by sneak 2255 days ago
F-Droid has the same potential tampering issue: apps there are signed by the F-Droid key, not the developer’s key.

An F-Droid compromise could backdoor every app.

Any history of this?

For anyone: Why don't they cross-sign with their key+dev key?

Because the builds are (generally) not reproducible.

I think cross-signing implies adding a second signature (notarization) to an existing dev-signed build, not doing a rebuild.

Does apk support such a thing?