Verify generated key alias uniqueness

Refuses to sign in the event of any problem - see comments for details

diff --git a/fdroidserver/publish.py b/fdroidserver/publish.py
index 9ec10a7f9eb1aff3b3fd4eb727392e9d9957c6e4..4d984916de9914058c4583808a72bf310057c980 100644 (file)
--- a/fdroidserver/publish.py
+++ b/fdroidserver/publish.py
@@ -66,6 +66,28 @@ def main():
         print "No unsigned directory - nothing to do"
         sys.exit(0)
 
+    # It was suggested at https://dev.guardianproject.info/projects/bazaar/wiki/FDroid_Audit
+    # that a package could be crafted, such that it would use the same signing
+    # key as an existing app. While it may be theoretically possible for such a
+    # colliding package ID to be generated, it seems virtually impossible that
+    # the colliding ID would be something that would be a) a valid package ID,
+    # and b) a sane-looking ID that would make its way into the repo.
+    # Nonetheless, to be sure, before publishing we check that there are no
+    # collisions, and refuse to do any publishing if that's the case...
+    apps = common.read_metadata()
+    allaliases = []
+    for app in apps:
+        m = md5.new()
+        m.update(app['id'])
+        keyalias = m.hexdigest()[:8]
+        if keyalias in allaliases:
+            print "There is a keyalias collision - publishing halted"
+            sys.exit(1)
+        allaliases.append(keyalias)
+    if options.verbose:
+        print "{0} apps, {0} key aliases".format(len(apps), len(allaliases))
+
+    # Process any apks that are waiting to be signed...
     for apkfile in sorted(glob.glob(os.path.join(unsigned_dir, '*.apk'))):
 
         apkfilename = os.path.basename(apkfile)