Support for " preferred sig"

Now correctly suggests apps signed by the upstream developer (actually, the signing cert used by the first apk in the metadata for a particular app). Note that it also takes into account the repo priority, so if you have multiple repos with the same apk, signed by a different cert, then it will prefer the one from the repo with the highest priority. This is the repo which is last in the list of repositories.

It includes what I hope are comprehensive tests to cover the behaviour outlined in #1059.

Here is some manual testing steps I've completed also which may be of interest:

• Add http://testy.at.or.at repo.
• Navigate to app details for Orweb.
• See that suggested version of Orweb is v0.6.1. This is due to:
  • First three apks have signature of a0eee... (v0.7.1, v0.7, v0.6.1).
  • Last apk has a sig of 8cc1d... (also v0.7.1).
  • "Preferred" signature is the first (a0eee...).
  • "Suggested version code" is 27, which corresponds to v0.6.1.
• Note also that there are two v0.7.1 available.
• Tap "install" and note that you just installed v0.6.1.
  • Note that there is now only one v0.7.1 available, the other has been excluded due to a mismatched signature.
  • Install the only available v0.7.1.
  • Should install correctly (i.e. it downloaded the apk with correct sig).
  • It still excludes the second v0.7.1 app when viewing the list of versions.
• Uninstall the app
  • Note that all versions now come back.
• Install the suggested version again by tapping "Install".
  • Enable "Unstable updates" in preferences.
  • Note that the "Updates" tab now highlights there is a version to update to.
  • Download and install the suggested update.
  • Note that you now have v0.7.1 installed.
• Enable "Guardian Project" and "Guardian Project Archive" repos.
  • Note that there are now multiple versions visible, some which are duplicates (we should create a separate issue to combine these somehow into "Version 0.6.1, Repository: testy.at.or.at/fdroid/repo and Guardian Project").
• Uninstall your current version:
  • Note that it now also includes the other v0.7.1 from testy.at.or.at/fdroid/repo.
• Install the one signed by 8cc1d (i.e. not the preferred signer).
  • Might require some trial and error to get the correct v0.7.1, because we don't display the signer in the UI (should create an issue for this too, I think we used to do it in expert mode?).
  • (For me it was the first v0.7.1 from testy.at.or.at)
  • Note that it now restricts all versions to only the one single v0.7.1, as all others are signed by a different certificate.
• Uninstall this, disable "unstable updates", and install an old version from GP Archive.
  • Note that "Updates" now displays an update available for "Orweb"
  • Also, the app details screen should show two starred v0.6.1 apks (both should have the exact same has in practice).

unmarked as a Work In Progress

added apksig bazaar labels

changed the description

mentioned in merge request !541 (merged)

changed the description

resolved all discussions

Regarding "we should create a separate issue to combine these somehow into "Version 0.6.1, Repository: testy.at.or.at/fdroid/repo and Guardian Project").", seems OK to have them listed multiple times. Makes things explicit.

Kudos, this is working nicely! I'd merge it, but it has a merge conflict.

changed milestone to %1.0-alpha0

resolved all discussions

merged

Closed, because the merge conflict was trivial, CI passed, and I re-ran my manual tests above and they passed.

mentioned in issue #740 (closed)