keyring.keys
+1,359-2,640
diff --git a/‎android/gradle/verification-metadata.keys.xml
+922 b/‎android/gradle/verification-metadata.keys.xml
+922
diff --git a/‎android/gradle/verification-metadata.xml
+1-229 b/‎android/gradle/verification-metadata.xml
+1-229
diff --git a/‎android/scripts/lockfile
+193 b/‎android/scripts/lockfile
+193
diff --git a/‎android/scripts/update-lockfile.sh
-100 b/‎android/scripts/update-lockfile.sh
-100
@@ -5,7 +5,9 @@ on:
     paths:
       - .github/workflows/android-audit.yml
       - android/gradle/verification-metadata.xml
-      - android/scripts/update-lockfile.sh
+      - android/gradle/verification-metadata.keys.xml
+      - android/gradle/verification-keyring.keys
+      - android/scripts/lockfile
       # libs.versions.toml and *.kts are necessary to ensure that the verification-metadata.xml is up-to-date
       # with our dependency usage due to the dependency verification not working as expected when keys are
       # specified for dependencies (DROID-1425).
@@ -59,19 +61,31 @@ jobs:
       - name: Fix HOME path
         run: echo "HOME=/root" >> $GITHUB_ENV
 
-      - name: Set locale
-        run: echo "LC_ALL=C.UTF-8" >> $GITHUB_ENV
-
       - uses: actions/checkout@v4
 
+      # Needed to run git diff later
       - name: Fix git dir
         run: git config --global --add safe.directory $(pwd)
 
-      - name: Create Android rustJniLibs dir
-        run: mkdir -p android/app/build/rustJniLibs/android
-
       - name: Re-generate lockfile
-        run: android/scripts/update-lockfile.sh
+        run: android/scripts/lockfile -u
 
       - name: Ensure no changes
         run: git diff --exit-code
+
+  verify-lockfile-keys:
+    needs: prepare
+    name: Verify lockfile keys
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ needs.prepare.outputs.container_image }}
+    steps:
+      # Fix for HOME path overridden by GH runners when building in containers, see:
+      # https://github.com/actions/runner/issues/863
+      - name: Fix HOME path
+        run: echo "HOME=/root" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+
+      - name: Verify lockfile keys metadata
+        run: android/scripts/lockfile -v
@@ -4,6 +4,7 @@ on:
   pull_request:
     paths:
       - .github/workflows/verify-locked-down-signatures.yml
+      - .github/workflows/android-audit.yml
       - .github/workflows/unicop.yml
       - .github/CODEOWNERS
       - Cargo.toml
@@ -21,8 +22,11 @@ on:
       - android/gradlew
       - android/gradlew.bat
       - android/gradle/verification-metadata.xml
+      - android/gradle/verification-metadata.keys.xml
+      - android/gradle/verification-keyring.keys
       - android/gradle/wrapper/gradle-wrapper.jar
       - android/gradle/wrapper/gradle-wrapper.properties
+      - android/scripts/lockfile
       - building/build-and-publish-container-image.sh
       - building/mullvad-app-container-signing.asc
       - building/linux-container-image.txt
 
