Hans-Christoph Steiner  

@IzzyOnDroid I'm saying v1 signatures should not be something that anyone relies on any more. Our current thinking is to remove support for v1-only signatures from AllowedAPKSigningKeys because of the weakness of v1 signatures means we cannot provide good security, so it would only provide a false sense of security. For distributing v1-only signed APKs, I'd recommend verifying them via an alternate method other than certificate pinning.

0
Hans-Christoph Steiner  

@IzzyOnDroid Since you're investing a lot of effort into AllowedAPKSigningKeys, I highly recommend switching the effort to parsing the signing certificate from v2+ signatures, and away from inspecting the deprecated v1 signatures. Apps with targetSdkVersion 30 or higher entirely ignore v1 signatures, so they are gradually disappearing from use.

1
Hans-Christoph Steiner boosted
Mastodon  

Today Mastodon is taking another step towards its founding ideals: independence and non-profit ownership. We're transferring ownership of key assets to a new, European not-for-profit entity, ensuring our mission remains true to a decentralised social web, not corporate control. #MastodonNonProfit

blog.joinmastodon.org/2025/01/

1+
Show more

fdroid

71

debian

39

privacy

15

guardianproject

1

gnu

1
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml