feat: Verify patches signature #2082
Labels: Feature request (Requesting a new feature that's not implemented yet), ReVanced Manager Compose (Regarding the Compose rewrite of ReVanced Manager)
Feature Description
Starting with ReVanced API v3, the signature is sent along with the patches file. ReVanced Manager should, by default, trust the public keys of the configured API. The API provides a field at https://api.revanced.app/v3/about called "keys," which links to the keychain. If the signature is invalid, ReVanced Manager must not load the patches to prevent the execution of arbitrary code. Since third-party patch sources do not necessarily use the API, ReVanced Manager cannot verify the signature of these patches by default.
UI
Since the API supplies the keychain, the settings where the API can be configured should make the keychain auditable.
In the patch bundles screen, verified patch bundles should display a checkmark or similar icon to indicate verification. The signature should be auditable, for instance, when viewing the bundle info screen or clicking on the verification icon.
Unverified patch bundles must not be loaded and should appear as unavailable and unverified. If a signature is present but does not match the patches file, this should be clearly indicated. The signature should be auditable unless it is broken or missing, in which case the UI should inform the user. A signature also checks the integrity of the patches, ensuring the file and its signature are unmodified.
A toggle in the settings can disable signature verification. Additionally, a per-patch bundle setting to override the global setting can be added for more granular control, allowing users to check the signature of other bundles but not their personal ones.
Process
When a user adds a third-party bundle, a warning must be displayed indicating that the signature cannot be verified. The signature should be auditable at this point. The user can click "continue" to dismiss the warning. Since the bundle is not loaded and unavailable at this point, the user cannot use the patches while the global setting is on. The user can toggle off signature checks for the specific bundle by entering its screen and toggling off signature verification globally, allowing the manager to load the bundle. An indication regarding the missing signature verification should be displayed at all times.
In the ReVanced Manager settings, users should be able to import keychains from bundle suppliers. If the user imports the keychain first and then the bundle, the signature would be verified successfully, and the patch bundle can be loaded and used. If the user adds the bundle first, the warning about the untrusted signature can also suggest importing the keychain. The user can either dismiss the warning or proceed to import the keychain, with ReVanced Manager directing them to the settings page where keychains can be managed.
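The decision logic described in the Feature Description, UI and Process sections above, as an added example (not ReVanced Manager code and not the scheme the ReVanced API actually uses): the default-trusted API keychain, a third-party bundle that is unavailable until its supplier's keychain is imported, a modified file that no longer matches its signature, a missing signature, and the per-bundle override of the global toggle. Ed25519 stands in for whatever signature format the API ships, and the `KeyID` fingerprint, the `Status` values and the `Settings`/`Bundle` types are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Status is the verification outcome the patch bundles screen would display.
type Status int
const (
	Verified     Status = iota // matches a trusted key: checkmark, load
	Missing                    // no signature shipped: unavailable, unverified
	Mismatch                   // signature present but not valid for this file: flag clearly
	UntrustedKey               // signed by a key in no imported keychain: warn, offer import
	Unchecked                  // verification disabled for this bundle: load, keep indicator
)
func (s Status) String() string {
	return [...]string{"verified", "missing", "mismatch", "untrusted-key", "unchecked"}[s]
}
// Keychain maps a key ID to a public key: the API's "keys" keychain plus user imports.
type Keychain map[string]ed25519.PublicKey
// KeyID is a hypothetical short identifier: first 8 bytes of SHA-256 over the key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}
func (k Keychain) Add(pub ed25519.PublicKey) { k[KeyID(pub)] = pub }
// Signature ships beside a patches file: signer's key ID and signature over the exact bytes.
type Signature struct {
	KeyID string
	Sig   []byte
}
type Bundle struct {
	Patches        []byte
	Signature      *Signature // nil when the source ships none
	VerifyOverride *bool      // per-bundle override of the global toggle; nil inherits
}
type Settings struct {
	VerifySignatures bool     // global toggle, on by default
	Trusted          Keychain // API keychain plus anything the user imported
}

// Verify returns the status to display and whether the bundle may be loaded; only Verified and Unchecked load.
func (s Settings) Verify(b Bundle) (Status, bool) {
	enabled := s.VerifySignatures
	if b.VerifyOverride != nil {
		enabled = *b.VerifyOverride
	}
	if !enabled {
		return Unchecked, true
	}
	if b.Signature == nil {
		return Missing, false
	}
	pub, ok := s.Trusted[b.Signature.KeyID]
	if !ok {
		return UntrustedKey, false
	}
	if !ed25519.Verify(pub, b.Patches, b.Signature.Sig) { // also fails if the file was modified
		return Mismatch, false
	}
	return Verified, true
}
// sign is the supplier side: the signature published next to the patches file.
func sign(priv ed25519.PrivateKey, patches []byte) *Signature {
	pub := priv.Public().(ed25519.PublicKey)
	return &Signature{KeyID: KeyID(pub), Sig: ed25519.Sign(priv, patches)}
}

// Scenarios walks the flows from the issue with constructed keys and patch files.
func Scenarios() map[string]Status {
	apiPub, apiPriv, _ := ed25519.GenerateKey(rand.Reader)
	thirdPub, thirdPriv, _ := ed25519.GenerateKey(rand.Reader)
	s := Settings{VerifySignatures: true, Trusted: Keychain{}}
	s.Trusted.Add(apiPub) // trusted by default from the configured API
	official := Bundle{Patches: []byte("official patches v1")}
	official.Signature = sign(apiPriv, official.Patches)
	third := Bundle{Patches: []byte("third-party patches")}
	third.Signature = sign(thirdPriv, third.Patches)
	unsigned := Bundle{Patches: []byte("no signature shipped")}
	tampered := Bundle{Patches: []byte("official patches v2"), Signature: official.Signature} // file changed after signing
	out := map[string]Status{}
	out["official"], _ = s.Verify(official)
	out["third-party before import"], _ = s.Verify(third)
	s.Trusted.Add(thirdPub) // user imports the supplier's keychain in settings
	out["third-party after import"], _ = s.Verify(third)
	out["tampered"], _ = s.Verify(tampered)
	out["unsigned"], _ = s.Verify(unsigned)
	unsigned.VerifyOverride = new(bool) // *new(bool) is false: verification off for this bundle only
	out["unsigned, override off"], _ = s.Verify(unsigned)
	return out
}

func main() {
	for name, st := range Scenarios() {
		fmt.Printf("%-26s %s\n", name, st)
	}
}
```

The load decision is deliberately a single function so the UI cannot show a checkmark for a bundle that would not load: every state other than `Verified` and `Unchecked` both blocks loading and carries a distinct status to display, and `Mismatch` covers a modified file as well as a signature copied from another release, since the signature is over the exact file bytes.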
Updating
Whenever a bundle updates, the signature must be validated. A proposal for handling third-party bundles without active signature verification is not yet available.
Opt-In Signature Verification
An alternative approach is to disable signature verification by default, which is not advisable. The UI would display a greyed-out icon indicating an unchecked signature. The user can manually enable global signature verification or override the setting for each bundle. This approach is less intrusive for the user but is less recommended due to security implications.
Motivation
Patches execute arbitrary code. Signature checks allow users to ensure that patches come from a trusted source.