[github] Manage private secrets with GitHub Secrets to enhance security

1. Restore the original simple version of `configure.sh` Restores 08e37f4 "Refactor configure.sh" Reverts b87ee95b "Fixed configure.sh script and gh actions" 2. Use GitHub Secrets instead of a private git repository to enhance security standards and ensure credentials are encrypted and safely managed. 3. Document credentials used by GitHub Actions in docs/CREDENTIALS.md 4. Include `network_security_config.xml` directly into the repo as it has nothing sensitive. 5. Include Apple WWDR intermediate certificates directly into the repo as they are not sensitive and publicly available. https://developer.apple.com/help/account/reference/wwdr-intermediate-certificates 6. Add `private.h` in the repository since it does not differ from `private_defaults.h`. Signed-off-by: Roman Tsisyk <roman@tsisyk.com>
2024-12-25 20:15:11 +00:00 · 2024-12-25 20:15:11 +00:00 · e00f33a076
commit e00f33a076
parent 92850e8c2c
24 changed files with 273 additions and 248 deletions
--- a/.github/workflows/android-beta.yaml
+++ b/.github/workflows/android-beta.yaml
@ -56,19 +56,24 @@ jobs:
        shell: bash
        run: git submodule update --depth 1 --init --recursive --jobs=$(($(nproc) * 20))
-      - name: Checkout private keys
+      - name: Restore beta keys
        uses: actions/checkout@v4
        with:
          repository: ${{ secrets.PRIVATE_REPO }}
          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
          ref: master
          path: private.git
      - name: Configure repo with private keys
        shell: bash
        run: |
-          ./configure.sh ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
-          rm -rf ./private.git
+          echo "$FIREBASE_APP_DISTRIBUTION_JSON" | base64 -d > android/app/firebase-app-distribution.json
          echo "$GOOGLE_SERVICES_JSON" | base64 -d > android/app/google-services.json
          echo "$SECURE_PROPERTIES" | base64 -d > android/app/secure.properties
          echo "$RELEASE_KEYSTORE" | base64 -d > android/app/release.keystore
        env:
          PRIVATE_H: ${{ secrets.PRIVATE_H }}
          FIREBASE_APP_DISTRIBUTION_JSON: ${{ secrets.FIREBASE_APP_DISTRIBUTION_JSON }}
          GOOGLE_SERVICES_JSON: ${{ secrets.GOOGLE_SERVICES_JSON }}
          SECURE_PROPERTIES: ${{ secrets.SECURE_PROPERTIES }}
          RELEASE_KEYSTORE: ${{ secrets.RELEASE_KEYSTORE }}
      - name: Configure repository
        shell: bash
        run: ./configure.sh
      - name: Compile
        shell: bash
--- a/.github/workflows/android-check.yaml
+++ b/.github/workflows/android-check.yaml
@ -51,7 +51,7 @@ jobs:
        shell: bash
        run: git submodule update --depth 1 --init --recursive --jobs=$(($(nproc) * 20))
-      - name: Configure in Open Source mode
+      - name: Configure repository
        shell: bash
        run: ./configure.sh
@ -66,11 +66,11 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        flavor: [WebDebug, FdroidBeta]
+        flavor: [WebDebug, FdroidDebug]
        include:
