[Security Alert] Latest Orbot is signed by different key.

Latest Orbot on F-Droid is signed by different key. When tried to upgrade, F-Droid urge user to delete Orbot to install the latest one.

Why do you change key?

Trac:
Username: ikurua22

added component::applications/orbot owner::n8fr8 priority::medium reporter::ikurua22 resolution::fixed severity::critical status::closed type::defect labels

About

15.1.2 (tor 0.2.7.5)

Trac:
Username: ikurua22

If you install Orbot from the public F-Droid repo, then the key uses there is the F-Droid signing key, since they build Orbot from source.

If you install Orbot from Google Play, the Guardian Project F-Droid repo, or the direct APK download, it will be signed with the Tor Project signing key.

It is likely you switched from one stream to the other accidentally.

I don't use GooglePlay, only F-droid with official repo + Guardian repo.

Hmm... So, 15.1.2 is released from Guardian...?

IIRC, I switched from v15.0.1-RC-3-PIE.

If the "Orbot on F-Droid" and "Guardian FDroid's Orbot" are different, please consider merging into one, or delete Orbot from F-Droid.org.

Trac:
Username: ikurua22

Yes, so there is a problem which is Orbot is in both F-Droid.org and the Guardian Project repo. The F-Droid app makes it hard to know where you are getting it from.

15.1.2 is indeed from us, and from our F-Droid repo.

I agree Orbot should be removed from the main repo.

Also though we are working with them on a new system where they would build the source code, compare it to ours, and then use binary signed with our key, if it matches up.

(apologies for the trouble/confusion)

Trac:
Resolution: N/A to fixed
Status: new to closed

closed