Fix #254 - regression where TOFU repos were not working.

The code for promoting an untrusted repo with no fingerprint, to a repo with a pubkey and a fingerprint, was still there. The problem was that it was being executed after we verified the index.jar cert against the pubkey stored against the repo (which is empty for TOFU repos).

This change makes it so that if we are updating a repo without a fingerprint, then it is a TOFU request, and we don't try to verify the certificates.

Here are some logcats from this branch to show what happens now:

Adding new repo with correct fingerprint (shouldn't use TOFU, but should store the pubkey that it found in the index.jar, if and only if it matches the supplied fingerprint):

D  Getting signed index from https://guardianproject.info/fdroid/repo/ at 2015-05-14 22:45:06
D  Index has 1 signature(s)
D  No public key for repo https://guardianproject.info/fdroid/repo/ yet, but it does have a fingerprint, so comparing them.
D  Repo fingerprint: B7C2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7A6135
D  Cert fingerprint: B7C2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7A6135
D  Checking repo public key against cert found in jar.
D  Public key found - switching to signed repo for future updates

Updating this repo again (now that it has both a fingerprint and a matching pubkey):

D  Getting signed index from https://guardianproject.info/fdroid/repo/ at 2015-05-14 22:50:47
D  Index has 1 signature(s)
D  Checking repo public key against cert found in jar.

Adding a repo with an incorrect fingerprint:

D  Getting signed index from https://guardianproject.info/fdroid/repo/ at 2015-05-14 22:58:17
D  Index has 1 signature(s)
D  No public key for repo https://guardianproject.info/fdroid/repo/ yet, but it does have a fingerprint, so comparing them.
D  Repo fingerprint: AAA2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7
D  Cert fingerprint: B7C2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7A6135
E  Error updating repository https://guardianproject.info/fdroid/repo/: Index signature mismatch
E  org.fdroid.fdroid.RepoUpdater$UpdateException: Index signature mismatch

Finally, a TOFU request:

D  Getting signed index from https://guardianproject.info/fdroid/repo at 2015-05-14 22:59:49
I  Implicitly trusting the signature of index.jar, because this is a TOFU request
D  Public key found - saving in the database.

... and then the same repo a second time (after storing the pubkey and fingerprint from the index.jar the first time):

D  Getting signed index from https://guardianproject.info/fdroid/repo at 2015-05-14 23:01:31
D  Index has 1 signature(s)
D  Checking repo public key against cert found in jar.

I rest my case.
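
The three cases in the logcats above (stored pubkey, fingerprint only, neither), as an added Java example that is not part of the merge request and not F-Droid's RepoUpdater code. The class, field and method names, the constructed certificate bytes, and the assumption that a fingerprint is the hex SHA-256 of the signing certificate are all illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Added illustration only: class, field and method names are hypothetical,
// not F-Droid's RepoUpdater code.
public class RepoTrustDemo {
    static class Repo { String fingerprint; byte[] pubkey; } // both null: TOFU repo

    // Assumption: a fingerprint is the upper-case hex SHA-256 of the signing cert.
    static String fingerprintOf(byte[] cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert)) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // Decide how to treat the cert that signed index.jar, then pin it on the repo.
    static String checkIndexCert(Repo repo, byte[] cert) throws Exception {
        String certFp = fingerprintOf(cert);
        if (repo.pubkey != null) {            // already pinned: compare with stored key
            if (!Arrays.equals(repo.pubkey, cert)) throw new SecurityException("Index signature mismatch");
            return "checked against stored pubkey";
        }
        if (repo.fingerprint != null) {       // fingerprint supplied, no pubkey yet
            if (!repo.fingerprint.equalsIgnoreCase(certFp)) throw new SecurityException("Index signature mismatch");
            repo.pubkey = cert;               // store only after the fingerprint matched
            return "fingerprint matched, pubkey stored";
        }
        repo.fingerprint = certFp;            // TOFU: nothing stored to compare against,
        repo.pubkey = cert;                   // so this branch must run before any comparison
        return "TOFU, pubkey and fingerprint stored";
    }

    public static void main(String[] args) throws Exception {
        byte[] cert = "constructed-cert-A".getBytes(StandardCharsets.UTF_8);  // constructed sample
        byte[] other = "constructed-cert-B".getBytes(StandardCharsets.UTF_8); // constructed sample
        Repo tofu = new Repo();
        System.out.println(checkIndexCert(tofu, cert)); // first contact
        System.out.println(checkIndexCert(tofu, cert)); // second update, now pinned
        try { checkIndexCert(tofu, other); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        Repo wrong = new Repo();
        wrong.fingerprint = fingerprintOf(other);       // fingerprint that does not match cert
        try { checkIndexCert(wrong, cert); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("pubkey stored after mismatch: " + (wrong.pubkey != null));
    }
}
```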