Verify non-mainline f-droid repo indexes correctly
Hainish opened this issue · 5 comments
The mainline F-Droid repository verifies the package index correctly with `v1` signatures.
As per discussion in #15, most repositories are failing package index verification. This has something to do with the underlying verification crates - e.g. https://docs.rs/x509-certificate/ and https://docs.rs/cryptographic-message-syntax/.
@eighthave Am I correct when I believe this relates to fdroidserver update's `--create-key` flag, which seems to default to the FQDN?
I can confirm my personal repo set up using https://github.com/TheLastProject/Docker-F-Droid-Binary-Repo fails like this as well:
```
Verifying...
certificate signature verification failed
Could not verify F-Droid package index. Exiting.
```
Sadly, I don't know much about this subject and I can't find what prints "certificate signature verification failed" in apkeep, so I'm not 100% sure why it is failing. My guess in my case may be that it probably grabbed Docker's container name, which won't be the outward-facing URL, and that's why it failed, but I am not sure how to figure this out.
@TheLastProject the `certificate signature verification failed` error comes specifically from this line:
Line 363 in 9cad878
A number of issues (indygreg/PyOxidizer#521, indygreg/PyOxidizer#525, indygreg/PyOxidizer#528) have been filed and fixed in the `x509-certificate` and `cryptographic-message-syntax` upstream dependencies. I'm awaiting a new release of these crates, at which point this issue should be resolved pending a final check.