That is an excellent and very helpful writeup!

I'm particularly disappointed to hear that Google doesn't provide any way to rotate the signing key for an app. Is there an issue for that filed with them anywhere, or more discussion?

Some day, I hope reputable services have migrated to The Update Framework, which has been pointing out and solving these and other problems related to software updates for several years now.


Actually, a quick search leads to this - is it indeed possible to rotate your key, at least for Android's Pie version?


So yes, Google Play has let you rotate your key for a few years now, but a) Riot/Android was set up before that was a thing, and b) it gives Google the ability to push their own updates to your app, which some of the more paranoid users might object to. So we set it up again with our own key, but this time we will protect it with our lives...

Edit: https://developer.android.com/studio/publish/app-signing#app... is the type of key rotation I was talking about here.

Actually, the mechanism described in https://www.androidpolice.com/2018/08/13/android-pie-include... sounds different from this, but given that it mandates Android 9.0, we can't use that either yet. (Our minimum Android is still 4.1...)

Hi, former lead researcher at NYU for The Update Framework (TUF) here, now security engineer at Datadog taking TUF further. Planning to help PyPA apply TUF to PyPI. Happy to help answer questions, just reach out to me here, thanks.

