revert to plain CA-based HTTPS verification
This is to address #80 so we can get a stable release out. Then we should revisit #80 and actually get the pinning and TOFU working properly.
See merge request !30
This reverts to only using standard HTTPS verification based on Certificate
Authorities. This means that self-signed certificates will not work at all
since that is what MemorizingTrustManager was providing. It seems to me
that this was originally working because MemorizingTrustManager was not
correctly validating. I couldn't figure out why PinningTrustManager alone
was not working. But we need to get good stable release out!
I'm leaving all the plumbing in place because this stuff should be included
once its all fixed and working properly. You can see where it was added
here: 254327f9a7700c8196e61f53801f1f12ac825806
refs #80https://gitlab.com/fdroid/fdroidclient/issues/80
The problem arose when we start with no categories other than the
three defaults, then add a repo with multiple categories. The exact
issue was that although the category spinner itself was updated,
the listener for onChange was referencing the list of categories
from before (with only three categories). Changed it to use data
from the category spinner adapter, that way it is always up to
date.
Also fixed some warnings in the file. Instance access of a static
object, and deprecated method warning.
Fix issue #56 -- update.zip
Creates a script create a update.zip file that installs F-Droid to `/system/app` or `/system/priv-app` depending on the android version. Also creates a remove.zip to remove F-Droid. Generates a zip file for every apk in the bin directory, to work with both signed and unsigned apks. Fixes issue #56.
See merge request !29
Fix issues #74 and #75
The indeterminent progress indicator in the `AppDetails` view is now hidden by default on Android 4.0.3 (which is the only reproducing device I had access to). Had to replace a bunch of calls with those provided by appcompat.
As for the "(De-)Installation Error" message when using the root installer, it was due to the timeout being set to 5 seconds for the superuser shell. Note that just accepting the super user prompt takes a minimum of 3 seconds, plus the install time. I changed the timeout to 30 seconds, for reasons explained in the commit.
NOTE: @mvdan, I noted that you mentioned you were not interested in client development any more, so I'm not quite sure if it is worthwhile me submitting this as a MR (FYI - thanks for all the help on the client, also happy that your able to spend more time on build recipies and fdroidserver stuff. Great to see all that moving along). Perhaps @CiaranG, if you had the time to review it you could give it the thumbs up or down? Otherwise, I'll merge it myself.
See merge request !27
The superuser shell has a timeout that can be specified. The timeout
was set to 5 seconds, thus the exit code from the shell is -1 (a
reserved exit code used by libsuperuse to indicate timeout).
By my estimate, it is more likely that a user will hit this error
message and get annoyed, compared to actually hitting a genuine timeout
because of some issue with superuser. Especially when we factor in slow
devices and large apps to install. Thus, the timeout has been bumped
to a more generous 30 seconds.
Replaced progress indicator methods with their "support" equivalents.
Also, it seems that on Android 4.0.4 and 4.0.3 if you request a
progress indicator in your ActionBarActivity (from the support
library), that it is set to visible to begin with. At least, that is
the conclusion I have come to, seeing as the only places it is set to
visible is on installApk() and removeApk(). Setting it to hidden in
onCreate seemed to do the trick (Couldn't use onResume, because we come
back from the "Request super user permissions" dialog, which causes
onResume to be invoked).
This commit uses alpha to make the category menu button appear darker to
match the rest of the dark theme. Since the background is black, the alpha
makes it darker. It is only used on the dark theme since alpha would
lighten the menu button on the light themes, and that would make it a worse
match.
If there is an unknown HTTPS certificate, MemorizingTrustManager puts up a
prompt to ask whether the user wants to trust the certificate. It comes at
a weird time in the lifecycle of the dialogs, so the previous dialog might
be null. Therefore add a null check.
This situation should probably be improved and better integrated.
The current HTTPS trust model is to first check if a site's key is TOFUed,
then check if it is pinned and check the CA, then prompt the user. There
is currently no way to only check the CA for validity. Ultimately, that
should probably not be needed if the repo URLs can include the HTTPS pin
info in the same way that the repo fingerprint is specified. Then it can
be added to the TOFU/POP keystore when the user accepts the Add Repo dialog
Since that idea does not exist yet, this commit adds the sites that are
likely to run their own repos in the near future:
https://f-droid.orghttps://guardianproject.infohttps://s3.amazonaws.com # multiple orgs use this
https://panicbutton.io # Amnesty International's app
https://psiphon.ca # circumvention tool
findbugs tells us:
Incorrect lazy initialization and update of static field org.fdroid.fdroid.
FDroidCertPins.PINLIST in org.fdroid.fdroid.FDroidCertPins.getPinList().
This method contains an unsynchronized lazy initialization of a static
field. After the field is set, the object stored into that location is
further updated or accessed. The setting of the field is visible to other
threads as soon as it is set. If the futher accesses in the method that set
the field serve to initialize the object, then you have a very serious
multithreading bug, unless something else prevents any other thread from
accessing the stored object until it is fully initialized.
Even if you feel confident that the method is never called by multiple
threads, it might be better to not set the static field until the value you
are setting it to is fully populated/initialized.
