As there is no proper way for F-Droid users to establish the root of trust that would be required to verify that the apps they install from F-Droid are legit, I would like to propose some improvements that might help mitigate this.
Firstly, every app on the site should have a SHA-256 checksum along with its PGP signature in its description dialog.
Secondly, the F-Droid app should be hardcoded to self-check its own package signature and calculate its own APK checksums and display them in its own "About" dialog, so users can compare that with those on the F-Droid website and with the results from their own checksum calculator.
Thirdly, the F-Droid app should display those same package signature and checksum results for each app it has downloaded and installed, so the user can compare them with the F-Droid website and their own checksum calculator.
Bottom line: if the F-Droid app's own built-in dialog calculates the same package signatures and checksums as the F-Droid website, and the checksums also match the user's own third-party checksum calculator, there can be only one conclusion: the installed apps are the same as those that were built by F-Droid.
That won't help. A malicious app could still display a valid checksum. All the modifications you suggest also depend on trusting the F-Droid APK (it could display a valid checksum and still download another file).
I think the F-Droid app already verifies the checksums automatically. So as long as you trust the original F-Droid APK you installed, everything should already be fine.
"as long as you trust the original F-Droid APK you installed"
My entire point is about creating a means by which to trust that the F-Droid APK that is downloaded and installed is actually the one created by F-Droid as per the published source code, and not a malicious substitute, and similarly for all the other hosted apps.
Then you have to check that you trust the F-Droid APK before installing it (the F-Droid website shows the signature). There is nothing the app could display that would actually make it more trustworthy, because a malicious app can just display whatever it wants.
Checksum verification is not a security practice.
Here is why: if an attacker gets access to a download page and replaces a downloaded APK file, they will also replace its checksum.
If a PGP signature is the proper way, then why are there no apps that can check whether an APK was really signed by the correct signing key, and why does the command-line method return multiple warnings about the F-Droid APK? That is about as proper as saying "my security is bullshit, and you can check that with my Linux command-line bullshit detector; just ignore all the subsequent warnings, they are just more bullshit."
Because your previous request didn't get traction with a developer who had the time or motivation to create it?
Or F-Droid and the Android installer already do it for you, without giving you the "proof" you wish to see. Have you tried installing an app APK from one source or F-Droid repo, then attempting an update from another? You would find it will complain about a signature mismatch.
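The two checks referred to in the replies above (comparing the APK's signing certificate with the fingerprint the F-Droid website publishes, and the installer's refusal to update a package with a differently signed APK) can both be reproduced from the APK file itself, independently of anything the app chooses to display. The following is an added illustration written for this thread; it is not F-Droid project code. It parses the v1 (JAR) signature block `META-INF/*.RSA` of an APK, extracts the signing certificate and hashes it with SHA-256, which is the same fingerprint `apksigner verify --print-certs` reports. It deliberately does not verify the signature over the APK contents (use `apksigner` for that); it only answers "which certificate signed this?". The sample APKs and the "certificates" inside them are constructed stand-ins, the published fingerprint is a placeholder derived from them, and the function names are this example's own.

```python
"""Extract the signing-certificate fingerprint from an APK and compare it with a
published value.  Added example for this discussion, not F-Droid code.

Limits (assumptions of this example):
- Only the v1 signature block META-INF/*.RSA|.DSA|.EC is parsed, and only the
  certificate is extracted and hashed.  The signature over the APK contents is
  NOT checked here; `apksigner verify --print-certs` does that.
- The published fingerprint is whatever you copy from the F-Droid website; the
  value used below is a placeholder computed from a constructed certificate.
"""
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, whole_tlv, next_pos).
    Short and long-form lengths are handled; PKCS#7 uses no multi-byte tags."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end


def der_encode(tag, content):
    """Encode one DER TLV (only needed to build the constructed sample APK)."""
    n = len(content)
    if n < 0x80:
        lenbytes = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lenbytes = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + lenbytes + content


def fingerprint(cert_der):
    """SHA-256 over the certificate's DER bytes, lowercase hex, no colons
    (the format apksigner prints; keytool prints the same digest with colons)."""
    return hashlib.sha256(cert_der).hexdigest()


def cert_fingerprints_from_pkcs7(blob):
    """Walk ContentInfo -> [0] SignedData -> certificates [0] and hash each cert."""
    tag, ci, _, _ = der_read(blob)
    if tag != 0x30:
        raise ValueError("signature block is not a ContentInfo SEQUENCE")
    tag, oid, _, p = der_read(ci)
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not signedData")
    tag, wrapper, _, _ = der_read(ci, p)              # [0] EXPLICIT SignedData
    if tag != 0xA0:
        raise ValueError("missing [0] SignedData wrapper")
    _, sd, _, _ = der_read(wrapper)                   # SignedData SEQUENCE
    p = 0
    for _ in range(3):                                # version, digestAlgorithms, encapContentInfo
        _, _, _, p = der_read(sd, p)
    tag, certs, _, _ = der_read(sd, p)
    if tag != 0xA0:                                   # certificates are OPTIONAL
        return []
    out, q = [], 0
    while q < len(certs):                             # SET OF Certificate, IMPLICIT tag
        _, _, cert_tlv, q = der_read(certs, q)
        out.append(fingerprint(cert_tlv))
    return out


def apk_signer_fingerprints(apk_bytes):
    """Set of certificate fingerprints found in the APK's v1 signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(cert_fingerprints_from_pkcs7(z.read(name)))
    if not fps:
        raise ValueError("no v1 signature block found")
    return fps


def matches_published(apk_bytes, published_fingerprint):
    """Is the certificate whose fingerprint the website publishes among the APK's signers?"""
    want = published_fingerprint.replace(":", "").strip().lower()
    return want in apk_signer_fingerprints(apk_bytes)


def same_signer(installed_apk, update_apk):
    """The rule the Android installer enforces: an update must carry the same signing certificate."""
    return apk_signer_fingerprints(installed_apk) == apk_signer_fingerprints(update_apk)


# ---- constructed sample data (stand-ins, not real certificates or APKs) ----
def fake_cert(label):
    """Stand-in for an X.509 certificate: a DER SEQUENCE wrapping a label."""
    return der_encode(0x30, der_encode(0x13, label.encode()))


def build_sample_apk(cert_der):
    """Minimal zip with a v1 signature block carrying cert_der; signerInfos left empty
    because this example never checks the signature value."""
    signed_data = (der_encode(0x02, b"\x01")                      # version
                   + der_encode(0x31, b"")                         # digestAlgorithms
                   + der_encode(0x30, der_encode(0x06, OID_DATA))  # encapContentInfo
                   + der_encode(0xA0, cert_der)                    # certificates [0]
                   + der_encode(0x31, b""))                        # signerInfos
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA)
                       + der_encode(0xA0, der_encode(0x30, signed_data)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed stub")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    genuine = fake_cert("constructed F-Droid signing cert")
    published = fingerprint(genuine)      # placeholder for the value shown on the website
    good_apk = build_sample_apk(genuine)
    swapped_apk = build_sample_apk(fake_cert("constructed attacker cert"))
    print("genuine APK matches published fingerprint:", matches_published(good_apk, published))
    print("re-signed APK matches published fingerprint:", matches_published(swapped_apk, published))
    print("re-signed APK accepted as update of genuine:", same_signer(good_apk, swapped_apk))
```

The point the script makes: the fingerprint is a property of the bytes you downloaded, so an app that merely displays a number adds nothing, whereas a value you obtain out of band (the website over HTTPS, a mirror, a friend's installed copy) and compare against the file yourself does. An APK re-signed with a different key cannot produce the published fingerprint, and the installer's same-signer rule then refuses it as an update.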
I wouldn't say I'm hostile to improving the security model. I'm just against adding things that provide a false feeling of security without actually being more secure.
Yeah, it's a good idea to improve security, but this is also not necessarily the best way to implement that.
PGP signatures are only useful in specific use-case scenarios; it's just as easy to change a signature if you have access to change the download page.
The hypothetical scenario is that F-Droid are already hacked.
F-Droid already does provide a valid signature checksum. In this scenario the signature checksum is similar to using a PGP key: the key is only provided by the developer, so if the signature were modified, it would change the key and therefore change the checksum.
If you believe a one-way decryption key provided by a hacked website is more secure than a package and signature checksum provided by the same hacked website, then I'm not sure what to say.
How do you think a signed app is a security feature when no one can verify that the signing key used to sign the app is legit, because every app on F-Droid is signed with a different key?