Closed shrimprugbysnowowl closed 1 month ago
The app hosted in fdroid is built and signed by the fdroid developers
The official website still says that but it is not true for reproducible builds. All Fossify apps downloaded via F-Droid are built and signed by Fossify.
users should have a way to verify that the build was signed by the developer.
I absolutely agree but posting the hash on GitHub isn't exactly user-friendly or broadly accessible. Instead, I'm working on something that will be available in the Fossify Thank You app (even though it's supposed to be a 'thank you', it'll still be released here).
Thanks!
The app hosted in fdroid is built and signed by the fdroid developers
The official website still says that but it is not true for reproducible builds. All Fossify apps downloaded via F-Droid are built and signed by Fossify.
It indeed appears that I was mistaken. The version of Gallery that I have installed has been signed by the same developer key that signed the latest apk version hosted on Github. I will have to dig into this more.
users should have a way to verify that the build was signed by the developer.
I absolutely agree but posting the hash on GitHub isn't exactly user-friendly or broadly accessible. Instead, I'm working on something that will be available in the Fossify Thank You app (even though it's supposed to be a 'thank you', it'll still be released here).
The users who would be looking to verify the hash likely wouldn't be using f-droid (because f-droid doesn't give you the option to download the apk, and you'd ideally verify the hash before installing) or google play, but Obtainium, or visiting Fossify's Github directly for the download.
Checklist
Affected app version
1.2.1
Affected Android/Custom ROM version
13
Affected device model
N/A
How did you install the app?
GitHub releases
Steps to reproduce the bug
Fossify offers a direct apk download option for all its apps from github as well as being hosted in the fdroid official repo. The app hosted in fdroid is built and signed by the fdroid developers, which some view as a security issue. Apps like Obtainium are becoming more popular and allow users to track updates to apps and directly download the apk from github, but those users should have a way to verify that the build was signed by the developer. Posting the sha-256 hash of the developer signing key in multiple locations, such as in the project README and on the Fossify website, would limit future tampering.
Based on the downloaded gallery-9-foss-release.apk, the hash appears to be: AF:FD:B1:24:D3:F4:72:0C:2F:98:DB:CA:9E:AC:BA:05:14:FB:A4:30:6E:20:A2:78:6C:86:1C:3C:0D:6F:F2:92
I'm happy to create a PR for the README if you are amenable to inclusion.
Thank you for your consideration.
Expected behavior
Post sha256 hash of the developer signing key in multiple locations, such as README and website.
Actual behavior
No hash of the signing key is available.
Screenshots/Screen recordings
No response
Additional information
No response
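The check this issue asks for, as an added example that is not Fossify project code: given an APK and the expected SHA-256 certificate fingerprint, it pulls the signer certificate out of the v1 (JAR) signature block under META-INF and compares fingerprints in the colon-separated form quoted above. It assumes a v1 signature block is present (a v2/v3-only APK has none and the check returns False), the fixture "certificate" it builds is constructed and not a real X.509 certificate, and it pins key identity only: it does not verify the signature over the APK contents, which is what `apksigner verify --print-certs` does.

```python
import hashlib
import io
import zipfile

def der_children(data):
    """Yield (tag, value, whole_tlv) for each top-level DER element in data."""
    i = 0
    while i < len(data):
        start, tag, length, i = i, data[i], data[i + 1], i + 2
        if length & 0x80:                 # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length], data[start:i + length]
        i += length

def tlv(tag, body):
    """Encode one short-form DER element (< 128 bytes); only builds the fixture."""
    return bytes([tag, len(body)]) + body

def first_cert_from_pkcs7(blob):
    """ContentInfo -> [0] EXPLICIT -> SignedData -> [0] certificates -> first one."""
    content_info = next(der_children(blob))[1]
    explicit0 = list(der_children(content_info))[1][1]
    for tag, value, _ in der_children(next(der_children(explicit0))[1]):
        if tag == 0xA0:                   # IMPLICIT [0] CertificateSet
            return next(der_children(value))[2]
    raise ValueError("PKCS#7 block carries no certificate")

def fingerprint(cert_der):
    """Colon-separated SHA-256 of the DER certificate, as apksigner prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())

def apk_signed_by(apk, expected_fp):
    """True only if every v1 (META-INF/*.RSA|DSA|EC) block carries the expected
    certificate; a v2/v3-only APK has no such block and therefore yields False."""
    want = expected_fp.replace(":", "").upper()
    with zipfile.ZipFile(apk) as z:
        blocks = [n for n in z.namelist() if n.upper().startswith("META-INF/")
                  and n.upper().rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
        seen = {fingerprint(first_cert_from_pkcs7(z.read(n))).replace(":", "")
                for n in blocks}
    return seen == {want}

def constructed_apk(cert_der):
    """Minimal in-memory APK-shaped zip holding one PKCS#7 SignedData block (fixture)."""
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"")                  # version, digestAlgs
                 + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))   # contentInfo: data
                 + tlv(0xA0, cert_der))                                       # certificates
    pkcs7 = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf
```

Run `apk_signed_by("gallery.apk", "AF:FD:B1:24:...")` against a downloaded release to pin the key; a mismatch means the APK was signed with a different certificate than the one published.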