
verify the authenticity of the downloaded app from github

Open freedom-foundation opened this issue 1 year ago • 1 comments

https://github.com/Kunzisoft/KeePassDX#verify-the-authenticity-of-the-downloaded-app-from-github

Oh and to comment on this while I made you @J-Jamet look at the verification.f-droid.org server. Notice what the verification server does, it actually cuts the signature certificates off then pastes them back on. Because this is demonstrably done checking for a good signature only as you have here https://github.com/Kunzisoft/KeePassDX#verify-the-authenticity-of-the-downloaded-app-from-github does not verify authenticity. All this seems to be doing is verifying the certificate which can have simply been pasted on as you see was done with the f-droid verification server process. In order to verify the authenticity of the app some tool would need to be used to verify signed data. This is essentially the same cryptography process which PGP and GPG use. Not a check for any pasted-on certificate. You need to verify signed data with a trusted key.

freedom-foundation avatar Oct 21 '24 00:10 freedom-foundation

I'll say it again, if you don't want to use the application I generate locally and sign with my certificate because you don't trust me, you can use your own compiler that you can install on servers if you want. ~~The procedure in the Readme ensures that the APKs generated and uploaded to the Github repository have been built and signed by my certificates.~~

If you want to use F-Droid's multiserver build and verification tools, you can, it's just another method.

I don't know what you mean by "the certificate which can have simply been pasted" and "not check for any pasted on certificate", a certificate intrinsically works in the same way as an encryption system with public and private keys. I give the public keys that prove that I'm the one who built the applications, that's all.

> In order to verify the authenticity of the app some tool would need to be used to verify signed data

~~Yes Keytool, it's in the terminal command. Then for each build, I make a hash of the generated APK so you can check the integrity of the file.~~

J-Jamet avatar Oct 21 '24 06:10 J-Jamet

What I mean is just what I say. The demonstration is all spelled out for you here https://f-droid.org/docs/Reproducible_Builds/#reproducible-signatures you have to read the page. What you will see is that it is quite possible to cut an embedded key out and simply paste it into an unsigned APK. Your keytool instructions only print the signature fingerprint which may have been simply slapped onto any APK. This is what I am telling you with the title that your process means nothing. You would have to take the next step and do the equivalent of GPG "verify signed data".

I've read the article and what it says is that the signature is extracted and copied back into the unsigned APK which corresponds to the same sources of the first APK. If the two APKs are then identical, then the sources have not been modified. This doesn't mean you can extract the signature and paste it into any other APK to certify it.

Tools to do that: https://github.com/obfusk/apksigcopier https://developer.android.com/tools/apksigner

To check that the APK is well signed, use this type of command:

```
apksigner verify --verbose --print-certs KeePassDX-4.0.8-libre.apk
```

You will see "Verified using v2 scheme (APK Signature Scheme v2): true", I'll update the APK signature scheme which is still in v2 and the Readme.

Here, if you want to use the same F-Droid method with the APKs I deploy on github, you have to rebuild from source, extract my certificate and reimplement it in your built APK. (But you'll probably run into problems explained here: https://f-droid.org/docs/Reproducible_Builds/#potential-sources-of-unreproducible-builds)

[And please, write only one answer]

J-Jamet avatar Oct 22 '24 13:10 J-Jamet
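The difference the thread turns on is that `keytool -printcert` only prints whatever certificate is embedded in the APK, while `apksigner verify` checks the signature over the APK contents. As an added example (not from this thread or the KeePassDX project), the script below wraps `apksigner verify --verbose --print-certs`, requires a v2/v3 verification result and a single signer, and pins the signer certificate's SHA-256 to a known value; the pinned fingerprint and the sample report are constructed placeholders, not the real KeePassDX values.

```sh
#!/bin/sh
# Added example, not KeePassDX project code. PINNED_SHA256 is a PLACEHOLDER:
# replace it with the fingerprint published by the project you are checking.
PINNED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# check_apksigner_report REPORT PINNED_FINGERPRINT
# REPORT is the text printed by `apksigner verify --verbose --print-certs`.
# Succeeds only if the signature verified over the APK contents with a modern
# scheme (v2/v3), there is exactly one signer, and its cert SHA-256 is pinned.
check_apksigner_report() {
    report=$1
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # "Verifies" is only printed when the signature covers the APK contents;
    # a certificate merely copied into an unsigned APK does not get here.
    printf '%s\n' "$report" | grep -qx 'Verifies' || return 1

    # v1 (JAR) signing alone is the weakest scheme; insist on v2 or v3.
    printf '%s\n' "$report" \
        | grep -Eq '^Verified using v(2|3|3\.1) scheme .*: true$' || return 2

    # One signer only: an extra, unexpected signer must not pass.
    printf '%s\n' "$report" | grep -qx 'Number of signers: 1' || return 3

    # Compare the signer certificate SHA-256 against the pinned value.
    digest=$(printf '%s\n' "$report" \
        | sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f')
    [ -n "$digest" ] && [ "$digest" = "$pinned" ] || return 4
    return 0
}

# verify_apk APK_PATH: runs apksigner (must be on PATH) and applies the checks.
verify_apk() {
    report=$(apksigner verify --verbose --print-certs "$1") || return 1
    check_apksigner_report "$report" "$PINNED_SHA256"
}

# Constructed sample report in apksigner's output format (not real output).
SAMPLE_GOOD="Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=placeholder
Signer #1 certificate SHA-256 digest: $PINNED_SHA256"
```

Run `verify_apk KeePassDX-4.0.8-libre.apk` with the real fingerprint pinned; a non-zero exit code means either the signature did not verify or the signer is not the one you expected.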

I understand better what you mean now, it's simply the KeyTool command to be replaced by ApkSigner. But it wasn't obvious for this ticket, you start by pointing out that F-Droid cuts certificates for its APK validation method and then you talk about PGP.

If you had simply said that the Keytool command doesn't check the APK, but only the certificate signature, which could be copied into any APK. That would have sufficed.

The section of the Readme that uses the command comes from an external Pull Request. And I thought it was good to add this simple check to find out which certificate is affixed to the APK, I didn't go any further, there was nothing before.

If the documentation is not suitable, one solution was also to open a Pull Request that updates the documentation directly. If I have to guess what users are thinking, I'm not done yet.

J-Jamet avatar Oct 23 '24 18:10 J-Jamet

Why not ApkSigner? What do you endorse then? It's an Android project, it's the right tool for me, the one I usually use and in the official doc. So please explain I can't guess what you're thinking.

> I mean what I say.

You've said that several times. But the aim is to understand each other, just be concise and point out what's technically wrong without interpreting it. I didn't understand the purpose of this issue, you put the link to the Readme and started talking about F-Droid.

> I did say something to that effect.

~~You didn't even mention "Keytool" anywhere.~~ I reread, indeed you indicated, my bad. I just didn't understand this issue.

> You took a bad pull.

Indeed, I had to either change the title or change the command. I just didn't pay attention because it's a doc.

> You show a lack of cryptography knowledge, therefore it is a wonder why you are the developer of this cryptography-intensive app KeePassDX.

What is the purpose of this remark? How did you measure my level in cryptography with a few exchanges? Is it to support a documentation error in order to denigrate the knowledge and entire work carried out? Is it to demotivate me? I'm doing this project in my spare time, so if there are any mistakes, I'll correct them, learn, and be done with it.

But above all, I expect kind and concise exchanges, you go off in different directions to explain simple things. If we can learn from each other, then that's beneficial, but let's keep it technical, not personal. Thank you.

J-Jamet avatar Oct 24 '24 09:10 J-Jamet

The Readme section has been deleted manually. I'll rewrite it when I have time.

J-Jamet avatar Oct 24 '24 09:10 J-Jamet

The new procedure with apksigner is online.

J-Jamet avatar Nov 18 '24 11:11 J-Jamet

https://android.googlesource.com/platform/tools/apksig/

J-Jamet avatar Nov 18 '24 11:11 J-Jamet