hiding data/code in Android APK embedded signatures

Holger Levsen holger at layer-acht.org
Wed Feb 1 20:53:23 UTC 2023

On Wed, Feb 01, 2023 at 12:53:24PM -0500, David A. Wheeler wrote:
> I recommend that the reproducible-builds website have a short article
> *specifically* recommending how signatures, OmniBOR data, & similar metadata should be shared.
> Is there agreement on adding such a page?

Yes, I'd say so. I'm not sooo sure about agreement for what exactly should be on that
page ;) So, yes, please, patches welcome, also incrementially!

> At least one person I've talked to claims that reproducible builds are a security vulnerability,
> because he assumes that signatures must be embedded within executables.
> That's wrong, but making it clear to others why it's wrong would be helpful.


 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

"In just 6 decades, roughly the life span of a blue whale, humans took blue whale
population down from 360,000 to just 1,000. In one century, whalers killed two
million baleen whales, which together weighed twice as much as all wild mammals
on Earth today."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20230201/725e2f26/attachment.sig>

More information about the rb-general mailing list