ImranR98 / Obtainium

Get Android app updates straight from the source.
https://obtainium.imranr.dev
GNU General Public License v3.0

Import from list of installed apps #163

Open mon-jai opened 1 year ago

mon-jai commented 1 year ago

It would be great if we could import from the list of installed apps, so that we don't need to manually search them one by one in Obtainium.

To do this, Obtainium should...

  1. Search f-droid for all installed apps
  2. If a match is found, verify if the app is signed by f-droid

mon-jai commented 1 year ago

Maybe we can also include an option to switch release channel from f-droid to the corresponding GitHub repo.

It shouldn't be too hard to implement since there is a "source code" field in f-droid metadata, pointing to a GitHub repo for most apps.

ImranR98 commented 1 year ago

It's a good idea, but I'd rather not support F-Droid because Android doesn't let you update an App if the new version has a different signing key. So switching between F-Droid and GitHub would not be worth the trouble, and I'd like to discourage F-Droid as a Source in general.

Instead it might be better to grab the names of installed Apps from the OS, then feed those into the existing search feature (currently supports GitHub but others could be added). But that would lead to rate limit errors very quickly, and require a lot of user interaction (they'd have to manually pick between search results).

So I'm not sure if this should be considered at all.

Efreak commented 1 year ago

While I'm not sure if this is a good idea or not, the fdroid index includes both package name and source URL for each app. You can parse the index to search for the app, verify that it's not signed by fdroid and add it. The index should also include a hash of the app and possibly the public key, which you can check against the installed app to ensure that you don't accidentally add an app that you can't update. Then you only add GitHub/other repos for those apps that are both installed and not already listed.

ImranR98 commented 2 months ago

> You can parse the index to search for the app, verify that it's not signed by fdroid and add it. The index should also include a hash of the app and possibly the public key, which you can check against the installed app to ensure that you don't accidentally add an app that you can't update.

I don't see how we could verify the app's signature without downloading its APK. The 2 sources of info from F-Droid as far as I know are the API and GitLab repo and neither contains this info. For example:

Even if we could, I think the vast majority of F-Droid apps are signed by them, not the developer, so we wouldn't be able to use F-Droid-sourced APKs most of the time.

Instead we would have to grab releases from the source URL provided by F-Droid as you suggested. But for each source, there are various additional settings that we wouldn't know how to set automatically. For instance, the OpenCamera example above points to a SourceForge URL, which Obtainium can't handle without manual setting changes by the user. Another good example is Brave Browser. Some repos even have multiple unrelated APKs in a single release with different version numbers etc. So an automatic import process would not be very reliable - users would still have to deal with a lot of apps that failed to be added, or that were added with bad settings.
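
The signer check discussed in this thread, as an added example (not code from Obtainium or from any commenter): given the signing-certificate fingerprint of each installed app and a parsed repository index, it separates apps whose installed copy carries the repository's key from apps that are candidates for the upstream source URL. The index layout, field names, package names, URLs and fingerprints are constructed assumptions.

```python
# Constructed sample data; the index layout and field names are assumptions.
REPO_KEY = "ab" * 32   # SHA-256 fingerprint of the repository's signing cert
DEV_KEY = "cd" * 32    # SHA-256 fingerprint of a developer's signing cert
INDEX = {
    "apps": [
        {"packageName": "org.example.notes", "sourceCode": "https://example.org/notes.git"},
        {"packageName": "org.example.camera", "sourceCode": "https://example.org/camera.git"},
        {"packageName": "org.example.nosrc"},
    ],
    "packages": {
        "org.example.notes": [{"signer": REPO_KEY}],
        "org.example.camera": [{"signer": REPO_KEY}],
        "org.example.nosrc": [{"signer": REPO_KEY}],
    },
}
INSTALLED = {  # package -> fingerprint reported by the OS for the installed copy
    "org.example.notes": ":".join(["AB"] * 32),  # same key, different notation
    "org.example.camera": DEV_KEY,
    "org.example.nosrc": DEV_KEY,
    "org.example.other": DEV_KEY,
    "org.example.tracked": DEV_KEY,
}


def norm(fp):
    """Normalise a fingerprint: drop colons and whitespace, lowercase."""
    return "".join(fp.split()).replace(":", "").lower()


def plan_import(installed, index, tracked=()):
    """Return {package: (decision, source_url_or_None)}."""
    sources = {a["packageName"]: a.get("sourceCode") for a in index["apps"]}
    plan = {}
    for pkg, fp in installed.items():
        signers = {norm(v["signer"]) for v in index["packages"].get(pkg, []) if v.get("signer")}
        if pkg in tracked:
            plan[pkg] = ("already-tracked", None)
        elif pkg not in sources:
            plan[pkg] = ("not-in-index", None)
        elif norm(fp) in signers:
            # Installed copy carries the repository's key: an upstream APK
            # signed with another key would be rejected as an update.
            plan[pkg] = ("repo-signed", None)
        elif not sources[pkg]:
            plan[pkg] = ("no-source-url", None)
        else:
            # Candidate only: the upstream APK's signer is still unverified.
            plan[pkg] = ("add-from-source", sources[pkg])
    return plan
```

An "add-from-source" result only says the installed copy was not signed with the repository's key; whether the upstream release matches the installed signer is still unknown until that APK is inspected.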