From 7ce12e20fabba73fb1dc4d0531f5c6034dbc698f Mon Sep 17 00:00:00 2001
From: Wonderfall <wonderfall@protonmail.com>
Date: Sat, 26 Feb 2022 19:14:56 +0100
Subject: [PATCH] clarify

---
 content/posts/fdroid-issues.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/posts/fdroid-issues.md b/content/posts/fdroid-issues.md
index 7f574da..e486a25 100644
--- a/content/posts/fdroid-issues.md
+++ b/content/posts/fdroid-issues.md
@@ -18,7 +18,7 @@ Before we start, a few things to keep in mind:
 ## 1. The trusted party problem
 To understand why this is a problem, you'll have to understand a bit about F-Droid's architecture, the things it does very differently from other app repositories, and the [Android platform security model](https://arxiv.org/pdf/1904.05572.pdf).
 
-Unlike other repositories, F-Droid signs all the apps in the main repository with **its own signing keys** at the exception of the very few [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/). A signature is a mathematical scheme that guarantees the authenticity of the applications you download. Upon the installation of an app, Android pins the signature across the entire OS (including user profiles): that's what we call a *trust-on-first-use* model since all subsequent updates of the app must have the corresponding signature to be installed.
+Unlike other repositories, F-Droid signs all the apps in the main repository with **its own signing keys** (unique per app) at the exception of the very few [reproducible builds](https://f-droid.org/en/docs/Reproducible_Builds/). A signature is a mathematical scheme that guarantees the authenticity of the applications you download. Upon the installation of an app, Android pins the signature across the entire OS (including user profiles): that's what we call a *trust-on-first-use* model since all subsequent updates of the app must have the corresponding signature to be installed.
 
 Normally, the developer is supposed to sign their own app prior to its upload on a distribution channel, whether that is a website or a traditional repository (or both). You don't have to trust the source (usually recommended by the developer) except for the first installation: future updates will have their authenticity cryptographically guaranteed. The issue with F-Droid is that all apps are signed by the same party (F-Droid) which is also not the developer. You're now adding another party you'll have to trust since **you still have to trust the developer** anyway, which isn't ideal: **the fewer parties, the better**.