when fdroid client prompts user that signing key doesn't match, give user actions
|Target version:||implement swap UI|
When FDroid client finds that an update has a different signing key, like when FDroid is trying to update an APK installed via Google Play, it should walk the user through actions they can take, like ignoring future updates. Ideally, it would be able to check the signature from the Google Play APK to provide better context to the user for decision making. maybe https://androidobservatory.org or something like that can provide info like that.
#1 Updated by daithib8 almost 4 years ago
The approach would be different depending on whether the update is from the same repo than when it is from some other well-established repo and again than when the original or update is from a local ephemeral repo.
Considering the latter: Do you want to grab updates from an ephemeral repo while you have the chance, given that it could be the last update you'll see? Maybe. Generally, a sensible approach would be to recommend the one with the highest version code that is less than the current version code of that repo. This isn't <i>always</i> reliable: developers tend to use version codes with very small orders which makes it tricky to slip updates in between, so the version code scheme is sometimes tweaked by kangers (see Vercode Operation in F-Droid metadata). By rights, the package name should always be changed when this happens and could make sense to recommend this more firmly in the f-droid manual. Once this is agreed you would need to some intelligence as to the status of the repo using the current signature: if it's likely to get an update within the next few days, there's no point in having the user uninstall an app.
Now if only Android would do like my OpenSUSE box and change vendor of the packages unexpectedly every time I do a distribution upgrade, then I would be half as annoyed as when Android says "Not installed", after I give it an APK with a different signature ;-).
#3 Updated by hans over 3 years ago
Some discussion here: