Comment on Android won't kill sideloading after all, but new verification rules will make it harder
x00z@lemmy.world 8 hours ago
Weird that they want to do all the verification themselves and not just allow certificate signing using verified CAs. Oh well it’s not weird because we all know Google does this to fight back against third party stores and to get developers back to their shitty one and of course to better track them.
NateNate60@lemmy.world 1 hour ago
I’m guessing what you’re suggesting is that Google’s proposal is the same as requiring all packages be signed and accompanied by an Extended Validation or Oragnisation Validation X.509 certificate.
While that would technically work, the problem with using the existing PKI is that it’s still very expensive to get EV/OV certificates. And the most common of these certs (those for TLS purposes) will soon only last 47 days which is, to put it mildly, would be a pain in the ass to use for package-signing.