
gitlab-ci: automatically verify https://f-droid.org/FDroid.apk

Download and verify that the FDroid.apk is signed by the right PGP key. The only time that F-Droid's signed metadata does not verify the APK is the initial download and install of F-Droid itself. An attacker could replace the FDroid.apk and PGP signature on the website. The gpg key model is to trust only the key that is included in this script, so there is a test to check that it is starting with an empty keyring.

This is the gitlab CI version of fdroidserver@dfbe114a
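The check described above, written out as an added example (not the script from this merge request or from fdroidserver). It assumes the detached signature is published next to the APK as `FDroid.apk.asc`, that the pinned key is available as a local file, and it uses a placeholder fingerprint; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a placeholder: set it to the full fingerprint
# of the one key you trust before using this.
PINNED_FPR="${PINNED_FPR:-0000000000000000000000000000000000000000}"

# fetch_release DIR: download the APK and its detached signature.
# The .asc URL is an assumption, it is not stated on the page.
fetch_release() {
    curl -fsSL -o "$1/FDroid.apk" https://f-droid.org/FDroid.apk &&
    curl -fsSL -o "$1/FDroid.apk.asc" https://f-droid.org/FDroid.apk.asc
}

# keyring_is_empty HOMEDIR: succeeds only if that keyring holds no public keys,
# so nothing pre-installed on the runner can vouch for the APK.
keyring_is_empty() {
    ! gpg --homedir "$1" --batch --list-keys --with-colons 2>/dev/null |
        grep -q '^pub:'
}

# validsig_matches FPR: reads `gpg --status-fd` output on stdin. Succeeds only
# if there is at least one VALIDSIG line and every one names FPR as the
# primary key (last field). Other lines, e.g. GOODSIG user ids, are ignored.
validsig_matches() {
    awk -v pin="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if ($NF == pin) ok++; else bad++ }
        END { exit (ok > 0 && bad == 0) ? 0 : 1 }'
}

# verify_apk KEYFILE APK SIG: import only KEYFILE into a throwaway keyring,
# verify SIG over APK, and require the signer to be the pinned key.
verify_apk() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    rc=1
    if keyring_is_empty "$home" &&
       gpg --homedir "$home" --batch --quiet --import "$1" &&
       status=$(gpg --homedir "$home" --batch --status-fd 1 \
                    --verify "$3" "$2" 2>/dev/null) &&
       printf '%s\n' "$status" | validsig_matches "$PINNED_FPR"
    then rc=0; fi
    rm -rf "$home"
    return $rc
}
```

Matching on the `VALIDSIG` fingerprint rather than on gpg's exit status alone means a signature from any other key that happens to be in the imported file does not pass.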