@@ -0,0 +1,193 @@
+#!/usr/bin/env bash
+
+set -eu
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd "$SCRIPT_DIR"
+
+# shellcheck disable=SC1091
+source ../../scripts/utils/log
+
+print_usage() {
+  log "Usage: lockfile <option>"
+  log "Where option is one of the following flags:"
+  log "    -u, --update"
+  log "              Update the metadata files with new entries, and add new keys that may be used."
+  log "    -v, --verify"
+  log "              Verify all dependencies' signatures with the keys metadata file."
+  log "    -r, --renew-keys"
+  log "              Renew all keys, will remove all trusted keys and clear the keyring, allowing for old"
+  log "              keys to removed and key entries to be updated. This result is not reproducible since"
+  log "              entries may change depending on from which keyserver keys was fetched and how gradle"
+  log "              decides to create verification xml file. Also make sure to do an additional normal run"
+  log "              afterwards."
+  log "    -h, --help"
+  log "              Show this help page."
+}
+
+function main {
+    if [[ $# -eq 0 ]]; then
+        print_usage
+        exit 1
+    fi
+
+    if [[ $# -gt 1 ]]; then
+        log_error "Too many arguments"
+        print_usage
+        exit 1
+    fi
+
+    cd ../gradle/
+    trap cleanup EXIT
+
+    case "$1" in
+    "-u"|"--update")
+        setup_gradle
+        update_checksums
+        update_keys false
+        ;;
+    "-v"|"--verifiy")
+        setup_gradle
+        verify
+        ;;
+    "-r"|"--renew-keys")
+        setup_gradle
+        update_keys true
+        # First run can produce a pgp entry in among the checksums, a second run clears this out.
+        log_info "Running second time to flush out impurities"
+        update_keys false
+        ;;
+    "-h"|"--help")
+        print_usage
+        exit 0
+        ;;
+    *)
+        log_error "Invalid argument: \`$1\`"
+        print_usage
+        exit 1
+        ;;
+    esac
+}
+
+function cleanup {
+    log "Cleaning up temp dirs..."
+    rm -rf -- "$GRADLE_USER_HOME" "$TEMP_GRADLE_PROJECT_CACHE_DIR" verification-keyring.gpg
+}
+
+function setup_gradle {
+    # regardless if stopped.
+    GRADLE_OPTS="-Dorg.gradle.daemon=false"
+    # We must provide a template for mktemp to work properly on macOS.
+    GRADLE_USER_HOME=$(mktemp -d -t gradle-home-XXX)
+    TEMP_GRADLE_PROJECT_CACHE_DIR=$(mktemp -d -t gradle-cache-XXX)
+    # Task list to discover all tasks and their dependencies since
+    # just running the suggested 'help' task isn't sufficient.
+    GRADLE_TASKS=(
+        "lint"
+    )
+
+    export GRADLE_OPTS
+    export GRADLE_USER_HOME
+
+    log_header "Gradle Configuration"
+    log_info "home: $GRADLE_USER_HOME"
+    log_info "cache: $TEMP_GRADLE_PROJECT_CACHE_DIR"
+}
+
+function update_checksums {
+    log_header "Update checksums"
+
+    log "Removing old components..."
+    sed -i '/<components>/,/<\/components>/d' verification-metadata.xml
+
+    log "Generating new components..."
+    ../gradlew -q -p .. --project-cache-dir "$TEMP_GRADLE_PROJECT_CACHE_DIR" -M sha256 "${GRADLE_TASKS[@]}"
+
+    log_success "Successfully updated checksums"
+}
+
+function update_keys {
+    local renew_keys=$1
+
+    if [ "$renew_keys" = true ]; then
+      log_header "Renew keys"
+    else
+      log_header "Update keys"
+    fi
+
+    activate_keys_metadata
+
+    log "Temporarily enabling key servers..."
+    sed -Ei 's,key-servers enabled="[^"]+",key-servers enabled="true",' verification-metadata.xml
+
+    log "Removing old components..."
+    sed -i '/<components>/,/<\/components>/d' verification-metadata.xml
+
+    if [ "$renew_keys" = true ]; then
+        log_info "Renewing all keys"
+
+        log "Removing old trusted keys..."
+        sed -i '/<trusted-keys>/,/<\/trusted-keys>/d' verification-metadata.xml
+
+        log "Removing old keyring..."
+        rm verification-keyring.keys
+    fi
+
+    log "Generating new trusted keys & updating keyring..."
+    ../gradlew -q -p .. --project-cache-dir "$TEMP_GRADLE_PROJECT_CACHE_DIR" -M pgp,sha256 "${GRADLE_TASKS[@]}" --export-keys
+
+    log "Sorting keyring and removing duplicates..."
+      # Sort and unique the keyring
+      # https://github.com/gradle/gradle/issues/20140
+      # `sed 's/$/NEWLINE/g'` adds the word NEWLINE at the end of each line
+      # `tr -d '\n'` deletes the actual newlines
+      # `sed` again adds a newline at the end of each key, so each key is one line
+      # `sort` orders the keys deterministically
+      # `uniq` removes identical keys
+      # `sed 's/NEWLINE/\n/g'` puts the newlines back
+    < verification-keyring.keys \
+        sed 's/$/NEWLINE/g' \
+        | tr -d '\n' \
+        | sed 's/\(-----END PGP PUBLIC KEY BLOCK-----\)/\1\n/g' \
+        | grep "END PGP PUBLIC KEY BLOCK" \
+        | sort \
+        | uniq \
+        | sed 's/NEWLINE/\n/g' \
+        > verification-keyring.new.keys
+    mv -f verification-keyring.new.keys verification-keyring.keys
+
+    log "Disabling key servers..."
+    sed -Ezi 's,key-servers,key-servers enabled="false",' verification-metadata.xml
+
+    deactivate_keys_metadata
+
+    log_success "Successfully updated keys"
+}
+
+function activate_keys_metadata {
+    log_info "Activating keys metadata"
+    mv verification-metadata.xml verification-metadata.checksums.xml
+    mv verification-metadata.keys.xml verification-metadata.xml
+}
+
+function deactivate_keys_metadata {
+    log_info "Deactivating keys metadata"
+    mv verification-metadata.xml verification-metadata.keys.xml
+    mv verification-metadata.checksums.xml verification-metadata.xml
+}
+
+function verify {
+    log_header "Verify dependencies' signatures"
+
+    activate_keys_metadata
+
+    log "Verifying signatures..."
+    ../gradlew -q -p .. --project-cache-dir "$TEMP_GRADLE_PROJECT_CACHE_DIR" "${GRADLE_TASKS[@]}"
+
+    deactivate_keys_metadata
+
+    log_success "Verification successful"
+}
+
+# Run script
+main "$@"