I don’t trust F-Droid (which is good, sorry).
The apk file that the F-Droid repository has may differ from the original upstream version.
Someone may hack the repository and upload their own apk.
So I wish to have the upstream signature for the apk.
But the upstream may be compromised too. So I wish to have two signatures and the client should compare that the digest is the same.
With reproducible builds this should be possible.
I know that PKCS7/CMS detached signature files allow multiple signers. PGP should allow this too.
It looks like the Android apksigner “APK signature scheme v4” (Android 11+) has support for detached signatures:
https://source.android.com/docs/security/features/apksigning/v4
The F-Droid client itself may be compromised too and ignore a signature or just upload an apk file from somewhere. So the signature check ideally should be made by Android itself. When I manually install an apk file on my old Galaxy, it just shows the app name but nothing about signatures. Maybe in newer Android versions this is improved somehow.
Compromising a client is less likely to happen without access to the phone.
But if the repo was hacked, then F-Droid may upgrade itself to the compromised version.
A hacked version probably won’t have a signature if one of the F-Droid devs signs new versions manually.
But is this the case, or does the CI sign automatically?
Is the F-Droid app release performed manually, or is it triggered automatically from git on a new tag?
What about other apps? Does anyone review a new version? What if it was compromised?
Git allows signing commits, so at least we may know that the commits came from the same author.
Does the F-Droid CI require a git commit signature?
Some critical apps (wallets, keychains, password managers, browsers) must have a review.
The reviewer may be a third party who can also approve the apk release with their own signature.
It would be problematic to find such reviewers who aren’t affiliated with the author or F-Droid and who have the time and willingness to review changes.
But for critical apps I believe there should be enough volunteers.
Automatic upgrades for such critical apps should probably be disabled by default. For a browser this may be a bad idea because an upgrade may contain a security fix. But for a wallet it would probably be better to notify the user about an upgrade but not install it automatically.
Today I wanted to install a wallet directly from GitHub specifically to avoid a situation where F-Droid will auto-update it.
Then I manually disabled upgrades for my wallet app with the “Ignoring upgrades” option,
but it was difficult to find, and I think such apps should be upgraded only manually by default.
Similarly, some apps may check for a new version and download it from somewhere.
NewPipe does this, and I do update it because it’s buggy, but I don’t really know where the apk was downloaded from.
So maybe critical apps should have their own updater disabled and force the user to upgrade only from F-Droid.
Please clarify whether it’s possible to improve security.
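The two-signer check the post asks for, as an added example that is not part of the original post and is not F-Droid’s, apksigner’s or any upstream project’s code: two independent parties (an “upstream” developer and a “reviewer”) each produce a detached signature over the SHA-256 digest of the same reproducibly built artifact, and the installing side accepts the file only if every required signer’s signature verifies against the bytes it actually has. It assumes `openssl` is installed; the throwaway RSA keys, the file `app.apk`, the signer names and the rule “all listed signers must sign” are constructed for the demo. It uses generic detached signatures rather than the v4 `.idsig` format, so it models the policy, not Android’s own verifier.

```shell
#!/bin/sh
# Added example, not from the original post, F-Droid, apksigner or any upstream app.
# Models "N independent signers over one digest": an APK is accepted only if EVERY
# required signer's detached signature verifies against the file being installed.
# Assumes openssl is installed. Keys, app.apk and the signer set are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for the artifact a reproducible build would produce.
printf 'constructed apk bytes, release 1.0\n' > app.apk

# Two independent signers. A real client would ship with these public keys
# pinned; here throwaway RSA keys are generated for the demo.
for who in upstream reviewer; do
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$who.key" 2>/dev/null
  openssl pkey -in "$who.key" -pubout -out "$who.pub" 2>/dev/null
done

# sign_apk <signer> <apk>: writes <apk>.<signer>.sig, a detached signature over
# SHA-256(apk). Each party does this on its own after reproducing the build and
# confirming that its digest matches the one it was asked to sign.
sign_apk() {
  openssl dgst -sha256 -sign "$1.key" -out "$2.$1.sig" "$2"
}

# verify_apk <apk> <signer>...: returns 0 only if every listed signer's detached
# signature verifies against the same file (and therefore the same digest).
# A missing signature file is a rejection, not a reason to skip that signer.
verify_apk() {
  apk=$1; shift
  for who in "$@"; do
    sig="$apk.$who.sig"
    if [ ! -f "$sig" ]; then
      echo "reject: no signature from $who for $apk" >&2
      return 1
    fi
    if ! openssl dgst -sha256 -verify "$who.pub" -signature "$sig" "$apk" >/dev/null 2>&1; then
      echo "reject: signature from $who does not match $apk" >&2
      return 1
    fi
  done
  echo "accept: $apk carries valid signatures from: $*"
  return 0
}

# Scenario 1: both parties signed the same reproducible artifact -> accept.
sign_apk upstream app.apk
sign_apk reviewer app.apk
verify_apk app.apk upstream reviewer

# Scenario 2: the repository swapped the APK (one byte changed) but kept the old
# signature files -> both signatures fail against the new bytes, must reject.
printf 'constructed apk bytes, release 1.0 + injected code\n' > tampered.apk
cp app.apk.upstream.sig tampered.apk.upstream.sig
cp app.apk.reviewer.sig tampered.apk.reviewer.sig
if verify_apk tampered.apk upstream reviewer; then
  echo "BUG: tampered artifact accepted" >&2; exit 1
fi

# Scenario 3: upstream is compromised and publishes a new build signed only with
# its own key; the reviewer never signed it -> one signer is not enough, reject.
printf 'constructed apk bytes, release 1.1\n' > unreviewed.apk
sign_apk upstream unreviewed.apk
if verify_apk unreviewed.apk upstream reviewer; then
  echo "BUG: single-signer artifact accepted" >&2; exit 1
fi
```

The design point is in `verify_apk`: the signer list is a policy the installing side owns, not something read from the repository, so a compromised repo or a compromised single upstream cannot shrink the set of required signatures. Scenario 3 is the one the post worries about most (upstream compromised), and it is rejected for the same reason as a repo swap: the artifact lacks a valid signature from a party that is independent of the attacker.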