From 8a0b7e5b1bb0fd9b4720978e3812fb970a0062ed Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Tue, 18 Apr 2023 13:24:58 +0200 Subject: [PATCH] lint: `binary` or `Binaries` requires `AllowedAPKSigningKeys` Per fdroiddata!12911 the linter should error out if somebody uses `binary` or `Binaries` without supplying an `AllowedAPKSigningKeys`. There are two reasons for this: - Security: this allows full verification that the binaries built match the developers, not just what happened to get uploaded onto github at some later point in time. - Reliable updates: if the signing key changes, users won't be able to update, so this is something we should learn about when upstreams send in commits changing their signing key, rather than just leaving it to chance. --- fdroidserver/lint.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/fdroidserver/lint.py b/fdroidserver/lint.py index bc165f30..fb94e258 100644 --- a/fdroidserver/lint.py +++ b/fdroidserver/lint.py @@ -696,6 +696,25 @@ def check_updates_ucm_http_aum_pattern(app): # noqa: D403 yield _("AutoUpdateMode with UpdateCheckMode: HTTP must have a pattern.") +def check_certificate_pinned_binaries(app): + if len(app.get('AllowedAPKSigningKeys')) > 0: + return + if app.get('Binaries') is not None: + yield _( + 'App has Binaries but does not have corresponding AllowedAPKSigningKeys to pin certificate.' + ) + return + builds = app.get('Builds') + if builds is None: + return + for build in builds: + if build.get('binary') is not None: + yield _( + 'App version has binary but does not have corresponding AllowedAPKSigningKeys to pin certificate.' + ) + return + + def main(): global config, options @@ -803,6 +822,7 @@ def main(): check_current_version_code, check_updates_expected, check_updates_ucm_http_aum_pattern, + check_certificate_pinned_binaries, ] for check_func in app_check_funcs:
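Review bot: The first added line of `check_certificate_pinned_binaries`, `if len(app.get('AllowedAPKSigningKeys')) > 0:`, raises `TypeError` whenever the field is unset and `app.get` returns `None`, which is exactly the case this check exists to flag; the `is not None` guards the same function places on `Binaries` and `Builds` suggest unset fields do come back as `None`, so the same applies here unless `App` pre-populates the key with an empty list. Truthiness covers both the missing and the empty case without depending on that detail: `if app.get('AllowedAPKSigningKeys'):`. The function also carries no docstring, while the `# noqa: D403` on the neighbouring `check_updates_ucm_http_aum_pattern` indicates pydocstyle runs on this file; a one-liner such as `"""Require AllowedAPKSigningKeys when an app or any of its builds ships a prebuilt binary."""` would also record in the code the signing-key-verification rationale that currently lives only in the commit message. Both hunks are complete within the patch; the second only registers the new check in `app_check_funcs` and needs no change.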