          - flavor: WebDebug
            arch: arm64
-          - flavor: FdroidBeta
+          - flavor: FdroidDebug
            arch: arm32
    # Cancels previous jobs if the same branch or PR was updated again.
    concurrency:
@ -93,7 +93,7 @@ jobs:
        shell: bash
        run: git submodule update --depth 1 --init --recursive --jobs=$(($(nproc) * 20))
-      - name: Configure in Open Source mode
+      - name: Configure repository
        shell: bash
        run: ./configure.sh
--- a/.github/workflows/android-monkey.yaml
+++ b/.github/workflows/android-monkey.yaml
@ -56,19 +56,26 @@ jobs:
        shell: bash
        run: git submodule update --depth 1 --init --recursive --jobs=$(($(nproc) * 20))
-      - name: Checkout private keys
+      - name: Restore beta keys
        uses: actions/checkout@v4
        with:
          repository: ${{ secrets.PRIVATE_REPO }}
          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
          ref: master
          path: private.git
      - name: Configure repo with private keys
        shell: bash
        run: |
-          ./configure.sh ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
-          rm -rf ./private.git
+          echo "$FIREBASE_TEST_LAB_JSON" | base64 -d > android/app/firebase-test-lab.json
          echo "$FIREBASE_APP_DISTRIBUTION_JSON" | base64 -d > android/app/firebase-app-distribution.json
          echo "$GOOGLE_SERVICES_JSON" | base64 -d > android/app/google-services.json
          echo "$SECURE_PROPERTIES" | base64 -d > android/app/secure.properties
          echo "$RELEASE_KEYSTORE" | base64 -d > android/app/release.keystore
        env:
          PRIVATE_H: ${{ secrets.PRIVATE_H }}
          FIREBASE_TEST_LAB_JSON: ${{ secrets.FIREBASE_TEST_LAB_JSON }}
          FIREBASE_APP_DISTRIBUTION_JSON: ${{ secrets.FIREBASE_APP_DISTRIBUTION_JSON }}
          GOOGLE_SERVICES_JSON: ${{ secrets.GOOGLE_SERVICES_JSON }}
          SECURE_PROPERTIES: ${{ secrets.SECURE_PROPERTIES }}
          RELEASE_KEYSTORE: ${{ secrets.RELEASE_KEYSTORE }}
      - name: Configure repository
        shell: bash
        run: ./configure.sh
      - name: Compile
        shell: bash
--- a/.github/workflows/android-release-metadata.yaml
+++ b/.github/workflows/android-release-metadata.yaml
@ -26,19 +26,14 @@ jobs:
          ref: master
          path: screenshots
-      - name: Checkout private keys
+      - name: Restore release keys
        uses: actions/checkout@v4
        with:
          repository: ${{ secrets.PRIVATE_REPO }}
          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
          ref: master
          path: private.git
      - name: Configure repo with private keys
        shell: bash
        run: |
-          ./configure.sh ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
-          rm -rf ./private.git
+          echo "$GOOGLE_PLAY_JSON" | base64 -d > android/app/google-play.json
        env:
          PRIVATE_H: ${{ secrets.PRIVATE_H }}
          GOOGLE_PLAY_JSON: ${{ secrets.GOOGLE_PLAY_JSON }}
      - name: Upload
        shell: bash
--- a/.github/workflows/android-release.yaml
+++ b/.github/workflows/android-release.yaml
@ -100,19 +100,26 @@ jobs:
          ref: master
          path: screenshots
-      - name: Checkout private keys
+      - name: Restore release keys
        uses: actions/checkout@v4
        with:
          repository: ${{ secrets.PRIVATE_REPO }}
          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
          ref: master
          path: private.git
      - name: Configure repo with private keys
        shell: bash
        run: |
-          ./configure.sh ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
-          rm -rf ./private.git
+          echo "$GOOGLE_PLAY_JSON" | base64 -d > android/app/google-play.json
          echo "$HUAWEI_APPGALLERY_JSON" | base64 -d > android/app/huawei-appgallery.json
