by remram 1876 days ago
It's just a little bit weird that Google designed the Play Store and Android with key signing if they then have to ask for those keys. They control the OS and the store, couldn't they just make devices trust Google's app-repackaging-service's key? This would be easier for everyone, and more honest for the consumer user who gets packages signed by whoever actually built it.

This solution is backwards compatible. Changing the installation verification process is not.
Why? They control the Play app itself anyway. Isn't verification done by the privileged "Google Play Services" special background service? Which is basically the userspace, which is where Google pushes security updates (because carriers and phone makers don't).
Signatures are verified at the OS level, outside the Play Store. Even if you sideload apps, signatures are checked for consistency.
I'm not suggesting we remove signing, just that Google use their own signing key for apps they build.
That won't work. For Google to take over the signing of existing apps they need the existing keys.
I see, so the limitation is that app updates have to keep using the same key, and that's enforced by the OS? Couldn't the Play Store uninstall then reinstall in that situation, to update to the new key?
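The rule the comments above are circling is the installer's same-signer check. The following is an added example, not code from the thread or from AOSP: a small Python model of that check in which certificates are constructed placeholder byte strings and the "install" only compares signer fingerprints (a real installer also verifies the signature over the archive contents and checks a good deal more). It walks through the cases discussed: a developer-key update, a Google-key update of the same package, a sideloaded build, and the "uninstall then reinstall" workaround.

```python
"""Model of Android's same-signer rule for package updates.

Added example, not AOSP code. Certificates are constructed placeholder bytes
and only the signer fingerprint is compared; signature verification over the
APK contents is out of scope here.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Result strings mirror PackageManager's install return codes.
INSTALL_SUCCEEDED = "INSTALL_SUCCEEDED"
INSTALL_FAILED_UPDATE_INCOMPATIBLE = "INSTALL_FAILED_UPDATE_INCOMPATIBLE"
INSTALL_FAILED_VERSION_DOWNGRADE = "INSTALL_FAILED_VERSION_DOWNGRADE"

# Constructed stand-ins for DER-encoded signing certificates.
DEV_CERT = b"DER:developer-release-cert"
GOOGLE_CERT = b"DER:google-play-app-signing-cert"


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 of the certificate: the fingerprint the OS records and compares."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class Apk:
    package: str
    version_code: int
    signer_cert: bytes


@dataclass
class PackageManager:
    # package name -> (versionCode, signer fingerprint)
    installed: Dict[str, Tuple[int, str]] = field(default_factory=dict)
    # package name -> contents of the app's private data directory
    app_data: Dict[str, bytes] = field(default_factory=dict)

    def install(self, apk: Apk, source: str = "play") -> str:
        """Install or update a package. `source` is informational only:
        the same check runs for the store and for a sideloaded APK."""
        entry = self.installed.get(apk.package)
        if entry is not None:
            installed_version, installed_signer = entry
            # Same-signer rule: an update must be signed with the certificate
            # already recorded for this package, whoever ships it.
            if installed_signer != cert_digest(apk.signer_cert):
                return INSTALL_FAILED_UPDATE_INCOMPATIBLE
            if apk.version_code < installed_version:
                return INSTALL_FAILED_VERSION_DOWNGRADE
        self.installed[apk.package] = (apk.version_code, cert_digest(apk.signer_cert))
        self.app_data.setdefault(apk.package, b"")
        return INSTALL_SUCCEEDED

    def uninstall(self, package: str) -> None:
        """Removing a package also removes its private data directory."""
        self.installed.pop(package, None)
        self.app_data.pop(package, None)


def demo() -> Dict[str, str]:
    """Run the scenarios from the discussion and return each outcome."""
    pm = PackageManager()
    pkg = "com.example.app"
    out: Dict[str, str] = {}
    out["first_install_dev_key"] = pm.install(Apk(pkg, 1, DEV_CERT))
    pm.app_data[pkg] = b"user settings"
    out["update_dev_key"] = pm.install(Apk(pkg, 2, DEV_CERT))
    # Google rebuilds v3 and signs it with its own key: the OS rejects it.
    out["update_google_key"] = pm.install(Apk(pkg, 3, GOOGLE_CERT))
    # A sideloaded developer-signed build passes the identical check.
    out["sideload_dev_key"] = pm.install(Apk(pkg, 3, DEV_CERT), source="adb")
    # "Uninstall then reinstall" does let the signer change...
    pm.uninstall(pkg)
    out["reinstall_google_key"] = pm.install(Apk(pkg, 4, GOOGLE_CERT))
    # ...but the app's data did not survive the uninstall.
    out["data_after_reinstall"] = pm.app_data[pkg].decode()
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model makes the trade-off concrete: the check is keyed on the signer fingerprint stored at first install, it does not care whether the APK came from the store or from adb, and the only way past it is uninstalling, which wipes the app's private data, so it is not a transparent migration path for existing users. (Later Android releases added a signed key-rotation lineage in APK Signature Scheme v3, which this model deliberately omits.)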
So Google’s inability to update Android causes them to compromise on its security?
Google imposing their own root keys on every device seems like a much much bigger overreach than wanting to repackage apps in their store.
Is it? They control the store, which can install apps remotely, and most developers are handing them their private keys for convenience. You also have to trust that Google gave you the right one every time you install a new app.

What is the practical advantage of having apps signed by long-lived keys that were handed to Google without your knowledge over a Google key bundled with the store?

Either way, you keep the same option of installing an alternate store like F-Droid or downloading APKs if you don't trust Google.