Skip to content

This jar contains entries whose certificate chain is not validated.

After updating fdroid server to latest master, fdroid update gives this output for each apk:

WARNING: Using Java's jarsigner, not recommended for verifying APKs! Use apksigner

jar verified, with signer errors.

Error:
This jar contains entries whose certificate chain is not validated.

Warning:
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2039-06-13) or after any future revocation date.

Re-run with the -verbose and -certs options for more details.

I tried using fdroid init to test it with default configs, but it's the same.

I guess that means the apks are signed with self-signed certificates? Is it possible for fdroid to ignore that like before?

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information