Why F-Droid is still using APK Signature Scheme v1?

I heard that F-Droid only uses APK Signature Scheme v1 and tested some APKs downloaded from F-Droid. Why not use v3? Is v1 still safe?

Lack of developers of course, feel free to lend a hand :wink:

1 Like

Yes, we should support the newer signatures for compatibility. F-Droid uses signed metadata, which provides the same level of protection as v2 and v3 signatures, more or less. So it's mostly an issue of someone finding the time. This stuff is mapped out in https://gitlab.com/fdroid/fdroidserver/issues
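To see which of these schemes an APK actually carries, here is an added example (not F-Droid's code): it looks for JAR-signature files for v1 and walks the APK Signing Block for the v2/v3 block IDs. It reports presence only, not validity; `apksigner verify --verbose` does real verification. The `build_sample_apk` helper constructs a structurally valid, unsigned test file so the script runs offline.

```python
import io
import struct
import zipfile
# Block IDs from the Android APK Signature Scheme v2/v3 documentation.
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
SIG_BLOCK_MAGIC = b"APK Sig Block 42"

def _eocd_and_cd_offset(data):
    """Locate the zip EOCD record; return (eocd_offset, central_directory_offset)."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip/APK")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def signature_schemes(data):
    """Report which signature schemes an APK carries (presence only, no verification)."""
    found = set()
    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    # v1 (JAR signing): MANIFEST.MF plus a PKCS#7 signature file under META-INF/.
    if "META-INF/MANIFEST.MF" in names and any(
            n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names):
        found.add("v1")
    _, cd = _eocd_and_cd_offset(data)
    # v2/v3 live in the APK Signing Block just before the central directory: [size][pairs][size][magic].
    if cd >= 24 and data[cd - 16:cd] == SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", data, cd - 24)[0]
        pos, end = cd - size, cd - 24  # 'size' excludes the leading size field itself
        while 0 <= pos <= end - 12:
            pair_len, block_id = struct.unpack_from("<QI", data, pos)  # uint64 length, uint32 ID
            found.update({V2_BLOCK_ID: ["v2"], V3_BLOCK_ID: ["v3"]}.get(block_id, []))
            pos += 8 + pair_len
    return sorted(found)

def build_sample_apk(v1=True, block_ids=()):
    """Constructed input: minimal zip, optional v1 files, signing block with empty values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        if v1:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x00")  # placeholder, not a real PKCS#7 blob
    data = buf.getvalue()
    if not block_ids:
        return data
    eocd, cd = _eocd_and_cd_offset(data)
    pairs = b"".join(struct.pack("<QI", 4, bid) for bid in block_ids)  # length 4 = ID only
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    return (data[:cd] + block + data[cd:eocd + 16]  # splice block in, patch EOCD's CD offset
            + struct.pack("<I", cd + len(block)) + data[eocd + 20:])
```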

Signed metadata can only protect APKs downloaded from the F-Droid client. I guess attackers can install a malware update.

If someone has access to install an APK on your device, they are basically already in.

:rofl: You are right! Attackers can install an update with guest accounts, but they need to access the device first.
Or users may download an update from a malware website… Ok, they can download malware at the beginning. :woman_facepalming: :man_facepalming:

If they can install anything they don’t need to update some app anyway, that’s more work.

FYI already in, and deployed https://gitlab.com/fdroid/fdroidserver/-/merge_requests/736

3 Likes