Embedded signatures discussion
bubu at bubu1.eu
Mon Apr 20 15:07:35 UTC 2020
I just opened
I'd appreciate input on the final question I wrote in that issue:
> So while we can say "These two apk's are identical modulo signature",
I'm currently unsure what this actually communicates to a user. It
certainly doesn't mean they'll behave identical.
I have mentioned a few examples in the issue, why this maters in practice.
My current thought process:
We can reproduce/verify unsigned builds of an apk and then we might have
a list of valid signatures for that apk which can be applied to it. But
the resulting apks are really different things again.
More information about the rb-general