https://github.com/f-droid/android-sdk-transparency-log

A "binary transparency" log of the Android SDK binaries, as published on https://dl.google.com/android/repository
https://github.com/f-droid/android-sdk-transparency-log

Last synced: about 1 year ago
JSON representation

A "binary transparency" log of the Android SDK binaries, as published on https://dl.google.com/android/repository

• Host: GitHub
• URL: https://github.com/f-droid/android-sdk-transparency-log
• Owner: f-droid
• License: agpl-3.0
• Created: 2021-09-17T06:38:07.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2025-04-01T20:11:09.000Z (about 1 year ago)
• Last Synced: 2025-04-01T21:25:01.589Z (about 1 year ago)
• Language: Python
• Homepage:
• Size: 4.95 MB
• Stars: 10
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          

# Android SDK Transparency Log

This is an automated log of the Android SDK binaries and their

checksums, as posted in the _sdkmanager_ repositories hosted on

https://dl.google.com/android/repository

This serves as a basic [binary

transparency](https://wiki.mozilla.org/Security/Binary_Transparency)

append-only log for anyone to use.  One of the key properties of any

good binary repository is that the binaries never change once they

have been published.  [Maven has been promising

this](https://blog.sonatype.com/2009/04/what-is-a-repository/) since

2009 at least.  F-Droid has for most of its history.  Occasionally,

Google forgets this, and changes packages that have already been

published:

* [Google Issue #70292819 platform-27_r01.zip was overwritten with a new update](https://issuetracker.google.com/issues/70292819) (Google login and Javascript required)

## API

This can also be used as a basic JSON API by getting the JSON files via the raw links:

* [checksums.json](https://gitlab.com/fdroid/android-sdk-transparency-log/-/raw/master/checksums.json) - a simple dictionary of download URLs and matching checksums

* [status_codes.json](https://gitlab.com/fdroid/android-sdk-transparency-log/-/raw/master/status_codes.json) - the HTTP Status Codes of the last download attempt of this process

## Local verification

If there is an F-Droid _buildserver_ instance setup on a machine, it

will cache the Android SDK components in

_~/.cache/fdroidserver_. There is a script here to log all of the

Android SDK binaries found in that folder:

`./index-cache-fdroidserver.py`.  Run that script on the machine and

user account that runs the _buildserver_ instance, and it will add any

unknown packages it finds to the local _checksums.json_.  If there are

no changes to _checksums.json_ after that script successfully

completes, that means no unknown packages were found.

## Signed Checksums

There are [locally verified](sign_and_publish.sh), GPG-signed, versions of

_checksums.json_ available in the _signed/_ sub-directory:

* [_checksums.json_](signed/checksums.json)

* [_checksums.json.asc_](signed/checksums.json.asc)

* [_keyring.gpg_](signed/keyring.gpg)

* [_keyring.gpg.asc_](signed/keyring.gpg.asc)