F-Droid Privileged Extension signatures

Added by Ellen Ripley about 1 month ago

Hi,

I have just upgraded my Replicant phone (Galaxy S3) to Replicant 6.0 - and I am very happy about it! When I open F-Droid, it says there is an update available for F-Droid Privileged Extension. The installed version of F-Droid Privileged Extension is 0.2.4, the new one available is 0.2.5. I press the Upgrade button and it shows:

"The new version is signed with a different key to the old one. To install the new version, the old one must be uninstalled first. Please do this and try again. (Note that uninstalling will erase any internal data stored by the application)"

When looking a bit more into it, I can also see:

"Signed: 4f8135124ff61b24b85749e368ce7f0d"

I guess that signature is for Version 0.2.5. I'm not sure, when I press on "Version 0.2.4 - Installed (from unknown source)" then F-Droid crashes.

Why are they signed with different keys?
What should I do?

Thank you.


Replies (5)

RE: F-Droid Privileged Extension signatures - Added by Wolfgang Wiedmeyer about 1 month ago

The crash definitely shouldn't happen. The same crash also happens when pressing the uninstall button and upstream F-Droid is aware of that: https://gitlab.com/fdroid/fdroidclient/issues/755

Replicant 6.0 ships the privileged extension. It is built from source as part of an image build for a device and is signed with one of the keys used for the release. You can find them on the ReplicantImages page. The privileged extension that you would install from F-Droid, if the update worked, is signed with their release key, which is different.

For now, you probably can't do much without manually removing some files and this is likely not worth it. Updating or uninstalling the extension from F-Droid obviously doesn't work (yet). And the improvements that come with the new version seem to only include some translation changes for a few languages and changes related to the creation of an update zip for installation through the recovery which isn't relevant for Replicant anyway. The improvements can be followed here.

The next Replicant 6.0 update will include an updated privileged extension.

RE: F-Droid Privileged Extension signatures - Added by Jeremy Rand about 1 month ago

I've encountered this issue as well (I didn't try to uninstall the old version, so can't confirm whether it crashes for me). Wolfgang, is there a reason why Replicant doesn't just ship the APK that's signed by F-Droid? If the issue is security concerns, would Replicant reconsider this policy once F-Droid's reproducible builds effort has progressed further?

RE: F-Droid Privileged Extension signatures - Added by Wolfgang Wiedmeyer about 1 month ago

The extension is actually intended to be built and shipped as part of an Android distro. I prefer to build as much as possible from source.
Regarding fixing the issue, I was advised by the developers of the extension to rename the extension shipped with Replicant. But this temporary fix doesn't work as the extension isn't recognized anymore by the F-Droid client then.

A fix is planned on their side in the coming weeks.

RE: F-Droid Privileged Extension signatures - Added by Jeremy Rand 30 days ago

Wolfgang Wiedmeyer wrote:

The extension is actually intended to be built and shipped as part of an Android distro. I prefer to build as much as possible from source.
Regarding fixing the issue, I was advised by the developers of the extension to rename the extension shipped with Replicant. But this temporary fix doesn't work as the extension isn't recognized anymore by the F-Droid client then.

A fix is planned on their side in the coming weeks.

It seems unfortunate for an Android distro upgrade to be needed in order to update a package that's available in F-Droid. (I suspect that F-Droid will usually ship security updates faster than Replicant.) Reproducible builds would make it irrelevant which project distributed the APK, hence why I asked whether F-Droid's reproducible builds effort would change the logic here.

RE: F-Droid Privileged Extension signatures - Added by Wolfgang Wiedmeyer 28 days ago

Updating it from F-Droid shouldn't work anyway. The Readme says:

Installing the F-Droid Privileged Extension directly from the F-Droid app requires root access and is only possible on Android versions older than 5.0. It is not possible on Android 5.1, 6.0, and newer.

If it were reproducible using a reproducible SDK like the Debian Android SDK, then yes, this would make a difference. There is an open issue for this.
