mirror of
https://github.com/f-droid/fdroidserver.git
synced 2026-01-28 17:21:53 -05:00
998b6245e9
The ZIP format allows multiple entries with the exact same filename, and on top of that, it does not allow deleting or updating entries. To make the `fdroid verify` procedure failsafe, it needs to create a new temporary APK that is made up on the contents of the "unsigned APK" and the signature from the "signed APK". Since it would be possible to give a signed APK as in the unsigned one's position, `fdroid verify` was not able to update the signature since it was just adding the new signature to the end of the ZIP file. When reading a ZIP, the first entry is used.