          echo "$AGCONNECT_SERVICES_JSON" | base64 -d > android/app/agconnect-services.json
          echo "$SECURE_PROPERTIES" | base64 -d > android/app/secure.properties
          echo "$RELEASE_KEYSTORE" | base64 -d > android/app/release.keystore
        env:
          PRIVATE_H: ${{ secrets.PRIVATE_H }}
          GOOGLE_PLAY_JSON: ${{ secrets.GOOGLE_PLAY_JSON }}
          HUAWEI_APPGALLERY_JSON: ${{ secrets.HUAWEI_APPGALLERY_JSON }}
          AGCONNECT_SERVICES_JSON: ${{ secrets.AGCONNECT_SERVICES_JSON }}
          SECURE_PROPERTIES: ${{ secrets.SECURE_PROPERTIES }}
          RELEASE_KEYSTORE: ${{ secrets.RELEASE_KEYSTORE }}
      - name: Configure repository
        shell: bash
        run: ./configure.sh
      - name: Set up SDK
        shell: bash
--- a/.github/workflows/coverage-check.yaml
+++ b/.github/workflows/coverage-check.yaml
@ -94,7 +94,7 @@ jobs:
              llvm \
              gcovr
-      - name: Configure
+      - name: Configure repository
        shell: bash
        run: ./configure.sh
--- a/.github/workflows/ios-beta.yaml
+++ b/.github/workflows/ios-beta.yaml
@ -52,18 +52,23 @@ jobs:
      - name: Parallel submodules checkout
        run: git submodule update --depth 1 --init --recursive --jobs=$(($(sysctl -n hw.logicalcpu) * 20))
-      - name: Checkout private keys
+      - name: Restore beta keys
-        uses: actions/checkout@v4
+        shell: bash
        with:
          repository: ${{ secrets.PRIVATE_REPO }}
          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
          ref: master
          path: private.git
      - name: Configure repo with private keys
        run: |
-          ./configure.sh ./private.git
+          mkdir -p xcode/keys
-          rm -rf ./private.git
+          echo "$PRIVATE_H" | base64 -d > private.h
          echo "$APPSTORE_JSON" | base64 -d > xcode/keys/appstore.json
          echo "$CERTIFICATES_DEV_P12" | base64 -d > xcode/keys/CertificatesDev.p12
          echo "$CERTIFICATES_DISTR_P12" | base64 -d > xcode/keys/CertificatesDistr.p12
        env:
          PRIVATE_H: ${{ secrets.PRIVATE_H }}
          APPSTORE_JSON: ${{ secrets.APPSTORE_JSON }}
          CERTIFICATES_DEV_P12: ${{ secrets.CERTIFICATES_DEV_P12 }}
          CERTIFICATES_DISTR_P12: ${{ secrets.CERTIFICATES_DISTR_P12 }}
      - name: Configure repository
        shell: bash
        run: ./configure.sh
      - name: Compile and upload to TestFlight
        run: |
--- a/.github/workflows/ios-check.yaml
+++ b/.github/workflows/ios-check.yaml
@ -59,7 +59,7 @@ jobs:
        shell: bash
        run: git submodule update --depth 1 --init --recursive --jobs=$(($(sysctl -n hw.logicalcpu) * 20))
-      - name: Configure
+      - name: Configure repository
        shell: bash
        run: ./configure.sh
--- a/.github/workflows/ios-release.yaml
+++ b/.github/workflows/ios-release.yaml
@ -16,20 +16,13 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
-      - name: Checkout private keys
+      - name: Restore release keys
        uses: actions/checkout@v4
        with:
          repository: ${{ secrets.PRIVATE_REPO }}
          ssh-key: ${{ secrets.PRIVATE_SSH_KEY }}
          ref: master
          path: ./private.git
      - name: Configure repo with private keys
        shell: bash
        run: |
-          mkdir -p xcode/keys/
+          mkdir -p xcode/keys
-          cp -p ./private.git/xcode/keys/appstore.json xcode/keys/
+          echo "$APPSTORE_JSON" | base64 -d > xcode/keys/appstore.json
-          rm -rf ./private.git
+        env:
          APPSTORE_JSON: ${{ secrets.APPSTORE_JSON }}
      - name: Checkout screenshots
        uses: actions/checkout@v4
--- a/.github/workflows/linux-check.yaml
+++ b/.github/workflows/linux-check.yaml
@ -67,7 +67,7 @@ jobs:
              libqt6positioning6-plugins \
              libqt6positioning6
-      - name: Configure
