Make signing keyaliases config public
Such information is useful for ppl need to trust the signature of apps which published on F-Droid.
v2ray-plugin kind of have such problem, the official shadowsocks-android refused to trust the signature of F-Droid build of v2ray-plugin tho. But forks like mine shadowsocks-android-foss still could trust F-Droid signature of v2ray-plugin. fdroiddata!6105 (comment 270232849)
It could cause problems if keyalias changes make an App trust additional app, public keyaliases configuration makes it easier for ppl to notice and check.
Seems so far only NextCloud have shared key configuration. #68 (closed)
It's possible to check signature by checking <sig>
in index.xml/index-v1.json, but it's not easy to find all of apps which use shared keys this way. maybe make keyaliases
config (and may also keydname
) public somewhere?