yeriomin / YalpStore

Download apks from Google Play Store
GNU General Public License v2.0

Why is there a signature mismatch on a few popular apps lately?? #494

Closed ppI97 closed 6 years ago

ppI97 commented 6 years ago

In the past week or so, I have noticed Uber and Booking.com so far have come up with signature mismatches. What is the reason for this, since all these apps are coming from the Google Play Store in essence? I have previously updated them from Yalp Store. When I went to the Play Store, Uber and Booking.com downloaded and installed perfectly, and let's face it, F-Droid doesn't have those apps. So what's the deal? Or are the download links to these apps not coming directly from the Play Store?

This is worrisome, and I am afraid that something bad is going on behind the scenes.

yeriomin commented 6 years ago

are the download links to these apps not coming directly from play store

They are coming directly from Play Store.

Try disabling delta updates if they are enabled and please don't ignore the issue template if you want a meaningful answer.

Rikk commented 6 years ago

Why is there a signature mismatch on a few popular apps lately?

I think it is because of this change Google is implementing: https://www.androidpolice.com/2018/06/19/google-adding-distributed-google-play-metadata-apks/ Imo, it is lacking a lot of explanation about the metadata contents and the reasons Google is doing this look very obscure...

yeriomin commented 6 years ago

@Rikk Since there are no technical details, it is hard to say, but I think they just mean they will be putting something new into the APK signing block of the Signature Scheme v2. So it would not make the signature invalid/different.

the reasons Google is doing this look very obscure

This gives the following reason:

In the future, for apps obtained through Play-approved distribution channels, we'll be able to determine app authenticity while a device is offline, add those shared apps to a user's Play Library, and manage app updates when the device comes back online. This will give people more confidence when using Play-approved peer-to-peer sharing apps.

ppI97 commented 6 years ago

Try disabling delta updates

Thanks, that worked! No idea when I even activated that setting!

Rikk commented 6 years ago

Oops, I think I read or wrongly understood the first post as 'hash mismatch', sorry.

ale5000-git commented 6 years ago

Doesn't this mean that there is a bug in delta updates?

yeriomin commented 6 years ago

@ale5000-git The process itself - no, but some phone vendors supply their devices with apps signed differently than the Play Store version. The Play Store app, apparently, checks the signature before download and decides to install the whole update instead of a delta update in this case. Yalp Store cannot do that because the signature/hash sent with the download link response has an unknown algorithm (to me at least). The resulting hash does not even resemble the result of the popular hashing algos.

That's why delta updates are no longer on by default.
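The check yeriomin describes the Play Store performing, written here as an added example rather than YalpStore's own code: before applying a delta, compare the SHA-256 fingerprints of the installed app's signing certificates with those of the downloaded full APK, and only treat the delta as safe when they match. The class name `SignerCheck` and the use of the legacy `GET_SIGNATURES` flag (which also populates `PackageInfo.signatures` on newer Android versions) are assumptions of this example.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;

/** Assumed helper (not YalpStore code): decides whether a delta update is safe to apply. */
public final class SignerCheck {

    /**
     * Returns true only when the installed package and the APK at apkPath are signed by
     * exactly the same set of certificates. A vendor-preinstalled build signed with a
     * different key yields false, so the caller should fall back to a full download.
     */
    public static boolean sameSigner(Context ctx, String packageName, String apkPath)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        // GET_SIGNATURES is deprecated since API 28 but still fills PackageInfo.signatures.
        PackageInfo installed = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        PackageInfo update = pm.getPackageArchiveInfo(apkPath, PackageManager.GET_SIGNATURES);
        if (update == null || !packageName.equals(update.packageName)) {
            return false; // unparsable APK, or an APK for a different package
        }
        Set<String> current = fingerprints(installed);
        Set<String> incoming = fingerprints(update);
        return !current.isEmpty() && current.equals(incoming);
    }

    /** SHA-256 fingerprints of every signing certificate (DER encoded) in the package. */
    private static Set<String> fingerprints(PackageInfo info) {
        Set<String> out = new HashSet<>();
        if (info.signatures == null) return out;
        for (Signature s : info.signatures) out.add(sha256Hex(s.toByteArray()));
        return out;
    }

    private static String sha256Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e); // mandatory on Android
        }
    }
}
```

When `sameSigner` returns false the right move is the one the thread attributes to the Play Store: skip the delta and install the full APK, which the installer will then accept or reject on its own signature check.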