IzzyOnDroid points out below a potentially #critical #issue (for fdroid users) with apps on Fdroid having their #signing #keys changed. If you develop for #Android, read all his 4 posts. #infosec

I suppose Fdroid should mark those apps, so that users can make their own conscious decisions.
@IzzyOnDroid ✅
You've read about F-Droid's #reproducibleBuilds recently? Now, the #IzzySoftRepo repo makes use of that implementation. How, you ask?
Well: part of the process is to compare APKs and make sure they carry the signature of their authors. That's done by fdroidserver whenever the YAML file of an app has "AllowedAPKSigningKeys:" defined. APKs with non-matching signatures are rejected. That's used by my repo now to make sure updates are "legit" (and not placed in the repo by a malicious actor). (1/4)
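An added illustration of the gate this post describes (example code, not fdroidserver's own): the fingerprint compared is the SHA-256 of the signer certificate as apksigner prints it, and the YAML field may hold a single string or a list. The certificate bytes and the metadata entry are constructed, and the rule that every signer of an APK must be on the list is this example's assumption.

```python
import hashlib

# Constructed stand-ins for DER-encoded signing certificates. A real check
# would take the signer certificate(s) out of the APK signature block, i.e.
# what `apksigner verify --print-certs` reports as the certificate SHA-256.
FAKE_DEV_CERT = b"constructed: the app author's signing certificate"
FAKE_OTHER_CERT = b"constructed: a certificate belonging to someone else"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, lowercase hex without separators."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_allowed_keys(value) -> set:
    """AllowedAPKSigningKeys may be a single string or a list in the YAML.
    Colons and upper case, as printed by apksigner/keytool, are normalized;
    anything that is not a SHA-256 hex digest is a metadata error."""
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]
    keys = set()
    for raw in value:
        key = raw.replace(":", "").strip().lower()
        if len(key) != 64 or any(c not in "0123456789abcdef" for c in key):
            raise ValueError(f"not a SHA-256 fingerprint: {raw!r}")
        keys.add(key)
    return keys


def check_apk_signers(signer_certs, app_metadata: dict) -> str:
    """Returns "unchecked" when the app's metadata defines no
    AllowedAPKSigningKeys (the gate then never runs, so nothing is
    enforced), "accepted" when every signer certificate of the APK is on
    the list, "rejected" otherwise. Requiring *all* signers to match is an
    assumption of this example: an APK carrying an extra unknown signer is
    treated as not legitimately published by the author."""
    allowed = normalize_allowed_keys(app_metadata.get("AllowedAPKSigningKeys"))
    if not allowed:
        return "unchecked"
    if not signer_certs:
        return "rejected"
    if all(cert_fingerprint(c) in allowed for c in signer_certs):
        return "accepted"
    return "rejected"


# Constructed metadata/<appid>.yml entry, with the fingerprint pasted the
# way apksigner prints it (upper-case hex).
APP_METADATA = {"AllowedAPKSigningKeys": [cert_fingerprint(FAKE_DEV_CERT).upper()]}
```

Note that an app whose metadata lacks the field gets no protection from this mechanism at all, which is why the "unchecked" result is reported separately from "accepted".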