On 2024-02-05 08:58, Simon Josefsson wrote:
What would be involved is to 1) during signing of artifacts, also sign
and upload into Sigstore/Sigsum, and 2) during verification in the
f-droid app, also verify that the signature has been committed to the
Sigstore/Sigsum logs.  Both projects have clients written in Go which
should work on Android, but the rest of the details are sketchy to me.
I'm happy to continue discussing and to help with design if you are
interested, to understand what the limitations of your environments are
and how to resolve them.

One weirdness with the release keys we use is that they are technically able to sign independently, but practically only ever appear next to the archive signing key. That gives us an escape hatch to update the key set when we managed to lose the archive key, I guess.

Obviously you'd need to have an efficient way to test against a transparency log - I don't think it's sufficient for just tracking the signatures if your worry is that someone MITMs you with a malicious signature. I'll note that Firefox also still does not implement Certificate Transparency checks. (Which I find quite surprising and makes it less secure in my book.)

Kind regards
Philipp Kern
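As an added illustration of the verification step both messages above describe (checking that a signature has actually been committed to a log, rather than merely possessing the signature), the following Go program is example code written for this page; it is not code from the thread, nor from F-Droid, Sigsum or Sigstore. It assumes the RFC 6962 Merkle-tree construction used by Certificate Transparency logs (domain-separated leaf and node hashes over SHA-256), which Sigsum and Sigstore's Rekor also follow. The log entries are constructed sample strings. A real client additionally checks the log's signature on the tree head (and, for Sigsum, witness cosignatures) before trusting the root; that part is omitted here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 6962 hashing: leaves and interior nodes use different prefixes so a
// leaf value can never be presented as a node (or vice versa).
func leafHash(data []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write(data)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// largestPowerOfTwoBelow returns the largest power of two strictly less than n (n >= 2).
func largestPowerOfTwoBelow(n uint64) uint64 {
	k := uint64(1)
	for k*2 < n {
		k *= 2
	}
	return k
}

// MerkleRoot computes the tree head over the leaves (MTH in RFC 6962).
func MerkleRoot(leaves [][]byte) []byte {
	n := uint64(len(leaves))
	if n == 0 {
		return sha256.New().Sum(nil) // empty tree: SHA-256 of the empty string
	}
	if n == 1 {
		return leafHash(leaves[0])
	}
	k := largestPowerOfTwoBelow(n)
	return nodeHash(MerkleRoot(leaves[:k]), MerkleRoot(leaves[k:]))
}

// InclusionProof is the audit path for leaf `index` (PATH in RFC 6962):
// the sibling hashes from the leaf up to the root, bottom first. A log
// server computes this; the client only receives it.
func InclusionProof(index uint64, leaves [][]byte) [][]byte {
	n := uint64(len(leaves))
	if n <= 1 {
		return nil
	}
	k := largestPowerOfTwoBelow(n)
	if index < k {
		return append(InclusionProof(index, leaves[:k]), MerkleRoot(leaves[k:]))
	}
	return append(InclusionProof(index-k, leaves[k:]), MerkleRoot(leaves[:k]))
}

// rootFromProof recomputes the root implied by a proof for the leaf hash lh
// at position index in a tree of treeSize leaves, consuming the path top-down.
func rootFromProof(lh []byte, index, treeSize uint64, proof [][]byte) ([]byte, error) {
	if index >= treeSize {
		return nil, errors.New("leaf index outside tree")
	}
	if treeSize == 1 {
		if len(proof) != 0 {
			return nil, errors.New("proof too long")
		}
		return lh, nil
	}
	if len(proof) == 0 {
		return nil, errors.New("proof too short")
	}
	sibling, rest := proof[len(proof)-1], proof[:len(proof)-1]
	k := largestPowerOfTwoBelow(treeSize)
	if index < k {
		left, err := rootFromProof(lh, index, k, rest)
		if err != nil {
			return nil, err
		}
		return nodeHash(left, sibling), nil
	}
	right, err := rootFromProof(lh, index-k, treeSize-k, rest)
	if err != nil {
		return nil, err
	}
	return nodeHash(sibling, right), nil
}

// VerifyInclusion is the client-side check: the entry the client holds (a
// signature record) must hash to a leaf whose audit path reproduces the root
// published in the log's tree head. A signature without such a proof is
// exactly the "just tracking the signatures" case that is not sufficient.
func VerifyInclusion(entry []byte, index, treeSize uint64, proof [][]byte, root []byte) bool {
	got, err := rootFromProof(leafHash(entry), index, treeSize, proof)
	return err == nil && bytes.Equal(got, root)
}

func main() {
	// Constructed sample entries standing in for logged signature records.
	entries := [][]byte{
		[]byte("sig:app-1.0.0.apk:releasekey"),
		[]byte("sig:app-1.0.1.apk:releasekey"),
		[]byte("sig:app-1.1.0.apk:releasekey"),
		[]byte("sig:app-1.1.1.apk:releasekey"),
		[]byte("sig:app-1.2.0.apk:releasekey"),
	}
	root := MerkleRoot(entries)
	proof := InclusionProof(4, entries)
	fmt.Println("tree head:", hex.EncodeToString(root))
	fmt.Println("logged entry accepted:", VerifyInclusion(entries[4], 4, 5, proof, root))
	fmt.Println("unlogged entry accepted:", VerifyInclusion([]byte("sig:app-1.2.0.apk:otherkey"), 4, 5, proof, root))
}
```

The proof is O(log n) hashes, so the check is cheap on a phone even for a large log; the cost the thread worries about lies in fetching proofs and a fresh tree head, not in computing them.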
