Bitwarden Android App Signing Key Mistake

TL;DR: Bitwarden accidentally signed and released the fdroid version of their app with a debug cert. They have since rectified this error with a newer release signed with the correct pinned cert.

I use Obtainium to download and install new versions of Bitwarden from GitHub. (packageName com.x8bit.bitwarden)

Earlier today I couldn’t update the app with either the fdroid or regular release via either Obtainium or manual GitHub apk downloads. I grabbed the last 3 versions of each release (versionName 2024.2.1, 2024.2.0 and 2024.1.1) and inspected them with com.apk.editor and apksigner, and found that the fdroid and regular releases are signed by different certs, which is fine and prevents accidentally migrating from one release to another.

The problem with updating to the fdroid release 2024.2.1 versionCode 9641 was that they accidentally signed the apk with a brand spanking new debug cert with a different key. Bitwarden has since re-released (note the timestamp discrepancies of the assets on GitHub) the fdroid version with a higher versionCode 9705 but same versionName 2024.2.1 signed with the earlier pinned cert.

I believe this should serve as a reminder to always verify apk signatures even when using TLS connections to reputable sites, as even professional and reputable organizations make mistakes. While a mildly concerning incident this has further strengthened my appreciation for FOSS projects and their communities as I am not the only person to notice this flub.

Correct Fdroid version com.x8bit.bitwarden-fdroid.apk
Signer #1 certificate DN: CN=Bitwarden, OU=IT, O=Bitwarden
Signer #1 certificate SHA-256 digest: de6ec91431557995297bf3e65bc80349bc603a04708160618c86bc9994171c90
Signer #1 certificate SHA-1 digest: 6e8701765efcf3e53a5ba136c5147f43b91e28c2
Signer #1 certificate MD5 digest: 5d4269ea4edc87bd222fa81f52b76642

Regular version com.x8bit.bitwarden.apk
Signer #1 certificate DN: CN=Unknown, OU=Engineering, O=8bit Solutions LLC, L=Jacksonville, ST=Florida, C=US
Signer #1 certificate SHA-256 digest: 24e06c04c208048f19f1c993b4dda4430ea8b06db8375ea0e37b834696b9ac3a
Signer #1 certificate SHA-1 digest: 754185cd4cdfde598748b043048bfe59a17264c2
Signer #1 certificate MD5 digest: be9ec31af72b4e1b0f69a07d4c60ecbd

Incorrect Fdroid version com.x8bit.bitwarden-fdroid.apk
Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: e24f1ed95a3a8b97b146733f00f6597ddd06c68b81ca026400cd7cccc1a5af54
Signer #1 certificate SHA-1 digest: 7fd8778bf4d6033bab66f63d420f037c82aa5116
Signer #1 certificate MD5 digest: 1f524e77b10036cb0f7b9614ef1ed229
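As an added example (not part of the original post or of Bitwarden's tooling), here is a small pin check that parses `apksigner verify --print-certs` output, flags an `Android Debug` signer like the one above, and compares the signer's SHA-256 digest against the expected value before an install. The sample output and pinned digests are copied from the post; `verify_apk` assumes `apksigner` from the Android build-tools is on PATH.

```python
import re
import subprocess
from typing import Dict

# Pinned signer-certificate SHA-256 digests, taken from the apksigner output quoted in the post.
PINNED_SHA256 = {
    "com.x8bit.bitwarden-fdroid.apk": "de6ec91431557995297bf3e65bc80349bc603a04708160618c86bc9994171c90",
    "com.x8bit.bitwarden.apk": "24e06c04c208048f19f1c993b4dda4430ea8b06db8375ea0e37b834696b9ac3a",
}

# Sample apksigner output (copied from the post) so the checks below run offline.
CORRECT_FDROID = """Signer #1 certificate DN: CN=Bitwarden, OU=IT, O=Bitwarden
Signer #1 certificate SHA-256 digest: de6ec91431557995297bf3e65bc80349bc603a04708160618c86bc9994171c90
Signer #1 certificate SHA-1 digest: 6e8701765efcf3e53a5ba136c5147f43b91e28c2
Signer #1 certificate MD5 digest: 5d4269ea4edc87bd222fa81f52b76642"""
DEBUG_FDROID = """Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: e24f1ed95a3a8b97b146733f00f6597ddd06c68b81ca026400cd7cccc1a5af54
Signer #1 certificate SHA-1 digest: 7fd8778bf4d6033bab66f63d420f037c82aa5116
Signer #1 certificate MD5 digest: 1f524e77b10036cb0f7b9614ef1ed229"""

_CERT_LINE = re.compile(r"^Signer #(\d+) certificate (DN|SHA-256 digest|SHA-1 digest|MD5 digest): (.+)$")


def parse_apksigner_certs(output: str) -> Dict[int, Dict[str, str]]:
    """Turn `apksigner verify --print-certs` text into {signer_index: {field: value}}."""
    signers: Dict[int, Dict[str, str]] = {}
    for line in output.splitlines():
        m = _CERT_LINE.match(line.strip())
        if m:
            idx, field, value = int(m.group(1)), m.group(2), m.group(3).strip()
            signers.setdefault(idx, {})[field] = value.lower() if "digest" in field else value
    return signers


def check_pin(output: str, expected_sha256: str) -> str:
    """Classify one APK's signer: 'ok', 'debug-cert', 'mismatch' or 'unsigned'."""
    signers = parse_apksigner_certs(output)
    if not signers:
        return "unsigned"
    if any("CN=Android Debug" in c.get("DN", "") for c in signers.values()):
        return "debug-cert"  # the mistake in the post: a freshly generated debug keystore
    digests = {c.get("SHA-256 digest") for c in signers.values()}
    return "ok" if digests == {expected_sha256.lower()} else "mismatch"


def verify_apk(path: str, expected_sha256: str, apksigner: str = "apksigner") -> str:
    """Run the real apksigner (Android build-tools, assumed on PATH) on a downloaded APK."""
    proc = subprocess.run([apksigner, "verify", "--print-certs", path], capture_output=True, text=True)
    if proc.returncode != 0:
        return "invalid-signature"  # signature absent or does not verify at all
    return check_pin(proc.stdout, expected_sha256)
```

Anything other than `ok` for the pinned digest of the flavour you downloaded is a reason not to install, exactly the situation the versionCode 9641 fdroid build would have produced.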


Updated from GitHub via Obtainium, everything went fine