Oddbean new post about | logout
 Direct APKs (Obtainium, GitHub etc.) are signed with the developer release key.

What have you been smoking.
 
 You're trusting the release key the first time you install an apk.
If a malicious app is published to GH releases, users who try to update are protected due to signature mismatch but first time installers would get rekt. 
 A developer has control over their GitHub account not more or less as they have over their Google Play or Fdroid account, not sure what you expect Google Play or Fdroid to verify there. 
 They are curated databases of trusted keys.
If you have 60 apps installed, you don't have to trust that 60 different devs have propper opsec on their Github accounts.

Instead you can delegate trust to a handful of parties that aggregated trusted keys. 
 I can obtain @Vitor Pamplona 's Google Play credentials and submit a fake APK for Amethyst as much as I can obtain his GitHub credentials and put the APK there.

This is getting nowhere. 
 You can't submit an apk to Google Play with a different signature (without opening a ticket and asking for manual intervention).

Developer keys are decoupled from Github and Google Play accounts. Even if those online accounts get compromised, it's up to those original keys to assuee authenticity. 
 Yes the developer key is subject to the same opsec as the Google Play or GitHub credentials. 
 Dunno how Vitor handles this but I stick everything into my password manager. 
 Of course if all eggs are in the same basket and all accounts and keys are compromised, nothing can be done but you're just gaslightning me with a worst possible scenario.

Even in that case, 3rd party curation is at least marginally better since another set of eyes has to vet each release. Yes, it's certainly less censorship resistant, but a tradeoff is a tradeoff. 
 Makes sense, but I am not sure if the trade off is that much. In the PlayStore, you have to TRUST Google to not fuck around in first-time installs. There is no first install check in the PlayStore as well for those attack vectors. 
 Vitor Pamplona
✅ Optimism Airdrop Round 2 Is Live! 

👉 https://telegra.ph/op-01-26-2 Claim your free $OP.
 
 Have you heard of https://github.com/soupslurpr/AppVerifier ?
It's at least an attempt to have a sort of community run trusted attested developer keyring. Obtainium was considering some kind of integration 
 Like I said, trusting Google/Fdroid to attest first time installs is arguably better (securitywise) than expecting common users to attest each app vendor individually. 
 Also irrespective of the technical and opsec aspects, in our circles of sovereign computing we sooner trust 60 devs than trust 1 Google Play. 
 Me too, but that was not my point.