I've been using this app and I honestly prefer it this way.

Let's not forget that certificates are created and checked for github.com, so it's unlikely for a middleman to get in.

I trust GitHub much more than Google right now. Especially since the object being fetched is generic, as opposed to an app store. Google's app store has only been shown to hinder publishing. Take Syncthing, for instance.

The only thing I wish was better was the .apk selection process. It would be nice if a database existed with filename formats or a little extra metadata to match the correct asset.

> Let's not forget that certificates are created and checked for github.com, so it's unlikely for a middleman to get in.

What?

Don't assume that the APKs are generated by GitHub's CI; anyhow, anything can be uploaded as a release.


A great example of this would be the XZ backdoor, which never got committed to the source tree but was implanted in the release tarballs, which were built on the attacker's systems.


Github should provide a certificate when binaries are built from source with their tools.


They added something to verify if the binary came out of their CI only a few months ago; I haven't checked since, but it seemed extremely convoluted.

In any case, there's for sure no GitHub certificate added to the APKs


npm has support for GitHub CI provenance. So you can verify that the package on npm was built on the GitHub Actions of the repo mentioned in npm.


I saw, nice

It seems to not check it automatically, though?


Yeah, you have to set the provenance flag to true. For example:

  # Publishing step of a GitHub Actions job. Provenance generation also needs
  # the job to have `permissions: id-token: write` so npm can obtain the OIDC
  # token that ties the attestation to this workflow run.
  - uses: JS-DevTools/npm-publish@v2
    with:
      token: ${{ secrets.NPM_TOKEN }}
      access: public
      provenance: true   # ask npm to attach a signed provenance attestation
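What the provenance check actually compares, as an added example for this thread (not code from Obtainium, npm or GitHub): after `npm audit signatures` or `gh attestation verify` has checked the Sigstore signature on the attestation bundle, what is left is a policy check over the in-toto/SLSA v1 statement inside it. The statement layout below follows what GitHub's attest-build-provenance action and npm provenance emit, but the artifact bytes, the repository `example-org/example-app`, the tag and the workflow path are constructed for the example; signature verification is assumed to have been done by the tooling and is not repeated here.

```python
"""Policy check over a SLSA v1 provenance statement.

Added example for this thread; not code from Obtainium, GitHub or npm.
It models the step that `npm audit signatures` and `gh attestation verify`
perform after the Sigstore signature on the attestation bundle has been
checked: is this statement about the file I downloaded, and did the
build run in the named repository's own GitHub Actions workflow?
"""
import hashlib
import json

# Constructed sample artifact: stands in for a downloaded release .apk.
ARTIFACT = b"PK\x03\x04 not a real apk, just bytes to hash"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed statement in the in-toto v1 / SLSA provenance v1 layout that
# GitHub's attest-build-provenance action and npm provenance emit. The repo,
# tag and workflow path are made up for this example.
PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-release.apk", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.2.3",
                    "repository": "https://github.com/example-org/example-app",
                    "path": ".github/workflows/release.yml",
                }
            },
        },
        "runDetails": {
            "builder": {"id": "https://github.com/actions/runner/github-hosted"},
        },
    },
})

# Only GitHub-hosted runners are trusted here; a self-hosted runner is the
# attacker's own machine in the XZ scenario, so it is deliberately excluded.
TRUSTED_BUILDERS = {"https://github.com/actions/runner/github-hosted"}


def verify_provenance(statement_json, artifact, expected_repo,
                      expected_ref_prefix="refs/tags/"):
    """Return (ok, reasons): ok is True only when every policy check passes.

    Assumes the caller has already verified the Sigstore signature and the
    signing identity on the bundle; this is the content policy only.
    """
    stmt = json.loads(statement_json)
    reasons = []

    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        reasons.append("not an in-toto v1 statement")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        reasons.append("predicateType is not SLSA provenance v1")

    # 1. The statement must be about *this* file, not just any file.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject") or []
    if not any(s.get("digest", {}).get("sha256", "").lower() == digest for s in subjects):
        reasons.append("artifact sha256 %s... is not a subject of the statement" % digest[:12])

    # 2. The build must have run from the repository the user trusts. Anyone can
    #    upload anything to a release; provenance pins the file to a workflow.
    pred = stmt.get("predicate") or {}
    workflow = ((pred.get("buildDefinition") or {})
                .get("externalParameters", {}).get("workflow", {}))
    if workflow.get("repository") != expected_repo:
        reasons.append("built from %r, expected %r" % (workflow.get("repository"), expected_repo))

    # 3. Release builds should come from a tag, not an arbitrary branch or PR ref.
    ref = str(workflow.get("ref", ""))
    if not ref.startswith(expected_ref_prefix):
        reasons.append("built from ref %r, expected prefix %r" % (ref, expected_ref_prefix))

    # 4. The builder must be one we trust to have executed that workflow honestly.
    builder = (pred.get("runDetails") or {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        reasons.append("untrusted builder %r" % builder)

    return (not reasons, reasons)


if __name__ == "__main__":
    repo = "https://github.com/example-org/example-app"
    print(verify_provenance(PROVENANCE_JSON, ARTIFACT, repo))            # (True, [])
    print(verify_provenance(PROVENANCE_JSON, ARTIFACT + b"\x00", repo))  # digest mismatch
    print(verify_provenance(PROVENANCE_JSON, ARTIFACT, "https://github.com/attacker/example-app"))
```

In practice the tooling does both halves for you: `npm audit signatures` checks the registry's provenance attestations for installed packages, and `gh attestation verify --repo owner/repo <file>` fetches GitHub's attestation for a file, verifies the Sigstore signature, and then applies checks of this kind against the repository you name. The point of step 2 is exactly the one made above about the XZ tarballs: a binary someone built elsewhere and uploaded to a release either has no statement at all or has one naming a different workflow, and either way it fails.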

Do you mean https://apps.obtainium.imranr.dev/ or something else? That seems to be a crowdsourced list of configurations for different apps.
