« Previous | Next » 

Revision 0e64736d

Parent 625bdceb, 527f649f
Child f374fbbe

Added by pserwylo over 3 years ago

Merge branch 'master' into 'master'

security updates for added repos

These commits fix a couple of security issues with adding repos, they should be included in the 0.65 release. Here is the bug report from Adam Pritchard, these issues should be fixed:


But wait, you say? Where's the "EF" at the start? F-Droid actually shows
(and takes) a version of the fingerprint with the first byte (first two
hex) dropped. Bwah?

You can see this with Guardian's fingerprint here:
len('050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE') / 2 *
8 == 248
...But it should be 256.

On purpose?


And it seems like there's a bug in F-Droid. If you enter the fingerprint
when adding the repo, the repo gets flagged with "Unsigned", but if you add
the repo without entering the fingerprint it doesn't.


- Add https://guardianproject.info/repo/ and enter
- Refresh
- It's say "Unsigned" in red text under the repo name
- Delete the repo
- Add it again, but without the fingerprint
- It won't have any red text

This is surely unintended?


  • added
  • modified
  • copied
  • renamed
  • deleted