PRNGFixes.apply() is run in FDroidApp.onCreate(). This is enough,
according to Google, and their instructions say to disable this lint
warning once the workaround is included since lint cannot detech whether
the workaround is applied.
This the code format was also automatically corrected by the Eclipse plugin
The third parameter in the MemorizingTrustManager constructor was not good
apparently. Here's the email from Ge0rg, the MemorizingTrustManager author:
As you added MTM into the f-droid client, I'm writing to inform you that
the MTM constructor API was incorrect, and has been changed in current
git master:
When using the three-parameter constructor, the second parameter, a
trustmanager, was only used until the user stored a certificate into
MTM, and was overwritten after that.
Please use the new MTM constructor, and pass it the pinMgr as the only
trust manager parameter.
bug fixes for 0.71
I fixed the compact layout to make more sense. There seems to be something about the appcompat stuff that is preventing it from being short as it was before. There are some other bug fixes here, and I also included the Guardian Project repo by default, but disabled. @CiaranG proposed doing that a while back, now I finally did it!.
See merge request !25
This should help is there is ever multithreaded access to this variable.
This is an unlikely scenario, but the fix is easy.
findbugs reported this issue like this:
Incorrect lazy initialization and update of static field org.fdroid.fdroid.
FDroidApp.selectedApps in org.fdroid.fdroid.views.fragments.
SelectLocalAppsFragment.onActivityCreated(Bundle)
This method contains an unsynchronized lazy initialization of a static
field. After the field is set, the object stored into that location is
further updated or accessed. The setting of the field is visible to other
threads as soon as it is set. If the futher accesses in the method that set
the field serve to initialize the object, then you have a very serious
multithreading bug, unless something else prevents any other thread from
accessing the stored object until it is fully initialized.
findbugs found this problem and reported it like this:
Nullcheck of org.fdroid.fdroid.data.App.installedApk at line 191 of value
previously dereferenced in org.fdroid.fdroid.localrepo.LocalRepoManager.copyApksToRepo(List)
A value is checked here to see whether it is null, but this value can't be
null because it was previously dereferenced and if it were null a null
pointer exception would have occurred at the earlier dereference.
Essentially, this code and the previous dereference disagree as to whether
this value is allowed to be null. Either the check is redundant or the
previous dereference is erroneous.
This restores the Compact Layout being smaller than the normal layout, and
properly centers the icon in both. This stuff could use some refactoring
to work better with all the appcompat styles.
fixes#61https://gitlab.com/fdroid/fdroidclient/issues/61
default_repo_count is not used at all, and the numbering scheme is just a
vestige of that. This switches all the variables to have clear names of
what they are representing.
On Android 4.x, the category menu is showing up as pure black, and looks
very much like an app list item. I've personally witnessed many new users
struggle to find an app because the category is on "What's New" by default
and the app they are looking for is not new. Some even had troubles
remembering about the category menu after I told them. This small change
makes the category dropdown look the same on all Android versions, and
makes it a lot more apparent on newer Android releases.
This is a temporary usability fix until we can do something much better
than the category dropdown menu.
This merge request is a lot of porting code to use Android Support
appcompat-v7, now that it is in place. There are places where old custom
compat layers are replaced by appcompat, and other places like the local repo
stuff, where appcompat allows for full support on platforms older than 11.
onNewIntent() is called because ManageReposActivity is set to "singleTask"
launchMode, but it is only called if ManageReposActivity is already
running. onResume() is always called, and called after onNewIntent() if it
is called, so use onNewIntent() only to set the current Intent, then parse
the Intent only in onResume().
Here is how to reproduce the original bug:
1. Close F-Droid properly and start it again.
2. Click on https://guardianproject.info/fdroid/repo in a browser (and tell
it to open with F-Droid)
3. Hit cancel on the add repo dialog
4. Leave F-Droid open and switch back to the browser
5. Open that link again.
This should result in two dialogs on top of one another. Happened from both
Firefox, Chrome, and Android browsers.
When someone clicks on a URL that F-Droid can accept, i.e. a repo URL, then
Android puts up a chooser where the user can select which app to VIEW the
URL with. That was showing up with the title "Repositories", which is the
title used for that Activity when viewing it. This keeps the Activity
title the same while changing the title in the chooser.
Instead of just sticking whatever URL is in the clipboard into the "Add
Repo" dialog, this attempts to sanitize the URL in case it has some garbage
or came from a QR Code, and therefore was all uppercase (that makes for
smaller QR Codes). It also checks if there is a fingerprint in the query
string of the URL, and sticks that into the fingerprint box.
fixes#50https://gitlab.com/fdroid/fdroidclient/issues/50
The swap stuff will also need to handle incoming Intents that represent
new repos, so the parsing logic is now its own class NewRepoConfig, which
is something like the Repo class, but using getters instead of properties.
Since the new repo data does not change once FDroid receives it, the only
way to set the values of a NewRepoConfig is via the constructor.
This is based on some incomplete work from @pserwylo:
71cb12ef5c (diff-6)
and
71cb12ef5c (diff-7)
AppListFragmentPageAdapter is a subclass of FragmentPagerAdapter, so it
should include the same spelling to make that clear and easy to trace,
grep for, etc.
