| 25 Mar 2021 |
 _hc | the method? I think it, I think it was audited | 19:25:00 |
 mimi89999 | What if the upstream dev intentionally did not sign one of the files in the apk and included malicious content in it? | 19:25:11 |
| _hc | how would that be different than a malicious APK that gets signed? I don't see anything risky in the existing function or in apksigcopier | 19:27:05 |
|  dupondje left the room. | 19:29:08 |
| mimi89999 | When https://f-droid.org/en/docs/Build_Metadata_Reference/#Binaries is set, we are publishing upstream apk, right? | 19:29:10 |
| mimi89999 | How do we know that it does not contain files that are not covered by the signature and that we were not able to reproduce? | 19:32:32 |
| _hc | no, we don't publish the upstream APK | 19:32:49 |
|  Guest77992 joined the room. | 19:32:57 |
| mimi89999 | > F-Droid will use upstream binaries if the verification succeeded. | 19:33:59 |
| mimi89999 | That's what the doc says | 19:34:04 |
| _hc | oh, ha, ok | 19:35:20 |
| _hc | but verifcation first has to succeed in the throwaway VM | 19:35:44 |
| mimi89999 | How is verification done? | 19:38:04 |
| _hc | signature copy then apksigner | 19:38:19 |
| mimi89999 | https://gitlab.com/fdroid/fdroidserver/-/blob/master/fdroidserver/publish.py#L319 | 19:38:24 |
| mimi89999 | That's how publish works | 19:38:41 |
| mimi89999 | What if the upstream apk has files not covered by the signature? | 19:39:43 |
| _hc | there are some, but are not executable | 19:40:19 |
| mimi89999 | Do all executable files in an apk need to be signed for it to run? | 19:44:57 |
| _hc | yes | 19:45:08 |
| _hc | only files in META-INF are unsigned | 19:45:36 |
| _hc | adding v2/v3 signatures to this process will protect it more even | 19:49:43 |
|  wb9688_ joined the room. | 19:57:57 |
| mimi89999 | > adb: failed to install test-signed.apk: Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES: Package /data/app/vmdl1067901348.tmp/base.apk has no certificates at entry classes.dex] | 19:58:21 |
| mimi89999 | OK | 19:58:21 |
 cdesai | mimi89999: this is the whole point of v2 signature. this vulnerability (adding other files to a signed apk) was being exploited which is why they did this | 20:00:15 |
| _hc | JAR Signatures work when properly implemented, they had implementation problems... the approach more sensitive | 20:01:06 |
| mimi89999 | Yes, I can only add files in meta inf and outside the directory | 20:10:01 |
| mimi89999 | So that seems OK | 20:10:54 |
| dupondje joined the room. | 20:11:20 |
