organicmaps / organicmaps

🍃 Organic Maps is a free Android & iOS offline maps app for travelers, tourists, hikers, and cyclists. It uses crowd-sourced OpenStreetMap data and is developed with love by MapsWithMe (MapsMe) founders and our community. No ads, no tracking, no data collection, no crapware. Please donate to support the development!
https://organicmaps.app
Apache License 2.0
9.52k stars 914 forks

publish hashes of signing keys #8932

Open grrrrr opened 1 month ago

grrrrr commented 1 month ago

On Android, you can use AppVerifier to confirm if an apk was signed by the owners or an untrusted key (as well as other methods). This can be combined with Obtainium to check at install time.

The hashes could be published in a number of places for additional trust, e.g.

Jean-BaptisteC commented 1 month ago

Hash is available on Github releases https://github.com/organicmaps/organicmaps/releases/tag/2024.07.27-8-android

grrrrr commented 1 month ago

Different hash. The one on the releases page is the hash of the specific apk.

I'm talking about the hash of your signing keys, to verify that it is properly signed

I'm essentially trying to add an additional layer of security and make [this process](https://developer.android.com/tools/apksigner#examples-verify) as seamless as possible for users who install the apk from the releases page by fetching it with Obtainium:

  1. getting the hash of your signing keys - a one-off process, at least until your signing keys change
  2. use Obtainium to install Organic Maps from the release page
  3. Obtainium passes the apk to AppVerifier to confirm you and not someone else signed the key by verifying the hash from step one (or having it added to AppVerifier's db)
  4. AppVerifier passes back to Obtainium to finish the install.
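A scripted form of steps 1 and 3 above, added here as an example (not code from this thread, Organic Maps, Obtainium or AppVerifier): it runs `apksigner verify --print-certs`, collects every signer's certificate SHA-256 digest, and accepts the apk only if the signature verifies and all signers match the pinned digest. The pinned value and the sample apksigner output below are placeholders/constructed, not real key hashes.

```python
import hashlib
import hmac
import re
import subprocess

# Placeholder for the digest the project would publish; NOT Organic Maps' real signing-cert hash.
PINNED_SIGNER_SHA256 = "PLACEHOLDER_SIGNING_CERT_SHA256"

# apksigner prints one such line per signer, e.g. "Signer #1 certificate SHA-256 digest: <64 hex>".
_DIGEST_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def signer_digests(apksigner_output: str) -> dict:
    """Map signer number -> lowercase cert SHA-256 digest, parsed from --print-certs output."""
    return {int(n): d.lower() for n, d in _DIGEST_RE.findall(apksigner_output)}


def signed_by_pinned_key(apksigner_output: str, pinned: str) -> bool:
    """True only if at least one signer was found and every signer matches the pinned digest.
    Requiring all signers (not just one) to match stops a foreign co-signer from slipping in."""
    digests = signer_digests(apksigner_output)
    if not digests:
        return False
    pinned = pinned.lower()
    return all(hmac.compare_digest(d, pinned) for d in digests.values())


def verify_apk(apk_path: str, pinned: str = PINNED_SIGNER_SHA256) -> bool:
    """Run apksigner from the Android build-tools (assumed on PATH) and check the signer."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True, check=False)
    # Non-zero exit means the signature itself is invalid; never fall through to the cert compare.
    if proc.returncode != 0:
        return False
    return signed_by_pinned_key(proc.stdout, pinned)


def apk_file_sha256(apk_bytes: bytes) -> str:
    """The hash a releases page lists: it identifies one exact apk file, not who signed it."""
    return hashlib.sha256(apk_bytes).hexdigest()


# Constructed sample output with fake digests (not real key hashes).
FAKE_DIGEST = "0123456789abcdef" * 4
OTHER_DIGEST = "fedcba9876543210" * 4
SAMPLE_GOOD = ("Signer #1 certificate DN: CN=Example Publisher, O=Example\n"
               f"Signer #1 certificate SHA-256 digest: {FAKE_DIGEST}\n")
SAMPLE_MIXED = SAMPLE_GOOD + ("Signer #2 certificate DN: CN=Someone Else\n"
                              f"Signer #2 certificate SHA-256 digest: {OTHER_DIGEST}\n")
```

`verify_apk` is the call a wrapper around Obtainium-style installs would make; the sample strings only exercise the parsing and comparison offline.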