Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #146889

Re: Why does open source software include a "signing key"?

From Marion <marion@facts.com>
Newsgroups comp.mobile.android
Subject Re: Why does open source software include a "signing key"?
Date 2025-02-28 19:46 +0000
Organization BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID <vpt3qo$1tta$1@nnrp.usenet.blueworldhosting.com> (permalink)
References <vpo1h2$2pfr$1@nnrp.usenet.blueworldhosting.com> <vprpg0$3infk$1@dont-email.me> <vpt2sp$1cfq$1@nnrp.usenet.blueworldhosting.com>

Show all headers | View raw


On Fri, 28 Feb 2025 19:30:34 -0000 (UTC), Marion wrote :


> Apparently, instead, NewPipe uses a single signing key to sign its APKs.
> As far as I can tell, this key serves both the purpose of verifying the
> app's authenticity and ensuring that updates come from the same source.

Oh, I think I know what Rudy was trying to say, which is the "we" should be
changed to "Android", in that this signature key is for Android, not us.

Newpipe uses a self signed certificate. 
This is why the SHA256 hash is so important.
Android can verify self-signed certificates, as long as the signature
matches the APK contents.

Digging deeper into how *Android* handles NewPipe's app signature key, 
it seems the vast majority of attempts to modify an APK will invalidate the
signature, which Android will notice & therefore Android won't install it.

But apparently there is still a "we" involved (in addition to Android).

The part about "we" is the SHA256 fingerprint is apparently an extra level
of protection. It allows the end user to verify that the downloaded file is
the exact same file that the developer produced. If the end user checks the
SHA256, then the end user can know that the file has not been modified.

To summarize, NewPipe provides both a signing key fingerprint (SHA256) and
a signature (which "we" don't directly see as a separate file, but is
embedded in the APK & which is what Android looks at to validate the APK).

It seems, from my research, that Android uses the NewPipe developers'
public key (which is also embedded in the app APK certificate, apparently)
to decrypt the signature inside the APK and compare it to a newly generated
hash of the APK. If the hashes match, the sig is valid.

Thanks for keying me into these important distinctions on how Android works 
(where FOSS apps typically are not found on the Google Play Store repos).

Back to comp.mobile.android | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:36 +0000
  Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 21:44 +0000
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-26 22:36 +0000
  Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 08:43 +0100
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:30 +0000
      Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:46 +0000
        Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-02-28 21:42 +0100
  Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-02-28 09:01 +0100
    Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-02-28 19:19 +0000
      Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 10:00 +0100
        Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 09:54 +0000
          Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:12 +0000
            Re: Why does open source software include a "signing key"? Marion <marion@facts.com> - 2025-03-01 10:27 +0000
            Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:44 +0100
        Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 11:36 +0100
          Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-01 14:22 +0100
            Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-01 15:40 +0100
              Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:30 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-06 12:29 +0100
                Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 09:01 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 09:50 +0100
                Re: Why does open source software include a "signing key"? Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:37 +0100
                Re: Why does open source software include a "signing key"? "R.Wieser" <address@is.invalid> - 2025-03-07 14:58 +0100

csiph-web