security updates for added repos
These commits fix a couple of security issues with adding repos, they should be included in the 0.65 release. Here is the bug report from Adam Pritchard, these issues should be fixed:
2.
But wait, you say? Where's the "EF" at the start? F-Droid actually shows
(and takes) a version of the fingerprint with the first byte (first two
hex) dropped. Bwah?
You can see this with Guardian's fingerprint here:
https://guardianproject.info/2012/03/15/our-new-f-droid-app-repository/
len('050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE') / 2 *
8 == 248
...But it should be 256.
On purpose?
3.
And it seems like there's a bug in F-Droid. If you enter the fingerprint
when adding the repo, the repo gets flagged with "Unsigned", but if you add
the repo without entering the fingerprint it doesn't.
Reproduction:
- Add https://guardianproject.info/repo/ and enter
050C8155DCA377F23D5A15B77D3713400CDBD8B42FBFBE0E3F38096E68CECE
- Refresh
- It's say "Unsigned" in red text under the repo name
- Delete the repo
- Add it again, but without the fingerprint
- It won't have any red text
This is surely unintended?
If a repo was configured with a fingerprint, but it has not yet updated and
gotten the pubkey from the index.jar, then it will be in an "unverified"
state, i.e. the signing key fingerprint is stored, but it has not yet been
used to check against the pubkey in the index.jar
The logic here is crufty, so I slapped a flag in there to make sure that
the pubkey gets stored when someone configures a repo and includes the
fingerprint. When the fingerprint is set, it will first download the
index.jar and verify it against that fingerprint. The logic for storing
the pubkey permanently happens later in the XML parsing, so there needs to
be a flag to signal to store the pubkey in this case.
Before the flow was always index.xml -> get pubkey -> index.jar. Really,
there should no longer be support for unsigned repos, then all of this
stuff can be dramatically simplified.
fixes#2924https://dev.guardianproject.info/issues/2924
refs #2960https://dev.guardianproject.info/issues/2960
This was causing the first byte of the signature to be chopped off, so
therefore it would not validate since the fingerprint of the cert from
the net connection had the right fingerprint, but it was compared to the
stored, truncated version.
This also means that the database version needs to be bumped to trigger an
upgrade so that the bad 62 char fingerprints are removed from the database.
Since before, incoming repo Intents where handled in the Fragment's
onCreate(), an Intent that was received while the Fragment was visible was
just ignored. Activities have onNewIntent() for that, but Fragments don't
so the repo Intent handling had to be moved to the ManageRepo Activity.
That makes for a more direct relationship anyway, since ManageRepo is what
is configured as receiving all those Intents in AndroidManifest.xml.
Doesn't work because:
* In this installer, we are not a system app
* Our intent action is of type ACTION_VIEW, not ACTION_INSTALL_PACKAGE
The equivalent of "we are not an unknown source" would be the other
installers, such as the Root and System ones.
There were some weird edge cases that couldn't quite be pinned down,
whereby installing an app would result in a unique key violation being
hit. One example was when somebody was installing an apk from a file
manager. It seems that this doesn't trigger a PACKAGE_CHANGED, but
rather a PACKAGE_INSTALLED. The end result is that it attempts to insert
a record that already exists in the installed apps table. Because we
have a unique key constraing on the appId, it breaks.
This commit changes the way that we insert installed app details.
Instead of inserting some times, and updating other times, we always
insert. If we hit a unique key violation, the row is deleted, and then
the new values are reinserted.
send any installed app via NFC/Beam or Bluetooth
Building upon the NFC+Bluetooth sending of the FDroid.apk, these two commits allow the user to send any installed app via Bluetooth or NFC/Android Beam.
This takes the code used for sending the FDroid.apk and applies it to any
installed app. So the user can go to the AppDetails for any installed app
and select "Send via Bluetooth" from the menu, and send the app to another
phone.
If you are viewing the AppDetails screen for an installed app, this code
configures Android Beam to send the APK for that installed app if the you
initiate via NFC.
Also move the SDK checks into each method so that they are easier to use
without doing the wrong thing.
If a new repo comes in via Intent, like from clicking a link, scanning a QR
Code, etc., then stay in FDroid once the add dialog is complete.
Previously, it would sometimes stay in FDroid and sometimes go back to the
sending Activity, depending on the sending Activity. It was confusing and
annoying behavior.
