[feature request] Reproducible F-Droid app

[jindamvani]

@cvzi If possible can you please make reproducible F-Droid app. For more information see Towards a reproducible F-Droid.

• see also:
  ** Total number of apps using RB: 6 + 75 = 81. Last updated: 2023-03-04
  ** Encourage new apps enable reproducible build

[cvzi]

Is this possible for "old" apps? The documentation only talkes about new apps, not apps that are already in Fdroid.

[jindamvani]

Is this possible for "old" apps?

@cvzi I asked exactly same question: Reproducible F-Droid app not possible for published apps?

[jindamvani]

The documentation only talkes about new apps, not apps that are already in Fdroid.

fdroid devs are making effort to make reproducible apps by default for all new apps.

[cvzi]

I did a quick test and the apk is reproducible.

But I am not sure yet if I want to do it or not.
Autoupdates won't work, meaning I would have to open a pull request to the F-Droid/Data repository for every app update.

[licaon-kter]

Autoupdates should work as expected... what do you think otherwise? @cvzi

[cvzi]

@licaon-kter That's what I understood from: https://forum.f-droid.org/t/reproducible-f-droid-app-not-possible-for-published-apps/21530/5

The whole process is a bit elusive to me though

[licaon-kter]

There are two issues, both feature the word "autoupdate" :)

So, first, are the new releases still (auto)updated/added in the F-Droid metadata when you Tag as usual? Yes

Second, are OLD users (auto)updated to the NEW version with the changed signer? No, as Android does not allow this

OLD users need to UNinstall and REinstall the app, once the repro builds are available.

Solution applied for now, human touch, eg.:

• https://github.com/mehrvarz/webcall-android -> change to repro builds, has an in app news channel for the used server that announced the signer change
• Wireguard, changed to repro builds, announced on https://lists.zx2c4.com/pipermail/wireguard/2023-April/008045.html and https://floss.social/@fdroidorg/110181469096544486
• Mastodon, changed away from repro :( https://floss.social/@fdroidorg/110334276768072552

[cvzi]

It think this way is not a good idea at the moment.
The problem is that the app doesn't have a way to export/import its settings. If people need to uninstall and reinstall they will lose the app settings.
First I would need to add an export/import function for the settings. I guess many apps have such a function included, so I could probably look at other apps and see how it is done.

However:

hans wrote:

You can enable reproducible builds for an existing app, there are two approaches
on F-Droid with reproducible builds:

• only publish with the upstream signer
• publish both with the upstream signer and f-droid.org signer

linsui wrote:

But currently if you want to publish both apks, you need to add the signature to the fdroiddata repo manully for every version.

As I understood that, what you described is the first option. But there is a the second option that would allow old users to keep getting updates, "publish both with the upstream signer and f-droid.org signer". Therefore I focused on the second option.
I interpreted linsui's comment as: I would have to make a pull request to F-Droid/Data for every new version.

[licaon-kter]

Yes, second has both, so old users still get updates, but then the burden is on you to manually add a new MR for each new version.