![]() ![]() ![]() WARNING: META-INF/androidx.appcompat_appcompat-resources.version not protected by signature. Delete or move the entry outside of META-INF/. Unauthorized modifications to this JAR entry will not be detected. WARNING: META-INF/androidx.annotation_annotation-experimental.version not protected by signature. ![]() WARNING: META-INF/androidx.activity_activity.version not protected by signature. Verified using v3 scheme (APK Signature Scheme v3): true Verified using v2 scheme (APK Signature Scheme v2): true Verified using v1 scheme (JAR signing): true OTOH, $ apksigner verify -verbose _1013050.apk Seems OK, but would seem better if “trusted” after confirming ownership and trusts over beers in a pub… Gpg: There is no indication that the signature belongs to the owner. Gpg: WARNING: This key is not certified with a trusted signature! This is simple and straightforward stuff using principles that were established decades ago so why do the f-droid devs ignore that? That would be well enough for most people to establish that root of trust. Anyone could therefore compare what the f-droid app is telling them with the results from their own checksum calculators to ensure they can trust the app thereafter.Īnyone can easily checksum the f-droid apk for an md5 and a sha256 using that tool it took just a few seconds to calculate the ones below for the f-droid apk. I would then include in the f-droid app a dialogue that informs the user of the results of similar checks on each file downloaded by the f-droid app. Off the top of my head, at the very least I would provide checksums of each app so the user can use online tools like this one Checksum Calculator Online - AppDevTools to check the integrity of apps especially the f-droid.apk file before they install it. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |