Comment on Android won't kill sideloading after all, but new verification rules will make it harder
x00z@lemmy.world 2 weeks ago
Weird that they want to do all the verification themselves and not just allow certificate signing using verified CAs. Oh well it’s not weird because we all know Google does this to fight back against third party stores and to get developers back to their shitty one and of course to better track them.
NateNate60@lemmy.world 2 weeks ago
I’m guessing what you’re suggesting is that Google’s proposal is the same as requiring all packages be signed and accompanied by an Extended Validation or Oragnisation Validation X.509 certificate.
While that would technically work, the problem with using the existing PKI is that it’s still very expensive to get EV/OV certificates. And the most common of these certs (those for TLS purposes) will soon only last 47 days which is, to put it mildly, would be a pain in the ass to use for package-signing.
x00z@lemmy.world 2 weeks ago
My project uses a free one from SignPath. They offer this for opensource projects and require a verifiable GitHub build process. It’s not EV certs but it’s good enough and free.