index.jar vulnerable to "Master Key" style attack
The "Master Key" attack for inserting code into a signed APK relies on a bug where the Android code would check the signature of the first file named classes.dex while actually running the last file called classes.dex, and it turns out that the ZIP format allows multiple files with the same name.

FDroid's index.jar is most likely vulnerable to the exact same attack: the attacker could insert a second, spoofed index.xml in the jar. This is not as big a problem as with APKs, for a number of reasons: https://f-droid.org uses HTTPS, the attack is a lot more complicated with more moving parts, etc. But it is something that needs to be fixed.
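To make the duplicate-entry problem concrete, here is an added Python example (not F-Droid's code): it builds a constructed jar carrying two `index.xml` entries, shows that a name-based lookup silently returns the last copy, and gives the central-directory check a verifier can run to reject such a jar before trusting its signature. The function names `build_jar`, `find_duplicate_entries` and `read_entry_by_name` are chosen here for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_jar(entries):
    """Constructed sample: write a ZIP/JAR from a list of (name, data) pairs.
    Passing the same name twice reproduces the "Master Key" layout, genuine
    entry first and spoofed entry last; the ZIP format itself allows this."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names but still writes both entries
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def read_entry_by_name(jar_bytes, name):
    """What a naive name-based lookup sees: Python's zipfile keeps the LAST
    central-directory record for a name, so the spoofed copy wins."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.read(name)


def find_duplicate_entries(jar_bytes):
    """Defensive check: walk every central-directory record (not the
    name->entry map) and report names that occur more than once.
    A signed index.jar must yield an empty dict; anything else is rejected
    before any signature or index.xml content is trusted."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    jar = build_jar([("index.xml", b"<genuine/>"), ("index.xml", b"<spoofed/>")])
    print("lookup returns:", read_entry_by_name(jar, "index.xml"))
    print("duplicates:", find_duplicate_entries(jar))
```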
I'll try taking a look tonight.