Dear #Android #App #Developers, as it still happens far too often (no naming, no shaming! 💩 happens to every one of us) a reminder to take good care of your #signing keys – and also take precautions for the case that your keystore might get lost. Please take a look at: https://f-droid.org/2023/09/03/reproducible-builds-signing-keys-and-binary-repos.html#lessons-learned-2-how-to-keep-your-key-safe-and-what-measures-to-take-for-the-event-of-loss where I outline this topic.
Thanks!
#security
Posted by: IzzyOnDroid@floss.social
@IzzyOnDroid How do you deal with key rotation? And is it planned for the client to inform about an application they have to reinstall (because of that)?
Posted by: S1m@infosec.exchange
@S1m Key rotation no longer works at F-Droid.org, but it does at IzzyOnDroid (as we implemented the suggested patches instead of accepting their implementation of the "POC fix" back then). If key rotation is used, no notifications are needed; IIRC, Android handles that (we have only 1 such app yet). And establishing RB here does not require it either, as we only ship the APKs signed by their resp. devs to begin with (RB runs on a "parallel track" here).
Posted by: IzzyOnDroid@floss.social
@IzzyOnDroid Ok, great! Hope they fix it too.
The notification is still required for developers that lose their keys 😬
Posted by: S1m@infosec.exchange
@S1m I have my doubts towards the former (that would mean rolling back their implementation, at least in parts, and using the suggested patches instead, which they rejected. The argument was that f-droid.org itself does not need key rotation, IIRC). And as long as we still use fdroidserver, the only way we can notify is via the inlined per-release changelogs (aka "Fastlane changelogs"), which is what we do.
Posted by: IzzyOnDroid@floss.social
@IzzyOnDroid Hm, there should be a way to set a warning for a version in the index that the client can use to inform users.
Posted by: S1m@infosec.exchange
@S1m Which needs to be implemented server-side (fdroidserver writing the index) AND client-side (to show it). Without the index itself supporting it, there's nothing the clients can do. So: https://gitlab.com/fdroid/fdroidserver/-/issues/301 ? https://gitlab.com/fdroid/fdroidclient/-/issues/195 ? Does not look like this will happen.
Posted by: IzzyOnDroid@floss.social
@IzzyOnDroid I'll try to open issues for more specific messages then: metadata to warn about a removed application, and metadata to warn about applications that need to be reinstalled.
Posted by: S1m@infosec.exchange
@S1m Remember that WE cannot implement those. Everything that needs changes to the index is out of our hands – at least as long as we're still bound to fdroidserver. So such issues would need to be filed there – with the tools that generate the indexes. Our client devs would surely pick up those data once available.
Posted by: IzzyOnDroid@floss.social
@IzzyOnDroid Yep, I know! Will share once done.
Posted by: S1m@infosec.exchange
@IzzyOnDroid @S1m The f-droid client doesn't handle key rotation. I think Neo Store and Droid-ify allow disabling the key fingerprint check, allowing Android to handle the rotation, but all clients will by default consider the key incompatible and not offer an update, as the index format itself does not support key rotation, even when generated using an implementation that doesn't flat out reject all APKs with rotated keys like fdroidserver does.
Posted by: obfusk@tech.lgbt
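To make the compatibility check described in the post above concrete, here is an added example (not code from any F-Droid client or from the posters) that models a client's update decision: the index records one signer fingerprint per release, the client compares it with the installed app's signer, and a rotated key only passes if the client either knows the v3 signing lineage (which the current index format cannot carry) or skips the fingerprint check and leaves verification to Android. The certificate bytes are constructed stand-ins, and the function names are this example's own.

```python
import hashlib

# Constructed stand-ins for DER-encoded signing certificates. A real client hashes
# the certificate bytes taken from the APK's signature block.
OLD_CERT = b"constructed-der-bytes-old-signer"
NEW_CERT = b"constructed-der-bytes-new-signer"


def fingerprint(cert_der: bytes) -> str:
    """Lower-case hex SHA-256 of the certificate, the form the repo index stores."""
    return hashlib.sha256(cert_der).hexdigest()


def update_offered(installed_signer: str, index_signer: str,
                   lineage: tuple = (), fingerprint_check: bool = True) -> bool:
    """Model of a client's decision whether to offer a release as an update.

    installed_signer:  fingerprint of the cert that signed the installed APK.
    index_signer:      fingerprint the index records for the candidate release.
    lineage:           fingerprints of the APK's v3 signing lineage, oldest first;
                       an empty tuple models today's index, which carries none.
    fingerprint_check: False models the Neo Store / Droid-ify option that leaves
                       signer validation to the Android package manager.
    """
    if not fingerprint_check:
        return True  # Android verifies the lineage at install time instead
    if installed_signer == index_signer:
        return True  # same key, the ordinary case
    # Rotation is only recognisable if the lineage proves the installed signer
    # is an ancestor of the release's current signer.
    return installed_signer in lineage and lineage[-1] == index_signer


def rotation_scenarios() -> dict:
    """Outcomes for an app installed with OLD_CERT when the release is signed by NEW_CERT."""
    old, new = fingerprint(OLD_CERT), fingerprint(NEW_CERT)
    return {
        "same key": update_offered(old, old),
        "rotated, index without lineage": update_offered(old, new),
        "rotated, index with lineage": update_offered(old, new, lineage=(old, new)),
        "rotated, fingerprint check disabled": update_offered(old, new, fingerprint_check=False),
    }


if __name__ == "__main__":
    for case, offered in rotation_scenarios().items():
        print(f"{case}: {'update offered' if offered else 'treated as incompatible'}")
```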
@obfusk @IzzyOnDroid So the index needs to be patched too.
Posted by: S1m@infosec.exchange
@obfusk @S1m Confirmed that NeoStore can handle that. Just checked: Droid-ify had a new release this year already, so it should handle that as well by now (last time I checked it was implemented but not yet published, now it should be both). I cannot tell about other clients or how they might handle it.
Posted by: IzzyOnDroid@floss.social