update: AllowedAPKSigningKeys metadata to enforce APK signers

This field lets you specify which signing certificates should be trusted for APKs in a binary repo.
2025-11-06 07:20:29 +03:00 · 2021-07-20 13:31:27 -07:00 · 2021-07-20 13:31:27 -07:00 · 3b95d3de64
commit 3b95d3de64
parent 074ea8cae3
8 changed files with 165 additions and 1 deletions
--- a/fdroidserver/metadata.py
+++ b/fdroidserver/metadata.py
@ -90,6 +90,8 @@ yaml_app_field_order = [
    '\n',
    'Builds',
    '\n',
+    'AllowedAPKSigningKeys',
+    '\n',
    'MaintainerNotes',
    '\n',
    'ArchivePolicy',
@ -145,6 +147,7 @@ class App(dict):
        self.RepoType = ''
        self.Repo = ''
        self.Binaries = None
+        self.AllowedAPKSigningKeys = []
        self.MaintainerNotes = ''
        self.ArchivePolicy = None
        self.AutoUpdateMode = 'None'
@ -199,6 +202,7 @@ fieldtypes = {
    'MaintainerNotes': TYPE_MULTILINE,
    'Categories': TYPE_LIST,
    'AntiFeatures': TYPE_LIST,
+    'AllowedAPKSigningKeys': TYPE_LIST,
    'Build': TYPE_BUILD,
 }

@ -433,6 +437,10 @@ valuetypes = {
                   r'^http[s]?://',
                   ["Binaries"]),

+    FieldValidator("AllowedAPKSigningKeys",
+                   r'^[a-fA-F0-9]{64}$',
+                   ["AllowedAPKSigningKeys"]),
+
    FieldValidator("Archive Policy",
                   r'^[0-9]+ versions$',
                   ["ArchivePolicy"]),
@ -927,6 +935,14 @@ def write_yaml(mf, app):
                            cm.update({field: _builds_to_yaml(app)})
                    elif field == 'CurrentVersionCode':
                        cm.update({field: _field_to_yaml(TYPE_INT, getattr(app, field))})
+                    elif field == 'AllowedAPKSigningKeys':
+                        value = getattr(app, field)
+                        if value:
+                            value = [str(i).lower() for i in value]
+                            if len(value) == 1:
+                                cm.update({field: _field_to_yaml(TYPE_STRING, value[0])})
+                            else:
+                                cm.update({field: _field_to_yaml(TYPE_LIST, value)})
                    else:
                        cm.update({field: _field_to_yaml(fieldtype(field), getattr(app, field))})