by josephg 1870 days ago
Piling on here, that's super weird.

The reason for digital signatures is that they make a claim. "As a representative of organisation A, the binary with shasum XXXX is our work. We stand behind it." Why would I generate a private key, then share my private key with google? If google wants to claim that a binary they're shipping to users is the same as the one they received, they don't need my private key to do that. They can make their own signature, with their own key. Using a key I generated then handed to them is just dangerous security theatre. Google is asking me to vouch for binaries they sign and serve. But I can't vouch for those binaries - I didn't produce them and can't make any claim about their provenance.

3 comments
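The point the comment makes, that a distributor can attest to what it received with its own key and never needs the developer's private key, is shown below in a small Ed25519 example. This is an added illustration, not code from the thread or from any app store: the party names, the artifact bytes and the `Attest`/`Verify` helpers are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer models one party with its own key pair: the developer
// ("organisation A" in the comment) or the store that redistributes the binary.
// The private key never leaves this struct; nothing below needs another
// party's private key.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for a party (assumed setup).
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

// Attestation is the claim a party makes: "I, <Signer>, vouch for the artifact
// with this SHA-256 digest." The signature is over the digest.
type Attestation struct {
	Signer    string
	Digest    [32]byte
	Signature []byte
}

// Attest signs the SHA-256 digest of the artifact with the party's own key.
func (s *Signer) Attest(artifact []byte) Attestation {
	d := sha256.Sum256(artifact)
	return Attestation{Signer: s.Name, Digest: d, Signature: ed25519.Sign(s.priv, d[:])}
}

// Verify checks an attestation against the bytes actually received and against
// one specific party's public key. The digest must match the received bytes
// and the signature must verify under that key.
func Verify(pub ed25519.PublicKey, a Attestation, received []byte) bool {
	d := sha256.Sum256(received)
	if d != a.Digest {
		return false
	}
	return ed25519.Verify(pub, d[:], a.Signature)
}

// RunScenario plays out the two independent claims and returns which checks pass.
func RunScenario() (map[string]bool, error) {
	dev, err := NewSigner("developer")
	if err != nil {
		return nil, err
	}
	store, err := NewSigner("store")
	if err != nil {
		return nil, err
	}

	// Constructed sample artifact standing in for an APK.
	artifact := []byte("constructed-sample-binary-v1")

	devClaim := dev.Attest(artifact)     // "this is our work"
	storeClaim := store.Attest(artifact) // "this is what we received and serve"

	// A user who downloaded the artifact can check both claims independently.
	tampered := append(bytes.Clone(artifact), '!')
	results := map[string]bool{
		"developer claim verifies under developer key": Verify(dev.Pub, devClaim, artifact),
		"store claim verifies under store key":         Verify(store.Pub, storeClaim, artifact),
		// The store's signature is not the developer's claim: it does not verify
		// under the developer's key, so provenance and distribution stay distinct.
		"store claim verifies under developer key": Verify(dev.Pub, storeClaim, artifact),
		// Any modification after signing breaks both claims.
		"developer claim verifies for tampered bytes": Verify(dev.Pub, devClaim, tampered),
	}
	return results, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for check, ok := range results {
		fmt.Printf("%-46s %v\n", check, ok)
	}
}
```

Each party signs only with a key it generated itself, so the store's attestation says exactly what it can know ("these bytes are what we received"), while the developer's attestation keeps saying "this is our work"; handing the developer's private key to the store collapses the two claims into one that nobody can separately verify.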

> If google wants to claim that a binary they're shipping to users is same the one they received, they don't need my private key to do that. They can make their own signature, with their own key.

IIRC this is how it works by default for new apps. Uploading your existing signing key is only necessary for backwards compatibility to allow you to update existing apps that have already been published using that key.

> IIRC this is how it works by default for new apps.

Personally, I'd like to see Apple, Google, and possibly Microsoft take this to what I think is the obvious conclusion: developers and independent software vendors submit source code, artwork and other such "assets", sufficient metadata, and build instructions to the store, the store builds and publishes the applications and makes them available to users. F-Droid builds and publishes using its own keys and while there are problems with delay for some time-sensitive apps (most notably Newpipe, an application to watch YouTube videos), it works out quite well for the most part. I can't imagine why Apple and Google couldn't have what are essentially multiple build runners running at the same time to cut this time shorter to something like an hour at the most?

In return at least for Android (Apple is a bit of a special case), I would like to see it made possible at least for F-Droid or something similar to be able to update apps without requiring user intervention. Not sure how the technology will work exactly but my understanding (please correct me if I am wrong) is Google Play Store has super cow powers and I think it should be able to "bless" other applications to have the same super powers?

The F-Droid ecosystem is also working towards reproducible builds[0] so you can have more verification options for what you, as a user, received.

Not sure how that would work with a proprietary app store like Play store.

[0]: https://f-droid.org/en/docs/Reproducible_Builds/

BTW, what F-Droid does is basically the same as what major Linux distros do - build everything from source on trusted infrastructure.

The model also shields to a certain extent against conflict of interests (the product is the user, i.e. ads/tracking/hostile maintainership takeover).

> The model also shields to a certain extent against conflict of interests (the product is the user, i.e. ads/tracking/hostile maintainership takeover)

Can you explain how? Since I've published things to F-Droid and since they also control signing and building (just like Apple and Google in this article), they can freely modify and change what's published on their store.

Just like with Google and Apple, you need to inherently trust them that they don't let people with access tamper with your app.

The question is more of where the money is coming from. Google gets paid by advertisements so that's where their loyalties are.

F-droid is funded by contributions and donations, and they need both. They also have everything out in the open, which brings extra scrutiny.

And the last part is just culture. F-droid is a community project with clear set goals. Google also has clear set goals, they just don't happen to align with their users for the most part.

One example would be basic apps and games like flashlights, editors, sudoku, minesweeper, note taking apps etc, of which 95% on the play store are ad/tracking infested. I just skip those and install f-droid's "recommendation", problem solved. Also: Fennec is great (a rebuild of Mozilla Firefox mobile) and they also offer older versions in parallel (also via their archive). Their Firefox "fennec" build while not being a fork nevertheless has some tweaks, optimizations and brought back addons (via collections, you need to read the whole thread, it's long though), much appreciated:

https://forum.f-droid.org/t/welcome-a-new-fennec-f-droid/111...

    I have just submitted a Fennec update to 81.1.1. Should be available soon™. This version brings a lot of changes, like a new UI and modular codebase. The bad news:

    Mozilla now tracks you even more actively using proprietary 3rd party services. I removed all tracking I found. (Firebase, Adjust and Leanplum libraries were replaced with stubs, so some analyzers can erroneously report their presence in the APK.)
    The new UI may break your habits and disappoint you. (IMHO it’s not as bad as one might conclude from reading r/Firefox.)
    Android 5.0 or later is now required. Mozilla decided so.
    x86 devices are not supported anymore. I stumbled upon linkage errors and gave up. Help is welcome.

    The good news is that Fennec F-Droid is alive and continues to be truly free software.

> Can you explain how? Since I've published things to F-Droid and since they also control signing and building (just like Apple and Google in this article), they can freely modify and change what's published on their store.

I think the perspective is that the distribution shields its users from possible upstream shenanigans (think stories that we used to hear about how popular free and open source Chrome extensions get bought and sold and ended up showing ads on Chrome's opening page).

> The model also shields to a certain extent against conflict of interests (the product is the user, i.e. ads/tracking/hostile maintainership takeover)

What I find difficult to wrap my head around is that the Debian model (I know other distributions do this as well but just have to give it some name) is very difficult to scale. We basically need maintainers at every single Linux distribution who will (I imagine) go through all the changesets/diffs and painstakingly build the deployable artifacts for their distributions. I can't imagine a single maintainer being able to maintain more than a dozen or so packages and there is a lot of duplicated effort. The Play Store has about three million apps. I know we want to be able to escalate to a human when necessary but I imagine some automation is necessary.

As I write this, I can see the contradiction in what I am asking for... if the store builds, signs, and distributes binaries using the store's credentials but cannot vouch for the quality of the application. ...

I was just thinking that if the app stores had access to the source code and the build instructions maybe that would help somehow but I didn't think it through.

Everything is standardized and automated. There's no need for human interaction. You can tweak your code if it fails to build. The important thing is that it's easier for Google/Apple to inspect your app if they have the code. (Maybe.)

For example they can simply refuse to release/publish anything if the code looks shit/obfuscated. They can explicitly ask questions about sections of code.

But since probably 99.9+% of "app review" is already automated ... likely there's no point in spending resources on creating a "GitHub clone" for submitting code to the various app stores.

It’s even weirder that Google’s security engineers would sign off on such a design. I am astounded.

The signing keys are more important for the security model of the device than for people to confirm that an apk was actually created by a particular corporation. Every single Android user makes use of the former feature. There are 1B+ Android users. I'd wager that well under 10,000 have ever checked the signature on an apk file themselves.

Most developers will let Google just generate the keys for them.