Bug #3336

changing pin fingerprint in fdroid does not trigger any error, warning

Added by hans over 3 years ago. Updated over 3 years ago.

Status: Closed
Start date: 05/02/2014
Priority: Normal
Due date:
Assignee: pd0x
% Done: 0%
Category: -
Target version: improved security/usability
Component:

Description

If I change the fingerprint of the SPKI in `FDroidCertPins.java`, then run the update, this does not cause any error or warning, and FDroid happily updates from https://f-droid.org. That does not seem like the right behavior to me since a pin should represent the sole valid private key for that domain.


Related issues

Related to Bazaar - Task #2896: write tests for F-Droid HTTPS chain verifier (Closed, 01/22/2014)
Related to Bazaar - Task #3309: add relevant HTTPS cert pins to FDroidCertPins (Closed, 04/26/2014)

History

#1 Updated by hans over 3 years ago

  • Status changed from New to Closed

AndroidPinning has been removed from the FDroid app for now until it is more stable. A change in the f-droid.org certificate caused AndroidPinning to mark it as invalid, even though browsers think it is fine. I'm going to close this in favor of moving activity to this bug report:

https://gitlab.com/fdroid/fdroidclient/issues/80
