How are the Play Store and F-Droid packages carrying the same signatures? #9288

Closed
xcpn opened this issue Oct 31, 2024 · 2 comments

Comments

@xcpn

xcpn commented Oct 31, 2024

I installed Electrum via Play Store a long time ago. A couple days ago Electrum showed up in the list of available updates on F-Droid and I thought it was an error or something, so I left it alone.

Today I saw it again and went to the Play Store updates section to see if there's an update for Electrum there, but there wasn't. Tapped on update via F-Droid expecting to get an error due to different signatures but to my surprise Electrum updated successfully.

I thought all packages published on F-Droid are signed by F-Droid themselves and since Play Store has different signatures it wouldn't be possible to simply update via F-Droid while the package is already installed via Play Store.

Am I missing something?

@SomberNight
Member

I thought all packages published on F-Droid are signed by F-Droid themselves and since Play Store has different signatures it wouldn't be possible to simply update via F-Droid while the package is already installed via Play Store.

F-Droid has support for reproducible builds: if the fdroid buildserver can reproduce the upstream apk, there is an option for the buildserver to simply copy the upstream developer's signature instead of signing it with an fdroid-specific key.

See
https://f-droid.org/docs/Reproducible_Builds/
https://f-droid.org/2023/01/15/towards-a-reproducible-fdroid.html

We are using this option (see build script) and so the apk hosted by F-Droid is signed by a key owned by the Electrum project. This is the same key that we use to sign the apk hosted on the website.


Also relevantly, Google Play allows apks to be signed by the upstream developer, at least for now, for old apps. Luckily Electrum was first published to the play store before they made "Play App Signing" mandatory (that is, started requiring developers to hand over their private keys to Google) so it is old enough. Hence, we are gracefully allowed not to give our private key to them and have them sign it, but to have a key of our own.


As a consequence, the F-Droid apk, the Google Play apk, and the website apk, are all signed by the same key that only the project has, and so users can conveniently switch between stores and install an upgrade from any of these sources.
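
The reply above rests on one property Android enforces: an update is only installed over an existing package when the new APK is signed by the same certificate(s). The following is an added example, not code from the Electrum project or from this thread, showing how to pull the signing-certificate SHA-256 fingerprints out of an APK's v2/v3 APK Signing Block and compare them across APKs downloaded from different stores. It only extracts and hashes the embedded certificates; it does not verify the signatures (use `apksigner verify --print-certs` for that). The `build_test_apk` helper, the certificate bytes and the "store" names are constructed for the demonstration and are not real Electrum artifacts.

```python
"""Compare APK signing-certificate fingerprints across download sources.

Parses the APK Signing Block (v2 id 0x7109871a, v3 id 0xf05368c0) that sits
immediately before the zip central directory, hashes each embedded X.509
DER certificate, and checks that every APK carries the same signer set.
Added example; signatures are NOT verified here.
"""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
EOCD_SIG = b"\x50\x4b\x05\x06"


def _find_eocd(data):
    # EOCD is 22 bytes plus an optional comment (<= 65535 bytes); scan backwards.
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("not a zip: no end-of-central-directory record")
    return idx


def _len_prefixed_items(buf):
    # Yield each item of a sequence of uint32-length-prefixed items.
    pos = 0
    while pos < len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        yield buf[pos:pos + n]
        pos += n


def signing_cert_fingerprints(apk_bytes):
    """SHA-256 hex fingerprints of every certificate in the v2/v3 signing blocks.
    Returns an empty set for an APK with no APK Signing Block."""
    eocd = _find_eocd(apk_bytes)
    (cd_offset,) = struct.unpack_from("<I", apk_bytes, eocd + 16)
    # Block layout: uint64 size_of_block | id-value pairs | uint64 size_of_block | magic
    if apk_bytes[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return set()
    (size_of_block,) = struct.unpack_from("<Q", apk_bytes, cd_offset - 24)
    pos = cd_offset - size_of_block  # first pair: right after the leading size field
    pairs_end = cd_offset - 24
    fps = set()
    while pos < pairs_end:
        (pair_len, block_id) = struct.unpack_from("<QI", apk_bytes, pos)
        value = apk_bytes[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
        if block_id not in (V2_BLOCK_ID, V3_BLOCK_ID):
            continue
        (signers_len,) = struct.unpack_from("<I", value, 0)
        for signer in _len_prefixed_items(value[4:4 + signers_len]):
            # In both v2 and v3 the signer starts with length-prefixed signed data,
            # whose first two fields are digests and certificates. Later fields
            # differ between versions (v3 adds min/max SDK), so stop after certs.
            (sd_len,) = struct.unpack_from("<I", signer, 0)
            signed_data = signer[4:4 + sd_len]
            (dig_len,) = struct.unpack_from("<I", signed_data, 0)
            cert_pos = 4 + dig_len
            (certs_len,) = struct.unpack_from("<I", signed_data, cert_pos)
            certs = signed_data[cert_pos + 4:cert_pos + 4 + certs_len]
            for cert_der in _len_prefixed_items(certs):
                fps.add(hashlib.sha256(cert_der).hexdigest())
    return fps


def same_signer(*apks):
    """True iff every APK carries the same, non-empty set of signing certs: the
    condition the package manager checks before letting one source update a
    package installed from another (ignoring v3 key-rotation lineage)."""
    sets = [signing_cert_fingerprints(a) for a in apks]
    return bool(sets[0]) and all(s == sets[0] for s in sets)


def _u32(b):
    return struct.pack("<I", len(b)) + b


def build_test_apk(cert_der, block_id=V2_BLOCK_ID):
    """Constructed test fixture: a minimal zip with an APK Signing Block carrying
    cert_der (dummy digests/signatures, so the parser runs but nothing verifies).
    With cert_der=None, return a plain unsigned zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
    data = buf.getvalue()
    if cert_der is None:
        return data
    eocd = _find_eocd(data)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    if block_id == V3_BLOCK_ID:
        sdk = struct.pack("<II", 28, 0x7FFFFFFF)  # minSDK, maxSDK
        signed_data = _u32(b"") + _u32(_u32(cert_der)) + sdk + _u32(b"")
        signer = _u32(signed_data) + sdk + _u32(b"") + _u32(b"dummy-pubkey")
    else:
        signed_data = _u32(b"") + _u32(_u32(cert_der)) + _u32(b"")
        signer = _u32(signed_data) + _u32(b"") + _u32(b"dummy-pubkey")
    value = _u32(_u32(signer))
    pair = struct.pack("<QI", 4 + len(value), block_id) + value
    size_of_block = len(pair) + 8 + 16  # pairs + trailing size field + magic
    sig_block = (struct.pack("<Q", size_of_block) + pair
                 + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)
    # Splice the block in before the central directory and fix the EOCD's CD offset.
    out = bytearray(data[:cd_offset] + sig_block + data[cd_offset:])
    struct.pack_into("<I", out, eocd + len(sig_block) + 16, cd_offset + len(sig_block))
    return bytes(out)


if __name__ == "__main__":
    # Constructed "certificates"; real ones are X.509 DER, we only hash them.
    project_key, other_key = b"constructed-cert-project", b"constructed-cert-other"
    stores = {"fdroid": build_test_apk(project_key),
              "play": build_test_apk(project_key, V3_BLOCK_ID),
              "website": build_test_apk(project_key)}
    for name, apk in stores.items():
        print(name, sorted(signing_cert_fingerprints(apk)))
    print("same signer across stores:", same_signer(*stores.values()))
    print("vs. a differently keyed build:", same_signer(stores["fdroid"], build_test_apk(other_key)))
```

On a real device, `pm path <package>` followed by `apksigner verify --print-certs` on the pulled APK gives the installed signer; the script above does the equivalent comparison offline once you have the APKs from each source.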

@xcpn
Author

xcpn commented Nov 1, 2024

Thank you for the info @SomberNight, was not aware of this option. Excellent explanation!

@xcpn xcpn closed this as completed Nov 2, 2024