update: allow_disabled_algorithms option to keep MD5 sigs in repo

The new policy is to move APKs with invalid signatures to the archive,
and only add those APKs to the archive's index if they have valid MD5
signatures.

closes #323
closes #292
Hans-Christoph Steiner 2017-06-27 21:40:39 +02:00
parent b7260ea854
commit 746d4bd4cf
9 changed files with 233 additions and 17 deletions

@ -71,6 +71,15 @@ archive_description = """
The repository of older versions of applications from the main demo repository.
"""
# This allows a specific kind of insecure APK to be included in the
# 'repo' section. Since April 2017, APK signatures that use MD5 are
# no longer considered valid, jarsigner and apksigner will return an
# error when verifying. `fdroid update` will move APKs with these
# disabled signatures to the archive. This option stops that
# behavior, and lets those APKs stay part of 'repo'.
#
# allow_disabled_algorithms = True
# Normally, all apps are collected into a single app repository, like on
# https://f-droid.org. For certain situations, it is better to make a repo
# that is made up of APKs only from a single app. For example, an automated
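Review bot: The comment added above `# allow_disabled_algorithms = True` documents only MD5, while the option name covers "disabled algorithms" in general. Please state exactly which signature algorithms the option re-admits into 'repo', so an operator who sets it knows the full scope of what they are accepting. The comment should also say outright that the option is off by default and that enabling it publishes APKs whose signatures jarsigner and apksigner reject. It calls them "a specific kind of insecure APK" but never says what a client installing from 'repo' loses. The commit message notes that archived APKs are indexed only if they have valid MD5 signatures; that condition is worth repeating here, since this comment is what repo operators will actually read. Minor: "no longer considered valid, jarsigner and apksigner will return an error" is a comma splice; split it into two sentences.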