If you run a binary repo using fdroidserver and plan to update to the latest code, make sure to first study https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1466 and https://gitlab.com/fdroid/fdroidserver/-/issues/1128 In short, despite of multiple warnings, changes were applied which will reject several legit and absolutely fine APKs, e.g. such using key rotation. You will no longer be able to keep those in your repo once you've updated fdroidserver to that. Cases might be few, so you might be affected or not, but please check to make sure.
Follow
@IzzyOnDroid in the F-Droid dev collection of roughly 260,000 APKs, both proper apps and malware, I have not found any that matches those conditions. If anyone knows of any, please post out!
@eighthave We've pointed out everything in the discussions. Just take an APK with key rotation, for example. And there are APKs in the apksig test suite for which get_jar_signer_certificate() fails. It should be easy to create an APK for which this code fails, as shown by the apksigner source code we linked.
Apart from that, as pointed out in the discussion, I'm not the expert here but just the messenger. And from that I've withdrawn, sorry. Can't anymore.