social.tchncs.de is one of the many independent Mastodon servers you can use to participate in the fediverse.
A friendly server from Germany – which tends to attract techy people, but welcomes everybody. This is one of the oldest Mastodon instances.

Administered by:

Server stats:

3.9K
active users

Before the update run completes & app-rain toot comes, some other exciting news from the #IzzyOnDroid repo that won't fit in there:

* JetNote was removed as it still used a debug key for signing.
* Occtax switched to a new and proper signing key, using key rotation, so even direct updates are possible*.

So gitlab.com/IzzyOnDroid/repo/-/ could finally be closed. There should be no debug-signed apps at IzzyOnDroid anymore after the next sync.

(1/2)

GitLabscan existing APKs for use of debug keys (#477) · Issues · IzzyOnDroid / repo · GitLabonce #475 has been completed, existing APKs should be scanned for...

(2/2)

*Your F-Droid client will most likely not even show the update unless you have "show incompatible signatures" turned on – and even then refuse to update. But downloading the APK and installing it via your file manager, or using "adb install" should work to update it without uninstalling, keeping all data intact.

PS: The only F-Droid client handling such issues *right now* is Neo Store (you just have to "disable signature check" in settings so it passes the APK to the Android system). Droid-ify will allow that in its next release, there it was implemented about 2 weeks ago but not yet released.

@Sentinel999 Which repo did you install from – and which repo are you trying to update from? IoD cannot have shipped a different signature than before as signing keys are pinned here:

@IzzyOnDroid I dont change anything, since yesterday updates failed. I disable the sig check only.

@Sentinel999 and now look at the "provided by": Installed from F-Droid, update from IzzyOnDroid. Most likely FairEmail is not RB at F-Droid, but let me check… Bingo. So F-Droid ships a version signed with their key, while IoD ships it signed with Marcel's key. Expected behavior.

> I disable the sig check only.

Which is why the update now is offered to you *despite the different sig*. This only makes sense if you override sig check in the system eg via an Xposed module. Better switch it back 😉

@Sentinel999 and today we learned what the signature check is for 😄 While in this specific case a cross-update would (hopefully 😉) be harmless, in another case someone could have put up an altered APK with harmful code. So the signature check prevents you from installing such "altered APKs" – only APKs with the same signature (or a proper key rotation, in which case you'd need to disable sigcheck once *for that update only* in Neo Store, eg with the current Occtax) will be accepted by Android.