this post was submitted on 21 Jan 2026
612 points (98.9% liked)

Technology

[–] x00z@lemmy.world 15 points 1 day ago (1 children)

Weird that they want to do all the verification themselves and not just allow certificate signing using verified CAs. Oh well, it's not weird because we all know Google does this to fight back against third-party stores and to get developers back to their shitty one and of course to better track them.

[–] NateNate60@lemmy.world 2 points 1 day ago (1 children)

I'm guessing what you're suggesting is that Google's proposal is the same as requiring all packages be signed and accompanied by an Extended Validation or Organisation Validation X.509 certificate.

While that would technically work, the problem with using the existing PKI is that it's still very expensive to get EV/OV certificates. And the most common of these certs (those for TLS purposes) will soon only last 47 days which, to put it mildly, would be a pain in the ass to use for package-signing.
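
An added example, not part of this thread, of the check a release pipeline could run before trusting a certificate for package signing, which makes the point above concrete: a public TLS certificate is issued for serverAuth rather than codeSigning, and a 47-day lifetime is far below what a signing key needs. MinSigningValidity, MakeTestCert and SigningCertProblems are assumed names, and the certificates are self-signed test data generated inline rather than anything CA-issued.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// MinSigningValidity is an assumed policy threshold (not from the thread): shorter-lived signing certs force re-signing every release.
const MinSigningValidity = 365 * 24 * time.Hour

// MakeTestCert builds a self-signed certificate (constructed sample, not a CA-issued cert) with the given lifetime and EKUs.
func MakeTestCert(lifetime time.Duration, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by CreateCertificate, so this cannot fail
	return cert
}

// SigningCertProblems lists why a certificate is unfit for package signing; an empty result means it passes both checks.
func SigningCertProblems(cert *x509.Certificate) []string {
	var problems []string
	hasCodeSigning := false
	for _, eku := range cert.ExtKeyUsage {
		hasCodeSigning = hasCodeSigning || eku == x509.ExtKeyUsageCodeSigning
	}
	if !hasCodeSigning {
		problems = append(problems, "no codeSigning EKU: a TLS cert is issued for serverAuth only")
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life < MinSigningValidity {
		problems = append(problems, fmt.Sprintf("validity of %.0f days is below the policy minimum", life.Hours()/24))
	}
	return problems
}
```

A 47-day serverAuth certificate fails both checks, while a multi-year codeSigning certificate passes, which is the gap between a web PKI cert and one actually fit for signing releases.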

[–] x00z@lemmy.world 1 points 21 hours ago

My project uses a free one from SignPath. They offer this for open-source projects and require a verifiable GitHub build process. It's not EV certs but it's good enough and free.