110
you are viewing a single comment's thread
view the rest of the comments
[-] incogtino@lemmy.zip 28 points 1 year ago

F-Droid used to build and sign the APK for each app they distribute using keys owned by F-Droid

That meant you had to trust F-Droid to distribute the app as per the source, and hope that the source hadn't been compromised (as the developer wasn't signing anything)

Now when a new app is added to the repo, they build an APK from source and compare it with an APK distributed by the developer

If they match exactly (and if there is no reason to think the developer key has been compromised) then F-Droid will instead distribute APKs signed with the developer key, and verify that the same key was used for each update

If the same key was used, F-Droid doesn't need to build the APK themselves but can distribute the update as-is

The advantages then are that F-Droid is acting as an additional layer of security and assurance to the developer signing the APK, and updates can be distributed faster as F-Droid doesn't have to build them

load more comments (1 replies)
this post was submitted on 20 Sep 2023
110 points (98.2% liked)

F-Droid

8080 readers
44 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 3 years ago
MODERATORS