Unauthorized modifications to this JAR entry will not be detected. ![]() ![]() WARNING: META-INF/androidx.appcompat_appcompat-resources.version not protected by signature. Delete or move the entry outside of META-INF/. WARNING: META-INF/androidx.annotation_annotation-experimental.version not protected by signature. WARNING: META-INF/androidx.activity_activity.version not protected by signature. Verified using v3 scheme (APK Signature Scheme v3): true Verified using v2 scheme (APK Signature Scheme v2): true Verified using v1 scheme (JAR signing): true OTOH, $ apksigner verify -verbose _1013050.apk Seems OK, but would seem better if “trusted” after confirming ownership and trusts over beers in a pub… Gpg: There is no indication that the signature belongs to the owner. Gpg: WARNING: This key is not certified with a trusted signature! This is simple and straightforward stuff using principles that were established decades ago so why do the f-droid devs ignore that? That would be well enough for most people to establish that root of trust. #Best pgp app apk#Anyone could therefore compare what the f-droid app is telling them with the results from their own checksum calculators to ensure they can trust the app thereafter.Īnyone can easily checksum the f-droid apk for an md5 and a sha256 using that tool it took just a few seconds to calculate the ones below for the f-droid apk. I would then include in the f-droid app a dialogue that informs the user of the results of similar checks on each file downloaded by the f-droid app. #Best pgp app install#Off the top of my head, at the very least I would provide checksums of each app so the user can use online tools like this one to check the integrity of apps especially the f-droid.apk file before they install it. I don’t have an answer for you and I am not going to argue with you. You are welcome to come up with a new proposal. Verifying a root of trust of anything is long standing problem. How can you trust your CPU to not manipulate your OS/programs?Īt some point you inherently have to give-in and trust someone/something. #Best pgp app verification#How can you trust your OS to not manipulate the file and verification results from other programs? How can you trust your browser to not manipulate the file? I can say just trust HTTPS, but how do you trust the included certificates? I can say, just install OpenKeychain or Termux/gnupg first, but then how do you verify that app download? I can say, just install CalyxOS or DivestOS which comes pre-installed with F-Droid, but then how do you verify the OS download? It says they do not care one iota about the users at all so what is their motivation for doing it? What was that? Did I hear three later agency? There is something inherently suspicious about the entire thing.
0 Comments
Leave a Reply. |
AuthorJennifer ArchivesCategories |