Was the signing key changed?

I’m the dev of a new app on F-Droid (Alovoa | F-Droid - Free and Open Source Android App Repository), which needs the SHA-256 fingerprint of the signing key.
The app works fine using a self-signed key and the one from Google, but doesn’t work properly on the F-Droid build (the address bar is visible).
There was a thread about this (Android App links with F-Droid - how can it work? - #4 by niccokunzmann), but it’s now 2 years old. The same fingerprint is also on the F-Droid website (https://f-droid.org/en/docs/Release_Channels_and_Signing_Keys/). The same fingerprint is also in a public API (https://alovoa.com/.well-known/assetlinks.json), but it does not seem to work with the F-Droid build exclusively.


Well, I don’t know much about that assetlinks feature (I tried to implement it for Catima, but I still don’t know how to even test this; Google’s documentation there is extremely unclear to me), but given that it has to do with your app, it seems to me like you’d want to look at the key your app is signed with instead of the key the F-Droid .apk itself is signed with. Would something like App Manager help with that?

In Catima’s case I grabbed the value of “SHA-256” here, which for your app would be B8:35:67:B8:FC:B2:6C:64:B2:94:36:B5:50:94:B1:F5:1D:1E:53:3A:59:D6:2A:D7:9D:78:41:05:B4:59:72:C3.

Thanks! It works now with that exact SHA-256 fingerprint. I assume all F-Droid apps are signed with the same key. Either the signing key for the F-Droid app is unique or the signing key was changed in the last 2 years.

They’re not; for each app a unique key is generated, and the app is signed with its unique key for security reasons.

If multiple apps are signed with the same key, they can actually get more access to other apps than intended. A few apps use this (like AnySoftKeyboard with its language packs) and thus are explicitly all signed with the same key by F-Droid at the developer’s request, but those are the exception rather than the norm.

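To make the per-app-key point concrete, here is an added example (not code from the Alovoa project, from F-Droid, or from anyone in this thread) that models the Digital Asset Links check behind Android App Links: the SHA-256 fingerprint of the certificate that actually signed the installed APK must appear under `sha256_cert_fingerprints` for that package in `/.well-known/assetlinks.json`, and one statement may list several certificates. The F-Droid fingerprint is the one quoted above; the package name and the self-signed and Play fingerprints are constructed placeholders, derived from made-up bytes only to show how a fingerprint is computed (SHA-256 over the DER-encoded certificate).

```python
"""Digital Asset Links check with one APK package signed by several certificates.

Added example; not the Alovoa, F-Droid or Android code. It mirrors the decision the
App Links verifier makes: is the certificate that signed the installed APK listed
for this package in the site's assetlinks.json?
"""
import hashlib
import json
import re

PACKAGE = "com.example.app"  # assumption: placeholder package name

# F-Droid build fingerprint as quoted in the thread (keytool / App Manager format).
FINGERPRINT_FDROID = (
    "B8:35:67:B8:FC:B2:6C:64:B2:94:36:B5:50:94:B1:F5:"
    "1D:1E:53:3A:59:D6:2A:D7:9D:78:41:05:B4:59:72:C3"
)

_HEX64 = re.compile(r"^[0-9A-F]{64}$")


def _colonize(hex64: str) -> str:
    return ":".join(hex64[i:i + 2] for i in range(0, 64, 2))


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, in the colon-separated
    uppercase form that keytool prints and assetlinks.json expects."""
    return _colonize(hashlib.sha256(cert_der).hexdigest().upper())


# Constructed stand-ins for the other two signing certificates. Real values come
# from the APK itself (see the usage note); these bytes are NOT certificates.
FINGERPRINT_SELF_SIGNED = cert_fingerprint(b"constructed: self-signed debug cert")
FINGERPRINT_PLAY = cert_fingerprint(b"constructed: Play App Signing cert")


def is_fingerprint(value: str) -> bool:
    """True for 'AA:BB:..' (keytool) or 'aabb..' (apksigner) SHA-256 digests."""
    return bool(_HEX64.match(re.sub(r"[:\s]", "", value).upper()))


def normalize(fingerprint: str) -> str:
    """Return the canonical colon-separated uppercase form; reject anything else."""
    if not is_fingerprint(fingerprint):
        raise ValueError(f"not a SHA-256 certificate fingerprint: {fingerprint!r}")
    return _colonize(re.sub(r"[:\s]", "", fingerprint).upper())


def build_assetlinks(package: str, fingerprints) -> list:
    """One statement per package, listing every certificate that may sign it."""
    return [{
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {
            "namespace": "android_app",
            "package_name": package,
            "sha256_cert_fingerprints": [normalize(f) for f in fingerprints],
        },
    }]


def grants_handle_all_urls(statements, package: str, installed_fingerprint: str) -> bool:
    """Does any statement grant handle_all_urls to this package signed by this cert?"""
    wanted = normalize(installed_fingerprint)
    for stmt in statements:
        if "delegate_permission/common.handle_all_urls" not in stmt.get("relation", []):
            continue
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package:
            continue
        listed = {normalize(f) for f in target.get("sha256_cert_fingerprints", [])}
        if wanted in listed:
            return True
    return False


# The situation in the thread: only the self-signed and Play certificates were listed,
# so the F-Droid build (signed with F-Droid's per-app key) failed verification.
STATEMENTS_BEFORE = build_assetlinks(PACKAGE, [FINGERPRINT_SELF_SIGNED, FINGERPRINT_PLAY])
# The fix: also list the certificate F-Droid generated for this app.
STATEMENTS_AFTER = build_assetlinks(
    PACKAGE, [FINGERPRINT_SELF_SIGNED, FINGERPRINT_PLAY, FINGERPRINT_FDROID]
)

if __name__ == "__main__":
    print(json.dumps(STATEMENTS_AFTER, indent=2))
    for label, stmts in (("before", STATEMENTS_BEFORE), ("after", STATEMENTS_AFTER)):
        ok = grants_handle_all_urls(stmts, PACKAGE, FINGERPRINT_FDROID)
        print(f"{label}: F-Droid build verified = {ok}")
```

To get the real value for a given build, read it from the APK you are shipping rather than from a keystore you think was used: `keytool -printcert -jarfile app.apk` prints the certificate's `SHA256:` line in the colon-separated form, and `apksigner verify --print-certs app.apk` prints the same digest as lowercase hex without colons; `normalize` above accepts both. Because F-Droid signs each app with its own generated key, the F-Droid APK's fingerprint will differ from both the Play and the self-signed one and must be listed as a third entry.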

It was renewed 9 months ago. That may be a slight change, in date.

That is the PGP key used for verifying the APK files from the website.
Each F-Droid-compatible repository also has an index signing key used for signing the repo metadata and APK hashes.

But each app also has its own unique signing key generated when it is first added to the official F-Droid repo. That key is what the app filter verification service checks against and is related to the OP here.

