zlacker

[return to "F-Droid Fake Signer PoC"]
1. kuschk+X8 2025-01-04 00:07:27
>>pabs3+(OP)
While none of that applies to F-Droid's primary use case (the primary F-Droid repo builds all apps from source itself), it nonetheless looks like they failed to correctly handle the issue.

The only reason this didn't turn into a disaster was pure luck.

2. gruez+mb 2025-01-04 00:31:28
>>kuschk+X8
>The only reason this didn't turn into a disaster was pure luck.

Is it? Or is it a case of "It rather involved being on the other side of this airtight hatchway"[1]? The apk signature check done by fdroidserver seems totally superfluous. Android is already going to verify the certificate if you try to update an app, and presumably whatever upload mechanism is used is already authenticated some other way (e.g. API token or username/password), so it's unclear what the signature validation adds, aside from maybe preventing installation failures.

[1] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
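The "Android is already going to verify the certificate" point above is the platform's same-signer rule: an update is accepted only if the certificates it is signed with match those of the installed app. The following is an added example (not code from the thread, from fdroidserver or from Android) that models that rule over the v1 signature container, the PKCS#7 SignedData blob found in META-INF/*.RSA: it walks the DER structure, pulls out the embedded certificates, and compares their SHA-256 fingerprints as a set. The sample blobs are constructed with a tiny DER encoder and the "certificates" inside are placeholder byte strings, not real X.509 certificates; `make_pkcs7`, `certs_from_pkcs7` and `update_allowed` are names chosen for this example. It assumes the JAR signature itself has already been cryptographically verified, since a certificate fingerprint from an unverified signature block proves nothing.

```python
"""Same-signer update check modelled on Android's rule that an update must be
signed by exactly the same certificate set as the installed app.

Added example; not the thread's, fdroidserver's or Android's own code.
Certificates below are placeholder bytes, not real X.509 (constructed sample).
"""
import hashlib

# ---- minimal DER encode/decode helpers (enough for this structure) ----------
def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def certs_from_pkcs7(blob):
    """Return the DER certificates carried in a PKCS#7 SignedData ContentInfo,
    the layout used by META-INF/*.RSA in a v1-signed APK."""
    tag, content_info, _ = read_tlv(blob, 0)
    assert tag == 0x30, "ContentInfo must be a SEQUENCE"
    tag, oid, pos = read_tlv(content_info, 0)
    assert tag == 0x06 and oid == OID_SIGNED_DATA, "not a SignedData blob"
    tag, explicit0, _ = read_tlv(content_info, pos)      # content [0] EXPLICIT
    assert tag == 0xA0
    tag, signed_data, _ = read_tlv(explicit0, 0)
    assert tag == 0x30
    # SignedData ::= version, digestAlgorithms, encapContentInfo,
    #                certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos
    pos = 0
    for _ in range(3):                                   # skip the first three fields
        _, _, pos = read_tlv(signed_data, pos)
    tag, cert_set, _ = read_tlv(signed_data, pos)
    if tag != 0xA0:                                      # no certificates present
        return []
    certs, pos = [], 0
    while pos < len(cert_set):
        start = pos
        _, _, pos = read_tlv(cert_set, pos)
        certs.append(cert_set[start:pos])                # whole DER cert incl. header
    return certs

def fingerprints(blob):
    """SHA-256 over each certificate's full DER, as Android's cert identity."""
    return {hashlib.sha256(c).hexdigest() for c in certs_from_pkcs7(blob)}

def update_allowed(installed_blob, update_blob):
    """True only if the update's certificate set equals the installed one and
    is non-empty. A superset or subset of signers is rejected too."""
    installed, update = fingerprints(installed_blob), fingerprints(update_blob)
    return bool(installed) and installed == update

def make_pkcs7(certs):
    """Constructed sample: a SignedData carrying the given placeholder certs.
    digestAlgorithms and signerInfos are left empty; this is only the container."""
    signed = (tlv(0x02, b"\x01")                                  # version
              + tlv(0x31, b"")                                    # digestAlgorithms
              + tlv(0x30, tlv(0x06, OID_DATA))                    # encapContentInfo
              + tlv(0xA0, b"".join(tlv(0x30, c) for c in certs))  # certificates
              + tlv(0x31, b""))                                   # signerInfos
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, signed)))

if __name__ == "__main__":
    installed = make_pkcs7([b"placeholder-cert-A"])
    print(update_allowed(installed, make_pkcs7([b"placeholder-cert-A"])))  # True
    print(update_allowed(installed, make_pkcs7([b"placeholder-cert-B"])))  # False
```

The set comparison is the part worth copying: identity comes from the fingerprint of the full certificate DER, and any difference in the signer set, including an extra signer, fails the check. A repository-side check that does less than this, or that derives the certificate from a different part of the APK than the one the platform verifies, adds nothing over what Android already enforces at install time.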

3. ncr100+ue 2025-01-04 00:59:53
>>gruez+mb
> Android is already going to verify the certificate..

Will it if it's a non-Google distro of Android?

4. gruez+Yl 2025-01-04 02:11:46
>>ncr100+ue
The behavior is in AOSP, so it should be in "non Google distro of Android" as well, unless the manufacturer decided to specifically remove this feature.