F-Droid signs all app releases using an air-gapped machine, but it is still a single point of failure.

    AtriumCompound It is Google that signs the APK.
    From Google:

    • "For apps created before August 2021, you can still upload an APK file and manage your own keys instead of using app signing through Play and publishing through an Android App Bundle file. However, if you lose your key store or it is compromised, you will not be able to update your app without publishing a new app with a new bundle name. For these apps, Play recommends using app signing by Play and switching to app collections."

    AtriumCompound F-Droid does not give information about users to the government.

    Hi,

    thank you very much for the informative and controversial answers!

    I would like to continue with another question.
    I do not really understand why it is such a problem that the F-Droid team signs all apps in the F-Droid repo themselves. Is it better to trust every single developer of all installed apps (to not "lose" their keys) instead of only one source?
    Or is it more a "community problem", because many users would be affected if there were a problem with the F-Droid repo?

    Thank you!

      GraphyGraphy The main issue is that if F-Droid's signing keys are compromised, then every single app installed through the store can be compromised, since any update would appear to come from the original legitimate source. [deleted] pointed out that since August 2021 Google now stores developer keys in their own cloud. So, theoretically, a flaw in Google's security could lead to those developer keys being compromised too. IMO, this seems far less likely.
      Standardwaste Links to a post that does a good job explaining these issues and more, definitely worth a read if you're curious to know more.
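As an added illustration of the blast-radius point made above (example code written for this page, not from the thread, F-Droid or Google): a toy model of Android's rule that an update is only accepted when it is signed by the same key as the installed version. Ed25519 keys stand in for signing certificates and short constructed byte strings stand in for APKs; the store/developer names and the `Device` type are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device pins each package's signing key on first install and accepts later
// versions only from that same key, as Android does (key rotation aside).
type Device map[string]ed25519.PublicKey

// Install verifies the signature over the APK bytes and applies the pin rule.
func (d Device) Install(pkg string, signer ed25519.PublicKey, apk, sig []byte) bool {
	if prev, ok := d[pkg]; !ed25519.Verify(signer, apk, sig) || (ok && !prev.Equal(signer)) {
		return false // bad signature, or a different key than the installed version
	}
	d[pkg] = signer
	return true
}

// BlastRadius counts installed packages that whoever holds key k could replace.
func (d Device) BlastRadius(k ed25519.PublicKey) (n int) {
	for _, p := range d {
		if p.Equal(k) {
			n++
		}
	}
	return n
}

// release signs constructed stand-in APK bytes for pkg with key and installs them on d.
func release(d Device, key ed25519.PrivateKey, pkg, version string) bool {
	apk := []byte(pkg + " " + version)
	return d.Install(pkg, key.Public().(ed25519.PublicKey), apk, ed25519.Sign(key, apk))
}

// CompareModels installs the same two apps on two devices (one store key signing both
// vs. each developer signing their own) and returns how many apps one leaked key exposes.
func CompareModels() (storeSigned, developerSigned int) {
	_, store, _ := ed25519.GenerateKey(rand.Reader)
	_, devA, _ := ed25519.GenerateKey(rand.Reader)
	_, devB, _ := ed25519.GenerateKey(rand.Reader)
	viaStore, direct := Device{}, Device{}
	release(viaStore, store, "app.a", "v1")
	release(viaStore, store, "app.b", "v1")
	release(direct, devA, "app.a", "v1")
	release(direct, devB, "app.b", "v1")
	return viaStore.BlastRadius(store.Public().(ed25519.PublicKey)), direct.BlastRadius(devA.Public().(ed25519.PublicKey))
}

func main() { fmt.Println(CompareModels()) } // prints 2 1
```

With the single store key, one compromised key can push accepted updates to every app installed from it; with per-developer keys, the same compromise reaches only that developer's apps.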

        I have moved away from F-Droid and actually use a little-known app called 'Obtainium'. It is basically a front end where you can add direct links for apps, be it from F-Droid, GitHub, Mullvad or GitLab. It will track them as they update via those links and advise when there are updates, taking out F-Droid as the middleman and running directly from GitHub for those apps that work through releases (or similarly with GitLab).

        Check it out here - https://github.com/ImranR98/Obtainium

        I was using Aurora Store on my LOS device; however, now that it is sandboxed (and quite cool, I might add, on GrapheneOS on my P7Pro) I still use Google Play, as I have a few crucial apps that I paid for long ago that I can't give up... Maybe when my PinePhone Pro is fully up to speed I could, but for now it is what it is.

        I also use Obtainium. Seems to be doing the job fine. Strange thing is all my stores seem to "think" that they have installed all my apps.

          Thank you all! Obtainium also sounds very interesting! And for sure, Droid-ify or Neo-Store, too.

          AtriumCompound Thank you very much, so the problem would be that many of the installed apps could become problematic at the same time. And as I understand it, from case to case, this could be more problematic with one app than another. Apps without network permission are less problematic, I think?
          Could that lead to a workaround in which one uses F-Droid only for apps without network permission, for example?

          Another thing: F-Droid is criticized because updates do not always come in time. But my experience is that this is also true for Aurora Store, at least with anonymous login. While on one phone the Play Store updates an app, sometimes the update is shown on another phone in the Aurora Store several days later. Then sometimes it helps to restart Aurora a few times, which also means logging in with different anonymous accounts until there is one that already gets the update.
          Because of that, I assume updates via Play Store are not rolled out to all users at the same time. Is this right? If so, Play Store would not really be better in this aspect!?

          Thank you all very much!

          If you go into Aurora Store, into the updates section, and click and hold the particular app, you should be able to add that app to the 'blacklist'. This will stop it telling you that it has installed the app and that it needs to update. You can do the same in F-Droid, I believe it's a little checkbox, and I imagine it's similar in other F-Droid apps. I did this and left Obtainium as the only updater for those particular apps managed through Obtainium; it saves getting the notifications multiple times from all the other apps.

          Ah, ok, but I don't have Aurora Store...
          In Droid-ify you can add "ignore" to a new version of an app, but the few I can't add to Obtainium is because on GitHub there is only source code; the others have their original repos on Droid-ify.
          Notifications are not a problem since I check updates manually.
          Thanks for mentioning Obtainium, I did not know it, interesting app 😀

          abcZ "With app signing by Play, Google manages and protects your app's signing key for you, and uses it to sign the optimized distribution APK files that are generated from your app collections."

            abcZ The way that reads, they are signed by Google on behalf of the developer using the developer's key.