Android's package manager verifies app signatures and uses versionCode to provide downgrade protection. The signing key for each installed app is pinned and can only be changed via an authorized rotation.
source.android.com/security/apksi
This enables having a decentralized trust model.
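As an added illustration (not code from this thread, from Android, or from GrapheneOS), here is a small Python model of the three package-manager rules the first post describes: the signature must verify, the versionCode may not go backwards, and the signing key pinned at first install can only change through a rotation proof signed by the previous key. HMAC-SHA256 stands in for a real APK signature so it runs with the standard library only, and the package name, keys and payloads are made-up values.

```python
"""Toy model of per-package signing-key pinning, versionCode downgrade
protection and authorized key rotation. This is an added example, not
Android's package manager; HMAC-SHA256 is a stand-in for real signatures
(with HMAC, anyone who can verify can also sign, which a real scheme avoids)."""
import hashlib
import hmac
from dataclasses import dataclass, field


def sign(key: bytes, payload: bytes) -> bytes:
    # Stand-in for a signature produced by the holder of `key`.
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, payload: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


@dataclass
class Apk:
    package: str
    version_code: int
    payload: bytes           # stands in for the APK contents
    signer: bytes            # key the APK claims to be signed with
    signature: bytes
    # Rotation proof chain: (old_key, new_key, signature by old_key over new_key)
    lineage: list = field(default_factory=list)


def _message(package: str, version_code: int, payload: bytes) -> bytes:
    # Everything the signature covers: identity, version and contents.
    return package.encode() + version_code.to_bytes(4, "big") + payload


def build_apk(package, version_code, payload, key, lineage=None) -> Apk:
    sig = sign(key, _message(package, version_code, payload))
    return Apk(package, version_code, payload, key, sig, lineage or [])


def rotation_proof(old_key: bytes, new_key: bytes) -> bytes:
    # The old key authorizes the new one; this is what makes a rotation "authorized".
    return sign(old_key, b"rotate-to:" + new_key)


class PackageManager:
    def __init__(self):
        self.installed = {}  # package -> (pinned_key, installed_version_code)

    def install(self, apk: Apk) -> str:
        if not verify(apk.signer, _message(apk.package, apk.version_code, apk.payload), apk.signature):
            return "REJECT: bad signature"
        if apk.package not in self.installed:
            # First install pins the signing key for the package.
            self.installed[apk.package] = (apk.signer, apk.version_code)
            return "OK: installed"
        pinned_key, current_version = self.installed[apk.package]
        if apk.version_code < current_version:
            return "REJECT: downgrade"
        if apk.signer != pinned_key and not self._rotation_ok(pinned_key, apk):
            return "REJECT: signer mismatch"
        self.installed[apk.package] = (apk.signer, apk.version_code)
        return "OK: updated"

    def _rotation_ok(self, pinned_key: bytes, apk: Apk) -> bool:
        # Walk the lineage from the pinned key; every link must be signed by its predecessor.
        key = pinned_key
        for old_key, new_key, proof in apk.lineage:
            if old_key != key or not verify(old_key, b"rotate-to:" + new_key, proof):
                return False
            key = new_key
        return key == apk.signer


def demo() -> list:
    """Runs the scenarios from the post and returns each outcome (constructed values)."""
    pm = PackageManager()
    k1, k2 = b"dev-key-1", b"dev-key-2"
    results = []
    results.append(pm.install(build_apk("app.example", 1, b"v1", k1)))   # first install pins k1
    results.append(pm.install(build_apk("app.example", 2, b"v2", k1)))   # normal update
    results.append(pm.install(build_apk("app.example", 1, b"v1", k1)))   # downgrade blocked
    results.append(pm.install(build_apk("app.example", 3, b"v3", k2)))   # new key, no rotation
    chain = [(k1, k2, rotation_proof(k1, k2))]
    results.append(pm.install(build_apk("app.example", 3, b"v3", k2, chain)))  # authorized rotation
    results.append(pm.install(build_apk("app.example", 4, b"v4", k1)))   # old key no longer trusted
    tampered = build_apk("app.example", 4, b"v4", k2)
    tampered.payload = b"modified"                                      # contents changed after signing
    results.append(pm.install(tampered))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of checks matters: the signature is checked before anything else, so an unsigned or tampered package never gets to influence the version or key state, and a downgrade is refused even when the signer is correct.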
Historically, Google's Play Store used a decentralized trust model of shipping apps signed by the developers.
In an OS with Google apps and services integrated, the Play Store is granted the ability to do background app installs / uninstalls but cannot bypass the signing checks.
Google has been moving away from this to an approach matching Apple. Developer keys will only be used to verify uploads of bundles used to generate packages signed by the app store.
Amazon and the official F-Droid repository also centralize trust, just without the optimizations.
Due to the package manager pinning keys, developers of existing apps need to upload their keys to transfer trust to the Play Store.
These keys are usually the same ones used to sign releases outside the Play Store too. For a new app, this particular issue doesn't exist though.
After August 2021, app bundles will be enforced for new apps. GrapheneOS won't be releasing standalone apps via the Play Store anymore.
It would be possible to keep updating apps we already published through it until it becomes mandatory for those but we'll likely stop earlier.
It's likely that we'll stop bothering with supporting more than GrapheneOS in our standalone apps going forward. There's not much appeal in doing it if we can't distribute them through the main distribution mechanism used elsewhere. They might as well just be part of GrapheneOS.
Not knowing much about the topic, but it sounds like the only reason for this concept is to not have a big keychain/signing key infra?
F-Droid only does this when the app is not reproducible. They don't want to ship unverified binaries to users, so they build apps themselves. If the build matches the submitted binary, the developer's original binary and signature are shipped.
Otherwise they don't know what's in the binary, so they ship their own build, which is then obviously signed by F-Droid themselves.
This trust model was one of the best decisions they made, but after chatting with Android devs, they welcome the new, simpler model :-(
In theory, but that's not what they do for most of the apps where reproducible builds are possible. It also depends on F-Droid keeping up with the development and signing tools used by real world apps. Since it took 5 years to support v2+ signatures, that clearly isn't viable.
Are there any plans for GrapheneOS to provide its own F-Droid-like app store with improved security & decentralization?
There are plans to provide a modern app install/update system for first party apps / components. It would be for our own projects including forks of existing apps. It wouldn't support arbitrary repositories and we won't be shipping third party apps through it.