Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #146888

Re: Why does open source software include a "signing key"?

From Marion <marion@facts.com>
Newsgroups comp.mobile.android
Subject Re: Why does open source software include a "signing key"?
Date 2025-02-28 19:30 +0000
Organization BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID <vpt2sp$1cfq$1@nnrp.usenet.blueworldhosting.com> (permalink)
References <vpo1h2$2pfr$1@nnrp.usenet.blueworldhosting.com> <vprpg0$3infk$1@dont-email.me>

Show all headers | View raw


On Fri, 28 Feb 2025 08:43:39 +0100, R.Wieser wrote :


>> So it seems that the signing key is there so *we* can tell if the file has 
>> been modified and also that it was signed by the actual real developers.
> 
> (emphasis mine)  No.

I'm confused by that answer, but it may be that Rudy knows more than I do.

I don't know anything about signatures, so it "could" be that Rudy knows
more, but, my research shows that statement above to be true, not false.

Given I don't even have the Google Play Store app APK on my phone, and yet
I install APKs from the Google Play repository all the time, in addition to
installing apps (like <https://newpipe.net/#download>) which have nothing
to do with the Google Play store, that answer doesn't help to explain how
the ecosystem works with respect to signing of apps NOT on the Google Play
Store ecosystem.

Arno kindly brought up the point that there could be two related keys:
a. App signing key
b. Upload key 

However, if we focus on FOSS tools such as NewPipe, which is distributed
outside of the Google Play Store, we can completely disregard the concept
of the "upload key" entirely.

Since NewPipe isn't on the Google Play Store, it doesn't utilize Google
Play App Signing. Therefore, there's no separation of an upload key and an
app signing key as described in Arno's suggested Google Play web cites.

Apparently, instead, NewPipe uses a single signing key to sign its APKs.

As far as I can tell, this key serves both the purpose of verifying the
app's authenticity and ensuring that updates come from the same source.

Why do you (seem to) think otherwise, Rudy?

Back to comp.mobile.android | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:36 +0000
  Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:44 +0000
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 22:36 +0000
  Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 08:43 +0100
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:30 +0000
      Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:46 +0000
        Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 21:42 +0100
  Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-02-28 09:01 +0100
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:19 +0000
      Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 10:00 +0100
        Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 09:54 +0000
          Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:12 +0000
            Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:27 +0000
            Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:44 +0100
        Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:36 +0100
          Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 14:22 +0100
            Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 15:40 +0100
              Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:30 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-06 12:29 +0100
                Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 09:01 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 09:50 +0100
                Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:37 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 14:58 +0100

csiph-web