security updates for added repos
These commits fix a couple of security issues with adding repos; they should be included in the 0.65 release. Here is the bug report from Adam Pritchard; these issues should be fixed:
But wait, you say? Where's the "EF" at the start? F-Droid actually shows (and takes) a version of the fingerprint with the first byte (first two hex) dropped. Bwah?
You can see this with Guardian's fingerprint here: https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/ len('050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE') / 2 * 8 == 248 ...But it should be 256.
On purpose?
And it seems like there's a bug in F-Droid. If you enter the fingerprint when adding the repo, the repo gets flagged with "Unsigned", but if you add the repo without entering the fingerprint it doesn't.
Reproduction:
- Add https://guardianproject.info/repo/ and enter 050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE
- Refresh
- It says "Unsigned" in red text under the repo name
- Delete the repo
- Add it again, but without the fingerprint
- It won't have any red text
This is surely unintended?
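One way to validate a repo fingerprint before it is stored, as an added example written for this merge request rather than code from F-Droid itself: it rejects the 62-hex-digit (248-bit) form described in the report and accepts only a full 64-hex SHA-256, compared in constant time against the hash of the signing certificate's DER bytes. The certificate bytes below are a constructed placeholder, not a real certificate.

```python
import hashlib
import hmac
import re

# Constructed sample standing in for a repo signing certificate (DER bytes).
# It is NOT the Guardian Project certificate referred to in the report.
SAMPLE_CERT_DER = b"constructed-sample-certificate-bytes-not-a-real-cert"

# A SHA-256 repo fingerprint is 256 bits = 32 bytes = 64 hex digits.
FULL_HEX_LEN = 64


def fingerprint_bits(fp: str) -> int:
    """Bit length implied by a hex string, as in the report's len()/2*8 check."""
    return len(fp) // 2 * 8


def normalize_fingerprint(fp: str) -> str:
    """Strip whitespace/colons, upper-case, and require exactly 64 hex digits.

    A 62-digit (248-bit) value with its first byte dropped raises ValueError
    instead of being silently accepted.
    """
    cleaned = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]*", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    if len(cleaned) != FULL_HEX_LEN:
        raise ValueError(f"expected {FULL_HEX_LEN} hex digits (256 bits), got "
                         f"{len(cleaned)} ({fingerprint_bits(cleaned)} bits)")
    return cleaned


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate's DER bytes as upper-case hex."""
    return hashlib.sha256(cert_der).hexdigest().upper()


def fingerprint_matches(entered_fp: str, cert_der: bytes) -> bool:
    """True only if the entered value is a well-formed full fingerprint that
    equals the certificate's SHA-256; malformed or truncated input is False."""
    try:
        expected = normalize_fingerprint(entered_fp)
    except ValueError:
        return False
    # Constant-time comparison; both sides are 64-character hex strings here.
    return hmac.compare_digest(expected, cert_fingerprint(cert_der))
```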