undefined | Better HN

0 pointssneak5y ago0 comments

F-Droid has the same potential tampering issue: apps there are signed by the F-Droid key, not the developer’s key.

An F-Droid compromise could backdoor every app.

0 comments

Any history of this?

For anyone: Why don't they cross-sign with their key+dev key?

Because the builds are (generally) not reproducible

sneakOP5y ago

I think cross-signing implies adding a second signature (notarization) to an existing dev-signed build, not doing a rebuild.

Does apk support such a thing?

j / k navigate · click thread line to collapse