
Historically, Google's Play Store used a decentralized trust model of shipping apps signed by the developers. In an OS with Google apps and services integrated, the Play Store is granted the ability to do background app installs / uninstalls but cannot bypass the signing checks.
Google has been moving away from this to an approach matching Apple. Developer keys will only be used to verify uploads of bundles used to generate packages signed by the app store. Amazon and the official F-Droid repository also centralize trust, just without the optimizations.
Replying to
F-Droid only does this when the app is not reproducible. They don't want to ship unverified binaries to users, so they build apps themselves. If the build matches the submitted binary, the developer's original binary and signature are shipped.
Replying to
In theory, they could do that, but it isn't how they actually do things for their official repository. Since they lag so far behind in adopting the current tooling, it wouldn't work in practice anyway. They'd be unable to ship app updates for years...
Quote Tweet
Replying to @0xjomo
F-Droid ships releases signed with their own keys even for apps with reproducible builds. That's the excuse that's given but it's not what they actually do in practice. Their builds of apps have also had serious issues not present in developer builds such as using legacy tools.
Replying to
This is what you claim above:

> F-Droid only does this when the app is not reproducible.

This screenshot does nothing to provide evidence for your completely untrue claim above. F-Droid shipping apps signed by the developers is a rare exception, not the common case for them.
Replying to and
It took F-Droid 5 years to adopt v2 signatures, which was an important security fix for the signing system. F-Droid lags years behind in using the current tooling and technologies. It's unreasonable to expect app developers to stick to legacy tooling so that this can work.