make and verify jar signatures in pure python, entirely remove jarsigner support
Between the various flavors of Java (Oracle, OpenJDK, etc.) and the many GNU/Linux distros (let alone OSX and Windows), there is a wide variety of ways that jarsigner can be installed. Having the jar signatures made and verified using Python code would eliminate that issue. Here's one example from a user on Arch:
https://f-droid.org/forums/topic/binary-repo-whatsapp-error/
Here is some example code:
- https://github.com/google/keyczar
- http://penguindreams.org/blog/signature-verification-between-java-and-python/
- https://adblockplus.org/blog/signing-firefox-extensions-with-python-and-m2crypto
As a security failsafe, we can make fdroidserver also run jarsigner if it finds it.
Edited by Hans-Christoph Steiner
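An added example (not fdroidserver's code and not from the issue author) of the digest-chain part of JAR verification in pure Python, standard library only. It assumes SHA-256 digests and a signature file named `META-INF/CERT.SF`, and it does not verify the PKCS#7 signature block over the `.SF` file, so it checks that the contents match the manifest, not who signed them; `build_sample_jar` only constructs test input.

```python
import base64, hashlib, io, zipfile

def b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def parse_sections(raw):
    """Split MANIFEST.MF / .SF bytes into a list of {header: value} sections."""
    text = raw.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    blocks = (dict(l.split(": ", 1) for l in b.split("\n") if ": " in l) for b in text.split("\n\n"))
    return [b for b in blocks if b]

def is_signature_file(name):
    # The manifest and signature files are not themselves listed in the manifest.
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith((".SF", ".RSA", ".DSA", ".EC")))

def check_digest_chain(jar_bytes, sf_name="META-INF/CERT.SF"):
    """Return a list of problems; an empty list means .SF -> manifest -> entries all match."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if len(names) != len(set(names)):  # ambiguous archive: which copy was signed?
            problems.append("duplicate entry names")
        manifest = jar.read("META-INF/MANIFEST.MF")
        if parse_sections(jar.read(sf_name))[0].get("SHA-256-Digest-Manifest") != b64sha256(manifest):
            problems.append("manifest digest mismatch")
        listed = {s["Name"]: s.get("SHA-256-Digest") for s in parse_sections(manifest) if "Name" in s}
        for name in names:
            if is_signature_file(name) or name.endswith("/"):
                continue
            if name not in listed:
                problems.append("unsigned entry: " + name)
            elif listed[name] != b64sha256(jar.read(name)):
                problems.append("digest mismatch: " + name)
        problems += ["missing entry: " + n for n in listed if n not in names]
    return problems

def build_sample_jar(files, tamper=None):
    """Constructed test input: a jar with a manifest and .SF but no signature block."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        "Name: %s\r\nSHA-256-Digest: %s\r\n\r\n" % (n, b64sha256(d)) for n, d in files.items())
    sf = "Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: %s\r\n\r\n" % b64sha256(manifest.encode())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/CERT.SF", sf)
        for name, data in {**files, **(tamper or {})}.items():  # tamper swaps or adds entries
            jar.writestr(name, data)
    return buf.getvalue()
```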