Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #146887
| From | Marion <marion@facts.com> |
|---|---|
| Newsgroups | comp.mobile.android |
| Subject | Re: Why does open source software include a "signing key"? |
| Date | 2025-02-28 19:19 +0000 |
| Organization | BWH Usenet Archive (https://usenet.blueworldhosting.com) |
| Message-ID | <vpt27q$2mns$1@nnrp.usenet.blueworldhosting.com> (permalink) |
| References | <vpo1h2$2pfr$1@nnrp.usenet.blueworldhosting.com> <m2d8qqFo6b0U1@mid.individual.net> |
On Fri, 28 Feb 2025 09:01:30 +0100, Arno Welzel wrote : >> So it seems that the signing key is there so we can tell if the file has >> been modified and also that it was signed by the actual real developers. >> <https://archive.newpipe.net/fdroid/repo/NewPipe_v0.27.6.apk> > > No, the idea is to verify the integrity by *Google* when uploading > applications to Google Play. > > In the past this was only done using a private key stored in a local key > store. However this has changed over time. > > Also see: > > <https://support.google.com/googleplay/android-developer/answer/9842756?hl=en> > > <https://ashuvssut.hashnode.dev/android-app-signing> Thank you for trying to help us all better understand app APK signing. It's confusing to me, but I don't doubt the facts you kindly provided. a. App signing key b. Upload key From your references, there seems to be a distinction between the "app signing key" (managed by Google) and the "upload key" (managed by the developer) where what seems different are the roles of the app signing key (for device installation) & for the upload key (for Google Play uploads). Remember what brought this issue to the fore was NewPipe's signing key. <https://newpipe.net/#download> "Signing key (SHA256 fingerprint): CB:84:06:9B:D6:81:16:BA:FA:E5:EE:4E:E5:B0:8A:56:7A:A6:D8:98:40:4E:7C:B1:2F:9E:75:6D:F5:CF:5C:AB" NewPipe, as you're well aware, has nothing whatsoever to do with the Google Play Store repository - as it's an Apple that directly replaces YouTube. So it's confusing to me that you say the idea is to "verify the integrity by *Google*", but maybe you meant to verify the integrity by *Android*? Digging deeper, I found out that Android's security model inherently requires APKs to be signed regardless of the distribution channel. Apparently, even if an app isn't on Google Play, it still needs to be signed for an Android device to install it. Does that seem right to you? Note: I need to do more research as this is all confusing to me when it comes to how open source apps work, since I don't even have Google Play Store on my non-rootable Android 13 phone.
Back to comp.mobile.android | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:36 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:44 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 22:36 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 08:43 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:30 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:46 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 21:42 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-02-28 09:01 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:19 +0000
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 10:00 +0100
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 09:54 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:12 +0000
Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:27 +0000
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:44 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:36 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 14:22 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 15:40 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:30 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-06 12:29 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 09:01 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 09:50 +0100
Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:37 +0100
Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 14:58 +0100
csiph-web