+      - name: Configure repository
        shell: bash
        run: ./configure.sh
@ -134,7 +134,7 @@ jobs:
              libqt6positioning6-plugins \
              libqt6positioning6
-      - name: Configure
+      - name: Configure repository
        shell: bash
        run: ./configure.sh
--- a/.github/workflows/macos-check.yaml
+++ b/.github/workflows/macos-check.yaml
@ -57,7 +57,7 @@ jobs:
        run: |
          HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK=1 brew install ninja qt@6
-      - name: Configure
+      - name: Configure repository
        shell: bash
        run: ./configure.sh
--- a/android/app/build.gradle
+++ b/android/app/build.gradle
@ -45,7 +45,6 @@ repositories {
 }
 apply plugin: 'com.android.application'
 apply from: 'secure.properties'
 if (googleFirebaseServicesEnabled) {
  apply plugin: 'com.google.gms.google-services'
  apply plugin: 'com.google.firebase.crashlytics'
@ -247,6 +246,11 @@ android {
    }
  }
  def securityPropertiesFileExists = file('secure.properties').exists()
  if (securityPropertiesFileExists) {
    apply from: 'secure.properties'
  }
  signingConfigs {
    debug {
      storeFile file('debug.keystore')
@ -256,10 +260,15 @@ android {
    }
    release {
-      storeFile file(spropStoreFile)
+      if (securityPropertiesFileExists) {
-      storePassword spropStorePassword
+        println('The release signing keys are available')
-      keyAlias spropKeyAlias
+        storeFile file(spropStoreFile)
-      keyPassword spropKeyPassword
+        storePassword spropStorePassword
        keyAlias spropKeyAlias
        keyPassword spropKeyPassword
      } else {
        println('The release signing keys are unavailable')
      }
    }
  }
--- a/android/app/src/main/res/xml/network_security_config.xml
+++ b/android/app/src/main/res/xml/network_security_config.xml
@ -0,0 +1,20 @@
 <?xml version="1.0" encoding="utf-8"?>
 <network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <!-- Certificates are required for Android 7 and below. See the link for details:
           https://community.letsencrypt.org/t/letsencrypt-certificates-fails-on-android-phones-running-android-7-or-older/205686 -->
      <certificates src="@raw/isrgrootx1" />
      <certificates src="@raw/globalsignr4" />
      <certificates src="@raw/gtsrootr1" />
      <certificates src="@raw/gtsrootr2" />
      <certificates src="@raw/gtsrootr3" />
      <certificates src="@raw/gtsrootr4" />
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">organicmaps.app</domain>
    <domain includeSubdomains="true">omaps.app</domain>
  </domain-config>
 </network-security-config>
--- a/configure.sh
+++ b/configure.sh
@ -1,171 +1,17 @@
 #!/usr/bin/env bash
 #
 # Please run this script to configure the repository after cloning it.
 #
-# When configuring with private repository, the following override hierarchy is used:
+set -euo pipefail
 # - commandline parameters - most specific, always wins.
 # - stdin parameters.
 # - saved repository - least specific, if present.
 # - fallback to opensource mode.
-# Stop on the first error.
+echo "Configuring the repository for development."
 set -e -u
-BASE_PATH=$(cd "$(dirname "$0")"; pwd)
+if [ ! -d 3party/boost/tools ]; then
-
+  git submodule update --init --recursive
 DEFAULT_PRIVATE_HEADER="$BASE_PATH/private_default.h"
 PRIVATE_HEADER="private.h"
 PRIVATE_PROPERTIES="android/app/secure.properties"
 PRIVATE_NETWORK_CONFIG="android/app/src/main/res/xml/network_security_config.xml"
 PRIVATE_GOOGLE_SERVICES="android/app/google-services.json"
 SAVED_PRIVATE_REPO_FILE="$BASE_PATH/.private_repository_url"
 SAVED_PRIVATE_BRANCH_FILE="$BASE_PATH/.private_repository_branch"
 TMP_REPO_DIR="$BASE_PATH/.tmp.private.repo"
 usage() {
  echo "This tool configures Organic Maps for an opensource build by default"
  echo "and bootstraps the Boost submodule after that."
