[guardian-dev] Hello, and question about Android and gapps

Hans-Christoph Steiner hans at guardianproject.info
Wed Mar 28 11:36:34 EDT 2012

Anyone know the details of F-droid's app signature validation?  Ideally it would be like Debian, with a trusted keyring for checking the signatures on all apps.  And if an .apk is not signed by a key in the trusted keyring, it should give an error.


On Mar 28, 2012, at 10:29 AM, Travis Biehn wrote:

> Android won't let you install over packages with a different key. But it comes down to fdroid's handling of install and update processes.
> Travis
> On Mar 28, 2012 10:26 AM, "Hans-Christoph Steiner" <hans at guardianproject.info> wrote:
> Ah, f-droid doesn't do any signature validation?  It should at least compare updates to the original key.
> .hc
> On Mar 28, 2012, at 10:08 AM, Travis Biehn wrote:
>> The apk can be signed by anyone...
>> On Mar 28, 2012 10:06 AM, "Hans-Christoph Steiner" <hans at guardianproject.info> wrote:
>> On Mar 27, 2012, at 6:02 AM, Rick Valenzuela wrote:
>> > On 2012/03/26 3:42 PM, Manuel wrote:
>> >> One note (and also the only thing that's keeping me from doing the
>> >> same): You will likely not be able to use apps you bought in Market,
>> >> because their license check will probably fail if you aren't logged
>> >> in with the account you used for the purchase.
>> >
>> > I expect some functionality will break sometime. But so far, all have
>> > been usable. The two separate pro licenses I have also backed up with
>> > Titanium Backup, and operate fine. But looking at versions on the Play
>> > website, I can see that I'm missing updates. So that's one drawback. But
>> > at least I can see the "What's new" tab to see if it's a security patch
>> > or desirable bugfix.
>> >
>> >> On Mon, Mar 26, 2012 at 10:35:14AM -0400, Hans-Christoph Steiner
>> >> wrote:
>> >>>
>> >>> I think that's a safe assumption.  AOSP (Android Open Source
>> >>> Project) provides a whole operating system that is truly free
>> >>> software.  Having to agree to Google's privacy policy to use it
>> >>> would make it non-free.  The ROMs are generally based off of AOSP.
>> >>> So congratulations! you have escaped Google on your phone :).
>> >
>> > heh, well, not quite: I was stuck without update on one app that pushed
>> > me to flash gapps and log in to Play. I updated that and everything else.
>> >
>> > Just to experiment, though, I then backed up with Titanium Backup and
>> > then made an update.zip of the TB itself, then made a nandroid backup.
>> > Went back and started over again. So my phone is back without the
>> > Google proprietary apps on my phone, no account link, and updated apps.
>> Good point, didn't think of that.
>> >>> If you want a Free as in Freedom app store, check out F-Droid.
>> >>> We're working on getting all of our stuff in there, as well as all
>> >>> the things we find useful.
>> >
>> > yep! already on there, with both repos. i've found quite a few
>> > replacement apps on fdroid, too, that have let me ditch ones with
>> > sketchy permissions I got from the market. One thing I did notice when
>> > adding the Guardian Project repo: The f-droid repo is not SSL.
>> Yes, we probably should provide TLS connections to our repo.  Since the APKs themselves are signed, it probably is not a big security risk to use plain text transfer.  It is definitely a privacy risk, since someone in the middle could follow which apps you are installing.
>> .hc

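The two checks discussed in this thread (a Debian-style trusted keyring applied to every install, and refusing an update signed by a different key) can be modelled as follows. This is an added example, not F-Droid's or Android's code; it assumes the APK signature has already been verified and the signer certificate extracted, and the class, package names and certificate bytes are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for signer certificates (DER bytes in a real client).
REPO_CERT = b"constructed cert: repo maintainer"
OTHER_CERT = b"constructed cert: second trusted signer"
UNKNOWN_CERT = b"constructed cert: unknown self-signed key"


def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint used to identify a signer certificate."""
    return hashlib.sha256(cert).hexdigest()


class InstallPolicy:
    """Hypothetical install gate: keyring check plus same-signer updates."""

    def __init__(self, trusted_certs, require_keyring=True):
        self.keyring = {fingerprint(c) for c in trusted_certs}
        self.require_keyring = require_keyring
        self.installed = {}  # package name -> fingerprint of installed signer

    def check(self, package: str, signer_cert: bytes) -> str:
        fp = fingerprint(signer_cert)
        # Debian-style rule: the signer must be in the trusted keyring.
        if self.require_keyring and fp not in self.keyring:
            return "reject: signer not in trusted keyring"
        # Update rule: the signer must match the one already installed.
        pinned = self.installed.get(package)
        if pinned is not None and pinned != fp:
            return "reject: update signed by a different key"
        self.installed[package] = fp
        return "ok: first install" if pinned is None else "ok: update"


if __name__ == "__main__":
    strict = InstallPolicy([REPO_CERT, OTHER_CERT])
    update_only = InstallPolicy([], require_keyring=False)
    for name, policy in (("keyring", strict), ("update rule only", update_only)):
        for pkg, cert in (("org.example.app", REPO_CERT),
                          ("org.example.app", OTHER_CERT),
                          ("org.example.new", UNKNOWN_CERT)):
            print(f"{name:17} {pkg:16} {policy.check(pkg, cert)}")
```

With only the update rule, the unknown signer is accepted on first install; the keyring check is what rejects it.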