F-Droid client blocks updating apps if signature does not match

Sometimes I encounter a critical bug with some app and need to switch to the very latest version with a fix built by its developer – no problem, I just download the apk file from GitHub, and because I have disabled signature verification, I am not forced to uninstall the app beforehand and lose all of my app data. However, when that fixed version appears on F-Droid later, I want to switch back to get automatic updates. And the F-Droid client says I can’t install that version because the apk signature does not match.

Muntashirakon’s App Manager apk installer does warn about a mismatching signature, but there’s an option “install only” in the case of disabled signature verification. F-Droid does not have such a feature. I can either download the apk from the f-droid.org website and install it with App Manager, or back up the app data, uninstall, install via the F-Droid client and restore the data. It’s very inconvenient and makes no sense at all. I tried enabling “incompatible versions” in settings, but it’s probably for something else.

The solution I suggest is to either add a new option to skip checking signatures in settings, or add a button “proceed with installation” to that dialog box saying it cannot install. If the first, make sure not to do automatic upgrades on mismatching signatures, to avoid accidentally overriding some system apps with the same package name, e.g. Launcher3. If the installation eventually fails, display another error message in a toast.

That’s a very peculiar use case that violates the security model of Android.

I’d vote -1

7 Likes

That defies one of the reasons why security is in place for signature mismatches. Anyone can sign an apk file and have code injected to run malicious intents.
I too vote it down.

1 Like

I think the app developers should use distinct names for beta testing packages:

3 Likes

To be clear, the Android package manager itself prohibits signature changes unless properly handled, such as in the case of valid key rotation.

2 Likes

Yes. But there is a serious gotcha. With the Android signature and storage model, the idea of F-Droid working as a FOSS distribution does not work:

I can recompile any package myself, but I can’t install and use it without losing my data (not considering the rare cases where completely lossless backup and restore is possible).

So how about the F-Droid server doing only PGP signatures to ensure package integrity for download, and the F-Droid client doing APK signatures with a user-generated key, so that the user would have at least the theoretical possibility to rebuild and use packages on his own?

This would enable advanced users to do all kinds of things that are otherwise impossible in the Android ecosystem, like downgrading, getting all the data of an app, and many more.

Btw, I believe that F-Droid package integrity is guaranteed much better by the PGP signatures; APK signing had serious security flaws in the past, so there would be very little or no security lost.

1 Like
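The rule the two posts above refer to (the package manager only accepts an update whose signer matches the installed one, or whose v3 proof-of-rotation lineage descends from it) can be modelled in a few lines. This is an added example, not F-Droid client or Android code; the certificates are constructed byte strings and the lineage model is simplified (no per-signer capabilities):

```python
import hashlib

# Constructed stand-ins for DER-encoded signing certificates (not real certs).
DEV_CERT = b"constructed-der:developer-github-release-key"
DEV_CERT_ROTATED = b"constructed-der:developer-key-after-rotation"
FDROID_CERT = b"constructed-der:f-droid-build-server-key"
USER_REBUILD_CERT = b"constructed-der:users-own-rebuild-key"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the form apksigner and the F-Droid index report."""
    return hashlib.sha256(cert_der).hexdigest()


def update_allowed(installed_signer, candidate_signer, candidate_lineage=()):
    """Decide whether a candidate APK may replace the installed app without an uninstall.

    installed_signer:  fingerprint recorded when the app was first installed.
    candidate_signer:  fingerprint of the certificate that signed the candidate APK.
    candidate_lineage: the candidate's declared rotation chain, oldest signer first
                       (simplified: assumed already verified, capabilities ignored).
    Returns (allowed, reason).
    """
    if candidate_signer == installed_signer:
        return True, "same signer"
    lineage = list(candidate_lineage)
    # Valid rotation: candidate is the newest link and the installed signer is an older link.
    if lineage and lineage[-1] == candidate_signer and installed_signer in lineage[:-1]:
        return True, "signer rotated from the installed signer"
    return False, "signer mismatch: uninstall required, app data would be lost"


def thread_scenarios():
    """The situations discussed in the thread, as (scenario -> allowed) results."""
    dev, fdroid = fingerprint(DEV_CERT), fingerprint(FDROID_CERT)
    rotated, user = fingerprint(DEV_CERT_ROTATED), fingerprint(USER_REBUILD_CERT)
    return {
        "github build updated by next github build": update_allowed(dev, dev)[0],
        "github build replaced by F-Droid build": update_allowed(dev, fdroid)[0],
        "F-Droid build replaced by own rebuild": update_allowed(fdroid, user)[0],
        "developer key rotation": update_allowed(dev, rotated, [dev, rotated])[0],
        "lineage that does not contain installed signer": update_allowed(fdroid, rotated, [dev, rotated])[0],
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {name}")
```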

Choose apps that have backup/restore, I guess.

Or you can use some 3rd party app to backup and restore data.

Only if you have rooted your phone.

1 Like