  echo
  echo "To e.g. publish in app stores populate following configs with your own private keys etc."
  echo "  $PRIVATE_HEADER"
  echo "  $PRIVATE_PROPERTIES"
  echo "  $PRIVATE_NETWORK_CONFIG"
  echo "  $PRIVATE_GOOGLE_SERVICES"
  echo "The tool can copy over the necessary configs from a given private repo and a branch"
  echo "(it copies all files except README.md)."
  echo "It remembers the repo and the branch to pull the config changes automatically on next run."
  echo
  echo "Usage:"
  echo "  $0 private_repo_url [private_repo_branch]  - copy configs from a private repo (master is the default branch)"
  echo "  echo 'private_repo_url [private_repo_branch]' | $0  - alternate invocation for private repo configuration"
  echo "  $0  - use a saved repo and a branch if present or default to an opensource build configs"
  echo ""
 }
 setup_opensource() {
  echo "Initializing repository with default values in Open-Source mode."
  cat "$DEFAULT_PRIVATE_HEADER" > "$BASE_PATH/$PRIVATE_HEADER"
  echo 'ext {
  spropStoreFile = "debug.keystore"
  spropStorePassword = "12345678"
  spropKeyAlias = "debug"
  spropKeyPassword = "12345678"
 }
 ' > "$BASE_PATH/$PRIVATE_PROPERTIES"
  echo '<?xml version="1.0" encoding="utf-8"?>
 <network-security-config>
  <base-config>
    <trust-anchors>
      <!-- Certificates are required for Android 7 and below. See the link for details:
           https://community.letsencrypt.org/t/letsencrypt-certificates-fails-on-android-phones-running-android-7-or-older/205686 -->
      <certificates src="@raw/isrgrootx1" />
      <certificates src="@raw/globalsignr4" />
      <certificates src="@raw/gtsrootr1" />
      <certificates src="@raw/gtsrootr2" />
      <certificates src="@raw/gtsrootr3" />
      <certificates src="@raw/gtsrootr4" />
      <certificates src="system" />
    </trust-anchors>
  </base-config>
 </network-security-config>
 ' > "$BASE_PATH/$PRIVATE_NETWORK_CONFIG"
  rm -f "$BASE_PATH/$PRIVATE_GOOGLE_SERVICES"
 }
 # Clone the private repo and copy all of its files (except README.md) into the main repo
 setup_private() {
  echo "Copying private configuration files from the repo '$PRIVATE_REPO', branch '$PRIVATE_BRANCH'"
  set -x
  rm -rf "$TMP_REPO_DIR"
  git clone --branch "$PRIVATE_BRANCH" --depth 1 "$PRIVATE_REPO" "$TMP_REPO_DIR"
  echo "$PRIVATE_REPO" > "$SAVED_PRIVATE_REPO_FILE"
  echo "$PRIVATE_BRANCH" > "$SAVED_PRIVATE_BRANCH_FILE"
  echo "Saved private repository url '$PRIVATE_REPO' to '$SAVED_PRIVATE_REPO_FILE'"
  echo "Saved private branch '$PRIVATE_BRANCH' to '$SAVED_PRIVATE_BRANCH_FILE'"
  cd $TMP_REPO_DIR
  rm -rf "$TMP_REPO_DIR/.git" "$TMP_REPO_DIR/README.md"
  cp -Rv "$TMP_REPO_DIR"/* "$BASE_PATH"
  rm -rf "$TMP_REPO_DIR"
  # Remove old android secrets during the transition period to the new project structure
  echo "Removing keys from old locations"
  rm -f android/release.keystore \
        android/secure.properties \
        android/libnotify.properties \
        android/google-services.json \
        android/google-play.json \
        android/firebase-app-distribution.json \
        android/firebase-test-lab.json \
        android/huawei-appgallery.json \
        android/res/xml/network_security_config.xml
  set +x
  echo "Private files have been updated."
