
security updates for added repos

username-removed-24982 requested to merge eighthave/fdroidclient:master into master

These commits fix a couple of security issues with adding repos; they should be included in the 0.65 release. Here is the bug report from Adam Pritchard; these issues should be fixed:

But wait, you say? Where's the "EF" at the start? F-Droid actually shows (and takes) a version of the fingerprint with the first byte (first two hex) dropped. Bwah?

You can see this with Guardian's fingerprint here: https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/ len('050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE') / 2 * 8 == 248 ...But it should be 256.

On purpose?

And it seems like there's a bug in F-Droid. If you enter the fingerprint when adding the repo, the repo gets flagged with "Unsigned", but if you add the repo without entering the fingerprint it doesn't.

Reproduction:

  • Add https://guardianproject.info/repo/ and enter 050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE
  • Refresh
  • It says "Unsigned" in red text under the repo name
  • Delete the repo
  • Add it again, but without the fingerprint
  • It won't have any red text

This is surely unintended?
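The 248-versus-256-bit observation in the report above describes a fingerprint that is two hex characters (one byte) short. What follows is an added example, not code from the F-Droid client or from this merge request, showing what a strict repo fingerprint check looks like: compute the SHA-256 of the signing certificate's DER bytes as upper-case hex, normalize whatever the user pasted, and reject any value that is not exactly 64 hex characters before comparing, so a silently truncated fingerprint cannot be accepted as a match. The certificate bytes are constructed sample data rather than a real repo certificate, and the function names are hypothetical.

```python
import hashlib
import hmac
import re
from typing import Tuple

# Constructed stand-in for the DER encoding of a repo signing certificate.
# Assumption: sample bytes only, not a real F-Droid or Guardian Project cert.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"sample repo signing cert"

HEX_RE = re.compile(r"^[0-9A-F]+$")


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate DER as upper-case hex: 64 characters, 256 bits."""
    return hashlib.sha256(cert_der).hexdigest().upper()


def normalize_fingerprint(user_input: str) -> str:
    """Drop whitespace and colon separators people commonly paste, then upper-case."""
    return re.sub(r"[\s:]", "", user_input).upper()


def fingerprint_bits(fp: str) -> int:
    """Bit length implied by a hex fingerprint (the report's len(fp) / 2 * 8 check)."""
    return len(fp) // 2 * 8


def check_fingerprint(user_input: str, cert_der: bytes) -> Tuple[bool, str]:
    """
    Validate a user-supplied fingerprint against a certificate.

    Returns (ok, reason). A short fingerprint, e.g. 62 hex chars (248 bits),
    is rejected outright instead of being compared, so a value with its first
    byte dropped can never pass as a match for the full 256-bit fingerprint.
    """
    fp = normalize_fingerprint(user_input)
    if not HEX_RE.match(fp):
        return False, "not hex"
    if len(fp) != 64:
        return False, "expected 256 bits, got %d" % fingerprint_bits(fp)
    expected = cert_fingerprint(cert_der)
    # Constant-time comparison so the check does not leak how many leading
    # characters matched.
    if not hmac.compare_digest(fp, expected):
        return False, "mismatch"
    return True, "match"


if __name__ == "__main__":
    full = cert_fingerprint(SAMPLE_CERT_DER)
    print("full fingerprint:", full, check_fingerprint(full, SAMPLE_CERT_DER))
    print("first byte dropped:", full[2:], check_fingerprint(full[2:], SAMPLE_CERT_DER))
    print("bits in the report's 62-char value:",
          fingerprint_bits("050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE"))
```

Feeding the 62-character value from the report into `fingerprint_bits` gives 248, reproducing the arithmetic in the bug report; `check_fingerprint` refuses it with an explicit length error rather than quietly treating it as the repo's fingerprint.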
