clearly mark debug signing certificates as insecure #1

Open
greensheeps opened this issue Dec 27, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@greensheeps

the title says it all

@soupslurpr soupslurpr added the enhancement New feature or request label Dec 27, 2023
@TotallyAvailable

How would Reproducible F-Droid Apps based on Debug certs be labeled ?

@soupslurpr
Owner

Oh my, if that's true then it should be reported immediately to the developers

@greensheeps
Author

> Oh my, if that's true then it should be reported immediately to the developers

Those developers aren't very interested...

@TotallyAvailable

TotallyAvailable commented Feb 19, 2024

Certainly a discovery I didn't expect to make.

While neither of them appears to be public, if the dev wants to continue providing GitHub releases signed like this (and visible to a user, assuming they look at or care about who signed the APK), that's fine (maybe?), but those should never make it onto F-Droid reproducible.

Especially with Izzy currently pushing to remove all of them from his repo (getting them re-signed correctly).
(Which, after reading through a bunch of things I wasn't aware of... yikes. Certainly messed with my opinion of F-Droid in a not so positive way.)

Signature schemes: v1, v2

Signer Certificate
Subject: C=US,O=Android,CN=Android Debug
Issuer: C=US,O=Android,CN=Android Debug
Issued date: Tue Jan 03 15:56:03 UTC 2023
Expiry date: Thu Dec 26 15:56:03 UTC 2052
Type: X.509, Version: 1, Validity: Valid
Serial Number: 01
Checksums
MD5: c78e3bce5cf4afe2da769efdbe8ae876
SHA-1: 65305390d693dde43834444d08975e600a6c3d59
SHA-256: fc20c11e46319aaedd0fab6876bfcb2f06afb57f53ea14748590676e727b3200
SHA-384: 34c9d520c98dd60317d36b57c07f43fefdf0af4cbc54c8da2ab741bc3ed47c6a0d6742c609cbd5e44e444df2877b876d
SHA-512: 1ad9d9a44ed883630e94dba9901e9ec9847fec44408802ab8ebe4007616a5887bebf71ee4b368c1998265eff30898d71842cbfc26d83074cf4a456cb3206779e
Signature
Algorithm: SHA1withRSA

https://gitlab.com/fdroid/fdroiddata/-/blob/master/metadata/github.umer0586.sensorserver.yml?ref_type=heads

AllowedAPKSigningKeys: fc20c11e46319aaedd0fab6876bfcb2f06afb57f53ea14748590676e727b3200

As I could obviously write/edit whatever I want, here is the APK hash:

6bb35eb9ae7277132d1a106bc58f138613dd8e0e10f31c81e0c1b1c83237e656

https://www.virustotal.com/gui/file/6bb35eb9ae7277132d1a106bc58f138613dd8e0e10f31c81e0c1b1c83237e656/details

Also, I probably should've included the "non-public (to my knowledge)" part in my first comment.
But if those 2 made it in ("Android Debug" not being a clear factor of exclusion for RB inclusion), how many more "hidden" ones are there, and are all of them (still) private?
There's obviously still the case of actively used public signatures not clearly labeled as debug, with the potential to cause issues.

Does the official F-Droid client clearly label Reproducible Builds ?
Answer might be no (last time I checked)

Someone before me had a look and must've approved it.

What I am however aware of and did read through (probably something everyone actively using Iceraven should) is fork-maintainers/iceraven-browser#169
