Marcus Hoffmann bubu at bubu1.eu
Mon Apr 20 15:07:35 UTC 2020

Hello all,

I just opened

I'd appreciate input on the final question I wrote in that issue:

> So while we can say "These two apks are identical modulo signature",
> I'm currently unsure what this actually communicates to a user. It
> certainly doesn't mean they'll behave identically.

I have mentioned a few examples in the issue of why this matters in practice.

My current thought process:

We can reproduce/verify unsigned builds of an apk and then we might have
a list of valid signatures for that apk which can be applied to it. But
the resulting apks are really different things again.


