added test of "Master Key"-style exploit based

This does not seem affected, I made a quick and dirty zip with two
index.xml files in it following these instructions:
http://www.saurik.com/id/17

refs #39 https://gitlab.com/fdroid/fdroidclient/issues/39

test/src/org/fdroid/fdroid/updater/SignedRepoUpdaterTest.java

@@ -12,7 +12,11 @@ import org.fdroid.fdroid.Utils;
 import org.fdroid.fdroid.data.Repo;
 import org.fdroid.fdroid.updater.RepoUpdater.UpdateException;
 
-import java.io.*;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
 
 @TargetApi(8)
 public class SignedRepoUpdaterTest extends InstrumentationTestCase {
@@ -165,4 +169,18 @@ public class SignedRepoUpdaterTest extends InstrumentationTestCase {
             // success!
         }
     }
+
+    public void testExtractIndexFromMasterKeyIndexJar() {
+        if (!testFilesDir.canWrite())
+            return;
+        // this is supposed to fail
+        try {
+            repoUpdater.getIndexFromFile(getTestFile("masterKeyIndex.jar"));
+            fail();
+        } catch (UpdateException e) {
+            // success!
+        } catch (SecurityException e) {
+            // success!
+        }
+    }
 }