 }
 if [ "${1-}" = "-h" -o "${1-}" = "--help" ]; then
  usage
  exit 1
 fi
-
+pushd 3party/boost/
-ARGS_PRIVATE_REPO=${1-}
+./bootstrap.sh
-ARGS_PRIVATE_BRANCH=${2-}
+./b2 headers
-
+popd
-if [ -n "$ARGS_PRIVATE_REPO" ]; then
+echo "The repository is configured for development."
  PRIVATE_REPO=$ARGS_PRIVATE_REPO
  if [ -n "$ARGS_PRIVATE_BRANCH" ]; then
    PRIVATE_BRANCH=$ARGS_PRIVATE_BRANCH
  else
    PRIVATE_BRANCH=master
  fi
 else
  read -t 1 READ_PRIVATE_REPO READ_PRIVATE_BRANCH || true
  if [ -n "${READ_PRIVATE_REPO-}" ]; then
    PRIVATE_REPO=$READ_PRIVATE_REPO
    if [ -n "${READ_PRIVATE_BRANCH-}" ]; then
      PRIVATE_BRANCH=$READ_PRIVATE_BRANCH
    else
      PRIVATE_BRANCH=master
    fi
  elif [ -f "$SAVED_PRIVATE_REPO_FILE" ]; then
    PRIVATE_REPO=`cat "$SAVED_PRIVATE_REPO_FILE"`
    echo "Using stored private repository URL: $PRIVATE_REPO"
    if [ -f "$SAVED_PRIVATE_BRANCH_FILE" ]; then
      PRIVATE_BRANCH=`cat "$SAVED_PRIVATE_BRANCH_FILE"`
      echo "Using stored private branch: $PRIVATE_BRANCH"
    else
      PRIVATE_BRANCH=master
    fi
  else
    PRIVATE_REPO=""
  fi
 fi
 if [ -n "$PRIVATE_REPO" ]; then
  setup_private
 else
  setup_opensource
 fi
 # TODO: Remove these lines when XCode project is finally generated by CMake.
 if [ ! -d "$BASE_PATH/3party/boost/" ]; then
  echo "You need to have Boost submodule present to run bootstrap.sh"
  echo "Try 'git submodule update --init --recursive'"
  exit 1
 fi
 if [ ! -d "$BASE_PATH/3party/boost/tools" ]; then
  echo "Boost's submodule 'tools' is missing, it is required for bootstrap"
  echo "Try 'git submodule update --init --recursive'"
  exit 1
 fi
 cd "$BASE_PATH/3party/boost/"
 if [[ "$OSTYPE" == msys ]]; then
  echo "For Windows please run:"
  echo "cd 3party\\boost"
  echo "bootstrap.bat"
  echo "b2 headers"
  echo "cd ..\\.."
 else
  ./bootstrap.sh
  ./b2 headers
 fi
 cd "$BASE_PATH"
--- a/docs/CREDENTIALS.md
+++ b/docs/CREDENTIALS.md
@ -0,0 +1,127 @@
 This file contains a list of all sensitive credentials, access keys, authentication tokens, and security certificates used by CI/CD (Github Actions).
 - [PRIVATE\_H](#private_h)
 - [RELEASE\_KEYSTORE](#release_keystore)
 - [SECURE\_PROPERTIES](#secure_properties)
 - [FIREBASE\_APP\_DISTRIBUTION\_JSON](#firebase_app_distribution_json)
 - [FIREBASE\_TEST\_LAB\_JSON](#firebase_test_lab_json)
 - [GOOGLE\_SERVICES\_JSON](#google_services_json)
 - [GOOGLE\_PLAY\_JSON](#google_play_json)
 - [HUAWEI\_APPGALLERY\_JSON](#huawei_appgallery_json)
 - [AGCONNECT\_SERVICES\_JSON](#agconnect_services_json)
 - [APPSTORE\_JSON](#appstore_json)
 - [CERTIFICATES\_DEV\_P12](#certificates_dev_p12)
 - [CERTIFICATES\_DISTR\_P12](#certificates_distr_p12)
 - [APPSTORE\_CERTIFICATE\_PASSWORD](#appstore_certificate_password)
 ## PRIVATE_H
 Shared compile-time secrets for all platforms.
