mirror of
https://gitlab.com/fdroid/fdroidserver.git
synced 2024-10-02 09:10:11 +02:00
lint: binary
or Binaries
requires AllowedAPKSigningKeys
Per fdroiddata!12911 the linter should error out if somebody uses `binary` or `Binaries` without supplying an `AllowedAPKSigningKeys`. There are two reasons for this:
- Security: this allows full verification that the binaries built match the developers, not just what happened to get uploaded onto github at some later point in time.
- Reliable updates: if the signing key changes, users won't be able to update, so this is something we should learn about when upstreams send in commits changing their signing key, rather than just leaving it to chance.
parent
41104e217b
commit
8a0b7e5b1b
@ -696,6 +696,25 @@ def check_updates_ucm_http_aum_pattern(app): # noqa: D403
|
||||
yield _("AutoUpdateMode with UpdateCheckMode: HTTP must have a pattern.")
|
||||
|
||||
|
||||
def check_certificate_pinned_binaries(app):
|
||||
if len(app.get('AllowedAPKSigningKeys')) > 0:
|
||||
return
|
||||
if app.get('Binaries') is not None:
|
||||
yield _(
|
||||
'App has Binaries but does not have corresponding AllowedAPKSigningKeys to pin certificate.'
|
||||
)
|
||||
return
|
||||
builds = app.get('Builds')
|
||||
if builds is None:
|
||||
return
|
||||
for build in builds:
|
||||
if build.get('binary') is not None:
|
||||
yield _(
|
||||
'App version has binary but does not have corresponding AllowedAPKSigningKeys to pin certificate.'
|
||||
)
|
||||
return
|
||||
|
||||
|
||||
def main():
|
||||
global config, options
|
||||
|
||||
@ -803,6 +822,7 @@ def main():
|
||||
check_current_version_code,
|
||||
check_updates_expected,
|
||||
check_updates_ucm_http_aum_pattern,
|
||||
check_certificate_pinned_binaries,
|
||||
]
|
||||
|
||||
for check_func in app_check_funcs:
|
||||
|
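Review bot: In check_certificate_pinned_binaries, `len(app.get('AllowedAPKSigningKeys')) > 0` raises TypeError if the key is absent and `get` returns None; whether the app object always supplies a default list is not visible in this hunk. A truthiness test covers both cases: `if app.get('AllowedAPKSigningKeys'):`. The guard also accepts any non-empty value, so a list holding an empty or malformed fingerprint would pass the lint while pinning nothing. If the entry format is not validated elsewhere, each entry should be checked as a well-formed certificate fingerprint before the early return. The function also lacks a docstring; something like `"""Require AllowedAPKSigningKeys when Binaries or a build's binary is set."""` would state the rule for the next maintainer.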