From c7cab6c2dcf9db936963c1e4997dd736b36f1f67 Mon Sep 17 00:00:00 2001
From: Farnam Taheri <taheri.farnam@gmail.com>
Date: Mon, 11 May 2026 21:03:06 +0330
Subject: [PATCH] fix(android): require explicit release signing

Stop release builds from silently falling back to the debug signing key. Debug builds and normal Gradle task configuration remain unchanged, while Release app tasks now require ANDROID_SIGNING_ENABLED=true and the signing environment variables.
---
 android/app/build.gradle.kts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/android/app/build.gradle.kts b/android/app/build.gradle.kts
index a9e81eb..d82b097 100644
--- a/android/app/build.gradle.kts
+++ b/android/app/build.gradle.kts
@@ -57,7 +57,9 @@ android {
             isMinifyEnabled = true
             isShrinkResources = true
             val signingEnabled = System.getenv("ANDROID_SIGNING_ENABLED") == "true"
-            signingConfig = if (signingEnabled) signingConfigs.getByName("release") else signingConfigs.getByName("debug")
+            if (signingEnabled) {
+                signingConfig = signingConfigs.getByName("release")
+            }
             proguardFiles(
                 getDefaultProguardFile("proguard-android-optimize.txt"),
                 "proguard-rules.pro"
@@ -95,6 +97,17 @@ android {
     }
 }
 
+gradle.taskGraph.whenReady {
+    val releaseTaskRequested = allTasks.any { task ->
+        task.path.startsWith(":app:") && task.name.contains("Release")
+    }
+    if (releaseTaskRequested && System.getenv("ANDROID_SIGNING_ENABLED") != "true") {
+        throw org.gradle.api.GradleException(
+            "Release builds require ANDROID_SIGNING_ENABLED=true and Android signing environment variables."
+        )
+    }
+}
+
 dependencies {
     // Go mobile library (built via gomobile bind)
     implementation(fileTree(mapOf("dir" to "libs", "include" to listOf("*.aar", "*.jar"))))