Protect against:
The fdroid client (presently) only checks one signature on the index.jar. When you first configure the repo, if the client finds a pubkey attribute on the repo element of index.xml, it caches that value and on every later update compares it against the signature on the index.jar. It doesn't care how many signatures there are, as long as the one specified in the index.xml at repo-install time is among them. There isn't any support for more than one pubkey attribute in the XML.
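As an added illustration (not F-Droid's own code), here is a Python model of that trust-on-first-use check: the pubkey attribute seen when the repo is added is cached, and later index.jar updates pass only if that cached key is among the jar's signers, with the pubkey attribute of any later index.xml ignored. The sample index.xml documents and the certificate bytes are constructed assumptions, and extracting the signer certificates from the jar's META-INF signature block is assumed to be done by a real JAR verifier.

```python
import hashlib
import xml.etree.ElementTree as ET


def repo_pubkey(index_xml: bytes) -> str:
    """Return the hex-encoded signing certificate from the <repo> element of index.xml."""
    root = ET.fromstring(index_xml)
    repo = root.find("repo")
    pubkey = repo.get("pubkey") if repo is not None else None
    if not pubkey:
        raise ValueError("index.xml carries no pubkey attribute on <repo>")
    return pubkey.lower()


def cert_fingerprint(cert_der_hex: str) -> str:
    """SHA-256 over the DER certificate bytes: the value the client pins and compares."""
    return hashlib.sha256(bytes.fromhex(cert_der_hex)).hexdigest()


class PinnedRepo:
    """Trust-on-first-use: the pubkey seen at repo install is cached and reused for every update."""

    def __init__(self, install_index_xml: bytes):
        self.pinned = cert_fingerprint(repo_pubkey(install_index_xml))

    def verify_update(self, new_index_xml: bytes, jar_signer_certs_hex: list) -> bool:
        # The fresh index.xml is parsed for its content, but its pubkey attribute is
        # deliberately ignored: only the cached pin decides, so a repo that swaps the
        # attribute later is rejected until the user re-adds it.
        ET.fromstring(new_index_xml)
        signers = {cert_fingerprint(c) for c in jar_signer_certs_hex}
        # Any number of extra signers is tolerated as long as the pinned one is present.
        return self.pinned in signers


# Constructed sample data (not real certificates): hex "DER" blobs and two index.xml files.
CERT_BOB = "3082" + "ab" * 8
CERT_MALLORY = "3082" + "cd" * 8
INDEX_BOB = f'<fdroid><repo name="Bob" pubkey="{CERT_BOB}"/></fdroid>'.encode()
INDEX_MALLORY = f'<fdroid><repo name="Bob" pubkey="{CERT_MALLORY}"/></fdroid>'.encode()


def demo() -> tuple:
    """Exercise the three cases the text describes: same signer, extra signers, swapped key."""
    repo = PinnedRepo(INDEX_BOB)
    same = repo.verify_update(INDEX_BOB, [CERT_BOB])
    extra = repo.verify_update(INDEX_BOB, [CERT_MALLORY, CERT_BOB])
    swapped = repo.verify_update(INDEX_MALLORY, [CERT_MALLORY])
    return same, extra, swapped


if __name__ == "__main__":
    print(demo())
```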
Bazaar will generate a key for use in local HTTPS connections and for signing the index.jar that is generated locally.
When data is transmitted over a secure / authenticated channel, such as OTRDATA, the sender implicitly confirms that the repository as a whole and the files are as they are stored on the source (Bob's) system. This doesn't mean that the APKs were not modified before they reached Bob.
Another idea is to have ChatSecure somehow sign the index.jar using the user's existing and trusted OTR private key. This would be useful because it would then have existing trust relationships, but it would be tricky to get Bazaar talking to ChatSecure in the right way.
There are a few ideas on how to do this: