Back to blogging in 2020!

Forgetting the Code Signing Password to Sketch-a-bit

There are 3 things I remember completely forgetting in my life. In that a) it sort of matters (mattered) that I remember these things and b) even many years later, I have NOT finally remembered. The first was my ATM PIN. It wasn't even a new pin. It just escaped my memory one day and was gone forever. I called Adam and was like, "Hey, did I ever share my pin with you? No? Darn." Later I called the bank and chose a more memorable one.

The second and third things I've forgotten are the code signing passwords to Sketch-a-bit and apparently Impressionist Fingerpaint. In my defense, Adam picked out and typed those passwords, but did show them to me. So they're not in my muscle memory anywhere at all.

Why this sucks

It means we can't update the Sketch-a-bit application at all.

It used to be that you could use a new key and the update would require people to remove the app and reinstall instead of just normal updating. Apparently this happened to Twitter and a few other apps and it was mostly inconvenient and embarrassing.

Now, security in the Google Play store seems tighter. If I try to upgrade my APK file, it yells at me and says, "The apk must be signed with the same certificates as the previous version."

It also means that we can't update Impressionist Fingerpaint, either. I have a feeling that password (since it was invented much more recently) will be easier/possible to recover from someone's brainmeat, though, and it doesn't have very many users.

But I wanted to make Sketch-a-bit suuuuper awesome!!

I still do!! Ahhh, I wish I could just upgrade the main app!

Now that we've seen how people cope with starting from another random user's random image, I kind of want to see what artistry people are capable of if they get to have more choice and agency. To achieve this, I was thinking of having a gallery and letting people select which sketches they want to start from.

I also want to make the system a little less anonymous by having random user ids instead of no identity whatsoever. Right now I can hypothesize about the same artist drawing several images in a row, but there's no way to know for sure.

At a retreat for my lab at UW, I learned that the color red was probably the first color people were aware of after dark and light. Here's a link to a wikipedia page with more info. Adam and I thought it would be totally awesome to introduce RED into Sketch-a-bit, then.

Decisions, decisions

The questions now are whether or not to spend more time trying to remember those passwords. We tried cracking one and learned that it's probably longer than 5 characters.

And then whether or not to release a Sketch-a-bit 2 and how many features to add. Just the bug fixes? Or more of those desired features that I don't really have time to implement? Seems like an entirely new version warrants some significant changes.

Good enough solution: put the APK online

I realized on the bus this morning that this is what I should do to get the fixes that I'd made to the two people who were requesting them. So now it's online. In a slightly secret location. I want to add the user ids and something on the server that tracks users and version numbers, and THEN I'll publicize the location.

Currently there are 3 people out there in the world capable of drawing in red. Here's what one of them made!

What have we learned here?

If you're going to release some code at 2am right before going to sleep, or 7pm right before grabbing a beer, PICK A MEMORABLE PASSWORD for your code signing key. Make a mnemonic for it. Write it down on a post-it. Email the password or the mnemonic or both to yourself. Whatever. In this case, I think losing the password was more trouble than having other people steal it and publish apps under our name.


Life moves on and we're still enabling people to make awesome things!


  1. Here's a fancy site: research from Stanford I believe

    You only have one password, plus the name of the website to which that password corresponds. It's like RSA for humans- a man-in-the-middle (ie leaked passwords) only get your hashed password, specific to that site, and not your private key.

  2. Historically, releasing a "version 2" on the marketplace and updating that instead of the original seems to send the right message. Good luck with your passwords otherwise.

  3. If the password is a reasonable length, we might be able to brute-force it.

    Does the signing key actually need to be encrypted with a password?


Post a Comment