Path: csiph.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail From: Arno Welzel Newsgroups: comp.mobile.android Subject: Re: Why does open source software include a "signing key"? Date: Fri, 28 Feb 2025 09:01:30 +0100 Lines: 30 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Trace: individual.net 6GNjDQrAweWlyiRrCMBHXwcvbBTS/jOGHLt5U86KaFXokJKEec Cancel-Lock: sha1:H0hQDNTVkSZtG4Xgl/bivmyS8CA= sha256:68WlypciN2nRSZkTVWQxpJ2yy+a2mmUB4ZlgGwZRQ2E= Content-Language: de-DE In-Reply-To: Xref: csiph.com comp.mobile.android:146884 Marion, 2025-02-26 22:36: > I just downloaded the latest version of NewPipe and the download page > provides the hash (which I understand how to use) plus a signing key. > > > The hash is there to verify that the file hasn't been changed, and the > signing key is there to also verify that it came from the developers. > > So it seems that the signing key is there so we can tell if the file has > been modified and also that it was signed by the actual real developers. > No, the idea is to verify the integrity by *Google* when uploading applications to Google Play. In the past this was only done using a private key stored in a local key store. However this has changed over time. Also see: -- Arno Welzel https://arnowelzel.de