 ```bash
 gh secret set PRIVATE_H --env beta --body "$(base64 < private.h)"
 gh secret set PRIVATE_H --env production --body "$(base64 < private.h)"
 ```
 ## RELEASE_KEYSTORE
 Android Java-compatible keystore with certificates used for signing APKs.
 ```bash
 gh secret set RELEASE_KEYSTORE --env beta --body "$(base64 < android/app/release.keystore)"
 gh secret set RELEASE_KEYSTORE --env production --body "$(base64 < android/app/release.keystore)"
 ```
 ## SECURE_PROPERTIES
 Android Gradle configuration file containing the passwords for the `release.keystore`.
 ```bash
 gh secret set SECURE_PROPERTIES --env beta --body "$(base64 < android/app/secure.properties)"
 gh secret set SECURE_PROPERTIES --env production --body "$(base64 < android/app/secure.properties)"
 ```
 ## FIREBASE_APP_DISTRIBUTION_JSON
 Credentials for uploading betas to Google Firebase App Distribution.
 ```bash
 gh secret set FIREBASE_APP_DISTRIBUTION_JSON --env beta --body "$(base64 < android/app/firebase-app-distribution.json)"
 ```
 ## FIREBASE_TEST_LAB_JSON
 Credentials for using Firebase Test Lab ("Monkey").
 ```bash
 gh secret set FIREBASE_TEST_LAB_JSON --env beta --body "$(base64 < android/app/firebase-test-lab.json)"
 ```
 ## GOOGLE_SERVICES_JSON
 Credentials for using Firebase Crashlytics.
 ```bash
 gh secret set GOOGLE_SERVICES_JSON --env beta --body "$(base64 < android/app/google-services.json)"
 ```
 ## GOOGLE_PLAY_JSON
 Credentials for uploading Android releases to Google Play.
 ```bash
 gh secret set GOOGLE_PLAY_JSON --env production --body "$(base64 < android/app/google-play.json)"
 ```
 ## HUAWEI_APPGALLERY_JSON
 Credentials for uploading Android releases to Huawei AppGallery.
 ```bash
 gh secret set HUAWEI_APPGALLERY_JSON --env production --body "$(base64 < android/app/huawei-appgallery.json)"
 ```
 ## AGCONNECT_SERVICES_JSON
 Credentials for Huawei Mobile Services (HMS) to use Location Kit (not yet finished).
 ```bash
 gh secret set AGCONNECT_SERVICES_JSON --env beta --body "$(base64 < android/app/agconnect-services.json)"
 gh secret set AGCONNECT_SERVICES_JSON --env production --body "$(base64 < android/app/agconnect-services.json)"
 ```
 ## APPSTORE_JSON
 Credentials for uploading iOS releases to Apple AppStore Connect.
 ```bash
 gh secret set APPSTORE_JSON --env beta --body "$(base64 < xcode/keys/appstore.json)"
 gh secret set APPSTORE_JSON --env production --body "$(base64 < xcode/keys/appstore.json)"
 ```
 ## CERTIFICATES_DEV_P12
 Credentials for signing iOS releases - dev keys.
 ```bash
 gh secret set CERTIFICATES_DEV_P12 --env beta --body "$(base64 < xcode/keys/CertificatesDev.p12)"
 gh secret set CERTIFICATES_DEV_P12 --env production --body "$(base64 < xcode/keys/CertificatesDev.p12)"
 ```
 ## CERTIFICATES_DISTR_P12
 Credentials for signing iOS releases - AppStore keys.
