
OpenPGP for application developers

Posted Dec 15, 2023 16:31 UTC (Fri) by LtWorf (subscriber, #124958)
In reply to: OpenPGP for application developers by mjg59
Parent article: OpenPGP for application developers

How can a single person guarantee that the .apk I get from the store is the same as the .apk you get from the store?

An apk that we can't verify because it isn't the same as the one the nerds get from the signal website or compile themselves.


OpenPGP for application developers

Posted Dec 18, 2023 1:16 UTC (Mon) by mathstuf (subscriber, #69389)

Signal signs them with its own key. It is TOFU-based trust though, so Google can do one of:

- send a bogus binary on first install and provide self-signed binaries into the future (I believe `adb` can do this, but so can the Android API[1]…though also subject to bogus Google deployments); or
- send an older Signal-signed binary with a known vulnerability that can be used.

[1] https://stackoverflow.com/a/38558640


Copyright © 2025, Eklektix, Inc.