Support for "preferred sig"

Now correctly suggests apps signed by the upstream developer (actually, the signing cert used by the first apk in the metadata for a particular app). Note that it also takes into account the repo priority, so if you have multiple repos with the same apk, signed by a different cert, then it will prefer the one from the repo with the highest priority. This is the repo which is last in the list of repositories.

It includes what I hope are comprehensive tests to cover the behaviour outlined in #1059.

Here are some manual testing steps I've also completed, which may be of interest:

  • Add http://testy.at.or.at repo.
  • Navigate to app details for Orweb.
  • See that suggested version of Orweb is v0.6.1. This is due to:
    • First three apks have signature of a0eee... (v0.7.1, v0.7, v0.6.1).
    • Last apk has a sig of 8cc1d... (also v0.7.1).
    • "Preferred" signature is the first (a0eee...).
    • "Suggested version code" is 27, which corresponds to v0.6.1.
  • Note also that there are two v0.7.1 available.
  • Tap "install" and note that you just installed v0.6.1.
    • Note that there is now only one v0.7.1 available, the other has been excluded due to a mismatched signature.
    • Install the only available v0.7.1.
    • Should install correctly (i.e. it downloaded the apk with correct sig).
    • It still excludes the second v0.7.1 app when viewing the list of versions.
  • Uninstall the app.
    • Note that all versions now come back.
  • Install the suggested version again by tapping "Install".
    • Enable "Unstable updates" in preferences.
    • Note that the "Updates" tab now highlights there is a version to update to.
    • Download and install the suggested update.
    • Note that you now have v0.7.1 installed.
  • Enable "Guardian Project" and "Guardian Project Archive" repos.
    • Note that there are now multiple versions visible, some of which are duplicates (we should create a separate issue to combine these somehow into "Version 0.6.1, Repository: testy.at.or.at/fdroid/repo and Guardian Project").
  • Uninstall your current version:
    • Note that it now also includes the other v0.7.1 from testy.at.or.at/fdroid/repo.
  • Install the one signed by 8cc1d (i.e. not the preferred signer).
    • Might require some trial and error to get the correct v0.7.1, because we don't display the signer in the UI (should create an issue for this too, I think we used to do it in expert mode?).
    • (For me it was the first v0.7.1 from testy.at.or.at)
    • Note that it now restricts all versions to only the one single v0.7.1, as all others are signed by a different certificate.
  • Uninstall this, disable "unstable updates", and install an old version from GP Archive.
    • Note that "Updates" now displays an update available for "Orweb"
    • Also, the app details screen should show two starred v0.6.1 apks (both should have the exact same hash in practice).
Edited by username-removed-24982
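
The selection rules described above, replayed on the Orweb walkthrough as an added example (a simplified Python model, not code from this merge request or from F-Droid). The `Apk` class, the function names, the integer repo priorities and every version code other than 27 are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Apk:
    version_name: str
    version_code: int
    sig: str                # signing-cert fingerprint, truncated as in the description
    repo_priority: int = 1  # assumption: larger number = higher-priority repo


# Constructed metadata for Orweb in index order. Only version code 27 (v0.6.1)
# comes from the description; 28 and 29 are made-up values.
ORWEB = [
    Apk("0.7.1", 29, "a0eee"),
    Apk("0.7", 28, "a0eee"),
    Apk("0.6.1", 27, "a0eee"),
    Apk("0.7.1", 29, "8cc1d"),
]
SUGGESTED_VERSION_CODE = 27


def preferred_sig(apks):
    """Signer of the first apk listed by the highest-priority repo."""
    top = max(a.repo_priority for a in apks)
    return next(a.sig for a in apks if a.repo_priority == top)


def visible_versions(apks, installed_sig=None):
    """Once an app is installed, apks from any other signer are excluded."""
    if installed_sig is None:
        return list(apks)
    return [a for a in apks if a.sig == installed_sig]


def suggested_apk(apks, suggested_code, installed_sig=None, unstable=False):
    """Newest apk from the trusted signer, capped at the suggested version
    code unless unstable updates are enabled (modelling assumption)."""
    signer = installed_sig or preferred_sig(apks)
    pool = [a for a in apks
            if a.sig == signer and (unstable or a.version_code <= suggested_code)]
    return max(pool, key=lambda a: a.version_code, default=None)
```

The installed signer always overrides the preferred one, which is why installing the `8cc1d` build narrows the list to a single version.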