 ```bash
 gh secret set CERTIFICATES_DISTR_P12 --env beta --body "$(base64 < xcode/keys/CertificatesDistr.p12)"
 gh secret set CERTIFICATES_DISTR_P12 --env production --body "$(base64 < xcode/keys/CertificatesDistr.p12)"
 ```
 ## APPSTORE_CERTIFICATE_PASSWORD
 Password for `CertificatesDistr.p12`.
 ```bash
 gh secret set APPSTORE_CERTIFICATE_PASSWORD --env beta
 gh secret set APPSTORE_CERTIFICATE_PASSWORD --env production
 ```
--- a/private_default.h
+++ b/private_default.h
@ -9,8 +9,9 @@
 #define MWM_GEOLOCATION_SERVER ""
 #define METASERVER_URL "https://meta.omaps.app/maps"
 #define DIFF_LIST_URL ""
-#define DEFAULT_URLS_JSON "[ \"https://cdn.organicmaps.app/\" ]"
+#define DEFAULT_URLS_JSON "[ \"https://cdn-de1.organicmaps.app/\",\"https://cdn-us3.organicmaps.app/\",\"https://cdn-nl1.organicmaps.app/\",\"https://cdn-uk1.organicmaps.app/\",\"https://cdn-fi1.organicmaps.app/\",\"https://cdn.organicmaps.app/\" ]"
-#define DEFAULT_CONNECTION_CHECK_IP "140.82.121.4"  // For now the IP of cdn.organicmaps.app
+#define DEFAULT_CONNECTION_CHECK_IP "65.108.198.117"  // For now the IP of cdn.organicmaps.app
 #define TRAFFIC_DATA_BASE_URL ""
 #define USER_BINDING_PKCS12 ""
 #define USER_BINDING_PKCS12_PASSWORD ""
 #define KAYAK_AFFILIATE_ID "kan_267335"
--- a/xcode/fastlane/Fastfile
+++ b/xcode/fastlane/Fastfile
@ -35,6 +35,16 @@ platform :ios do
        keychain_name: ENV['MATCH_KEYCHAIN_NAME'],
        keychain_password: ENV['MATCH_KEYCHAIN_PASSWORD']
      )
      import_certificate(
        certificate_path: 'keys/Apple/AppleWWDRCAG7.cer',
        keychain_name: ENV['MATCH_KEYCHAIN_NAME'],
        keychain_password: ENV['MATCH_KEYCHAIN_PASSWORD']
      )
      import_certificate(
        certificate_path: 'keys/Apple/AppleWWDRCAG8.cer',
        keychain_name: ENV['MATCH_KEYCHAIN_NAME'],
        keychain_password: ENV['MATCH_KEYCHAIN_PASSWORD']
      )
      # Organic Maps certificates.
      import_certificate(
        certificate_path: 'keys/CertificatesDev.p12',
--- a/xcode/keys/Apple/AppleWWDRCAG2.cer
+++ b/xcode/keys/Apple/AppleWWDRCAG2.cer
--- a/xcode/keys/Apple/AppleWWDRCAG3.cer
+++ b/xcode/keys/Apple/AppleWWDRCAG3.cer
--- a/xcode/keys/Apple/AppleWWDRCAG4.cer
+++ b/xcode/keys/Apple/AppleWWDRCAG4.cer
--- a/xcode/keys/Apple/AppleWWDRCAG5.cer
+++ b/xcode/keys/Apple/AppleWWDRCAG5.cer
--- a/xcode/keys/Apple/AppleWWDRCAG6.cer
+++ b/xcode/keys/Apple/AppleWWDRCAG6.cer
--- a/xcode/keys/Apple/AppleWWDRCAG7.cer
+++ b/xcode/keys/Apple/AppleWWDRCAG7.cer
--- a/xcode/keys/Apple/AppleWWDRCAG8.cer
+++ b/xcode/keys/Apple/AppleWWDRCAG8.cer