albertogeniola / Custom-Meross-Pairer

Android APP that allows pairing Meross Devices with third party MQTT brokers
GNU General Public License v2.0

Sign release APK? #13

Closed IzzySoft closed 9 months ago

IzzySoft commented 2 years ago

Currently, the releases have an unsigned APK attached. While advanced users and developers surely can sign it themselves, average users can't. Would you mind attaching a signed APK?

Besides, what licence is protecting the app? Your repo or the code do not say, so currently it's "all rights reserved" – which is a legally uncertain situation for potential contributors as well as for those wanting to re-use code from your app – and also for those who want to share your app with friends :wink:
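For a maintainer or repo operator who wants to reject an unsigned upload before it reaches users, the check below (an added example, not code from this repository or either commenter) inspects an APK for the v1 JAR-signature entries under META-INF/ and for the v2/v3 APK Signing Block magic that sits directly before the ZIP central directory. The sample APKs are constructed in-memory stand-ins; detecting that a scheme is present says nothing about validity, which still needs `apksigner verify`.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # last 16 bytes of a v2/v3 APK Signing Block
V1_SIG_SUFFIXES = (".RSA", ".DSA", ".EC")  # JAR-signature block files under META-INF/

def _central_directory_offset(data: bytes) -> int:
    # EOCD: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_offset(4) ...
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK: EOCD record missing")
    return struct.unpack_from("<I", data, eocd + 16)[0]

def apk_signature_schemes(data: bytes) -> dict:
    """Report which signing schemes an APK carries (presence only, not validity)."""
    cd = _central_directory_offset(data)
    # v2/v3: the signing block sits directly before the central directory, magic last
    has_block = cd >= 16 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    has_v1 = "META-INF/MANIFEST.MF" in names and any(
        n.startswith("META-INF/") and n.upper().endswith(V1_SIG_SUFFIXES) for n in names)
    return {"v1_jar": has_v1, "v2_or_v3_block": has_block, "signed": has_v1 or has_block}

def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed stand-ins for a release artifact: a bare APK, a v1-style one, a v2-style one
def unsigned_sample() -> bytes:
    return _build_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\0"})

def v1_signed_sample() -> bytes:
    return _build_zip({"AndroidManifest.xml": b"<manifest/>", "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "META-INF/CERT.SF": b"Signature-Version: 1.0\n", "META-INF/CERT.RSA": b"\x30\x00"})

def v2_signed_sample() -> bytes:
    # Splice a minimal signing block (no pairs) before the central directory and fix the EOCD offset
    base = unsigned_sample()
    cd, eocd = _central_directory_offset(base), base.rfind(b"PK\x05\x06")
    block = struct.pack("<QQ", 24, 24) + APK_SIG_BLOCK_MAGIC
    patched = base[:cd] + block + base[cd:]
    field = eocd + len(block) + 16  # cd_offset field of the shifted EOCD record
    return patched[:field] + struct.pack("<I", cd + len(block)) + patched[field + 4:]
```

A release gate would run `apk_signature_schemes` on the uploaded file and refuse anything where `signed` is false, then hand signed candidates to `apksigner verify` for the actual certificate check.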

albertogeniola commented 2 years ago

Hi @IzzySoft , I am not providing signed apps from GitHub as I am actively managing releases via Google Play Store. The apps I release here are only meant for advanced users who do not want to wait for Google Play Store validation or who want to "rollback" to a previous version (that's not possible via the PlayStore). Thus, for those use cases, I expect the users to know how to deal with code and APKs.

Regarding the license, you are right, I'll update the repo with some more specific information about that.

albertogeniola commented 2 years ago

Licensing terms added in https://github.com/albertogeniola/Custom-Meross-Pairer/commit/81698bb70e83b13d6323da1a9c5df8cbf5f643ad .

IzzySoft commented 2 years ago

Thanks! So what about those users without access to Play – because they have a device not supporting that (Huawei etc), because they intentionally don't have a Google Account (e.g. avoiding GAFAM tracking), and so on? Speaking in a picture: you've got a free bird here but put it into a cage :wink: (besides the fact a private key IMHO should stay private, and not be given to an ad company – who can say what they might add one day :speak_no_evil:)

albertogeniola commented 2 years ago

Ok, I see there is a use case I was not considering: devices with no Google Play support. In that case, I might consider releasing signed APKs on this repo, if that works for you. In such a case, the user might still need to explicitly trust "untrusted sources" for installing this app, right?

IzzySoft commented 2 years ago

Yes, but just for a single app. Let me drop a link here: https://apt.izzysoft.de/fdroid – that's the background that brought me here, I planned to add your app there. Users of that repo (and of the main F-Droid.org repo) have already white-listed their favorite F-Droid client for this purpose, so no extra action needed.

For some background: The "F-Droid system" can be compared with what Linux users are familiar with from their packaging system. There are "official repos" (here: F-Droid & F-Droid Archive plus the same 2 from the Guardian project), and you can add additional repositories. In theory, everyone and their little sister can even run their own repo, and so there are several third party repositories. Mine is (with currently 800+ apps listed) the biggest of those and, me being one of the maintainers at F-Droid itself, often serves as "stepping stone" for new apps not yet ready to meet the stricter criteria of F-Droid itself. Some apps stay with my repo "forever" as they either cannot meet those said criteria, or decide to stay nevertheless (some e.g. have their "early adopter", or "testing/beta" versions in my repo for easier access by their testers, while the "stable releases" are offered via F-Droid for the "regular users").

TL;DR: If you can provide a signed APK and keep attaching that with each new release you publish, it will be available via my repo in usually less than 24h; users then get a notification of the available update, and can install that without any hassle – same way as others use Play Store. No additional steps required. If the F-Droid client was included with the ROM (several custom ROMs have it), the app can even be updated fully automatically.

IzzySoft commented 2 years ago

Hi @albertogeniola, I see the pre-releases are signed now. Do you want me to start with those – or rather wait for the next release? Or would you add a signed APK to the last stable release, so I start with that (ignoring the pre-releases)?