Why not publish apks assets of releases on Github?

[corneliusroemer]

Yes, you've mentioned that you don't want to support F-Droid.

But what about putting the apks for all releases on Github as assets?

Many of the critical issues arising today could have been avoided, had you simply published the apks in advance - allowing early adopters to check for problems in devices you consider too exotic to be tested by your team.

If an apk can appear on https://apkpure.com/de/corona-warn-app/de.rki.coronawarnapp why can't it appear here on Github? It's more trustworthy, it would allow testing of bug fixes and features before official release and also avoid the country store problems like corona-warn-app/cwa-app-android#478

What are your reasons against this? Is it not literally just the upload of a file?

---

Internal Tracking ID: EXPOSUREAPP-2140

[Loxad]

Afaik Play Services are needed for the contact tracing, so sideloading may be unwanted in general.

[corneliusroemer]

@Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc

Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.

[tomjschwanke]

@Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc

Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.

The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

corona-warn-app/cwa-app-android#477

[corneliusroemer]

@Loxad You may know more than me. Are play services not independent of the apk? Is there any difference between Play store apk and sideload apk? I thought they were 100% identical if they're simply copied. Including signature etc Just an alternative way of distributing. Or maybe I misused sideload. Feel free to explain.

The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

corona-warn-app/cwa-app-android#477

@tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.

[tomjschwanke]

@tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.

You're right, it's not available everywhere, however they've acknowlegded this and are working on lifting that, see corona-warn-app/cwa-app-android#478

[corneliusroemer]

@tomjschwanke Nope sorry, you're wrong. The app is geo restricted in the playstore.

You're right, it's not available everywhere, however they've acknowlegded this and are working on lifting that, see corona-warn-app/cwa-app-android#478

Yes, correct. But why not do both. Plus there's the advance beta testing advantage before it gets pushed to the masses if the apk is available here on Github.

[tomjschwanke]

Yes, correct. But why not do both. Plus there's the advance beta testing advantage before it gets pushed to the masses if the apk is available here on Github.

I must admit, a release on GitHub would be a nice bonus to download old versions (if you want that) and you wouldn't have to go through Google Play. However, you still need Google Play Services. Other stores would be out of scope though, since they'd need to upload them to every single store.

But Google Play + GitHub release would be optimal actually

[vmx]

The API used by the App is only available with Google Play Services installed. If you have them installed, you also have the Playstore to download the app.

You can have Google Play Services installed without having a Google Account connected to it. This way you could use the app, but you cannot install it over the Playstore. I think having an official APK download would be way better having those folks downloading if from random third parties.

Update: Sorry @tomjschwanke, I saw your last comment only after I posted that comment. That sounds great.

[jbauerrfid]

A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries. Another issue might be that APKs must be signed with publishing keys to put them on Google Play, and IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection. If you need the APK you still have the option to clone this git repo and compile the APK yourself with Android Studio from https://developer.android.com/studio

[Pltiton]

I vote for a already precompiled apk to download as well. It is all about trust. I trust the sourcecode, but I don´t trust Google, Apple oder the Government - isn´t that the reason why the APP is Opensource? I know I can compile it, but thats time consuming and not all the people have the Know-How to do it. With siedloading I am the one who controls the updates - not Google.

[tomjschwanke]

I vote for a already precompiled apk to download as well. It is all about trust. I trust the sourcecode, but I don´t trust Google, Apple oder the Government - isn´t that the reason why the APP is Opensource? I know I can compile it, but thats time consuming and not all the people have the Know-How to do it. With siedloading I am the one who controls the updates - not Google.

The entire Exposure Notification API is from Google. This app interfaces with it.

[Pltiton]

I know, but thats no reason not to sideload it.

[corneliusroemer]

A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries. Another issue might be that APKs must be signed with publishing keys to put them on Google Play, and IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection. If you need the APK you still have the option to clone this git repo and compile the APK yourself with Android Studio from https://developer.android.com/studio

@jbauerrfid Nope this doesn't work, since you need to have a whitelisted key to access the exposure API

[iMartyn]

A few words of clarification: GitHub is a SCM (Source Code Management System). It is not intended to host compiled binaries.

That's simply not true. Git is an SCM, GitHub is much more than that, we're currently talking in a thread in the Issue Tracking feature of GitHub and there is a Releases feature for the very request we are talking about.

APKs must be signed with publishing keys to put them on Google Play, IMO the RKI does not want to expose these keys to avoid issues with hacked or fake apps, or malware injection.

That's not how public-private-key encryption works, signing of an APK is done with a private key that is not in the APK at all, it is verified by using the public key.

Compiled APKs on the release page would go a long way to building trust. There are valid reasons to have the google services installed and not want to use the play store, and the lack of APKs (that are already compiled as part of CI so can as easily be uploaded to Github as the Play Store) will lead people to getting it via third parties where you don't control the platform, and then malware etc. is a problem.

You're never going to stop APKs getting out there into the wild, by providing them here, you will make this the default place for people who want them, and save people from infections (of both kinds!).

One last point - by not providing the APKs here, it makes it look as if you're trying to hide something, to stop people decompiling the APKs to check that they are actually built from this source. This undermines the benefits of releasing this as opensource.

[nilsalex]

Could someone please clarify this point for me: An officially signed APK (probably extracted from the app bundle? -- I'm not really familiar with all this) would have access to ENF API, just like the version installed from the play store?

[iMartyn]

The app bundle is the APK in android world terms, but yes, as far as I know there is no way to lock down API usage to applications installed in one way or another. There are ways for applications to interrogate the play store API to prevent usage if they were not "purchased" but no API lockdown per se.

[corneliusroemer]

Dear maintainers (@tkowark @SebastianWolf-SAP @jakobmoellersap)

What's the status on this? Would be great if you could comment since there is absolutely nothing the community itself can do without you.

While you are working out the play store issue, isn't this a limited but good workaround?

[immibis]

@jbauerrfid GitHub has the "releases" feature, which is designed for hosting compiled binaries.

I would also like to be able to sideload the app because of the play store issue. (Would you prefer if I compiled it myself? I doubt it)

[nilsalex]

@immibis The thing is, you cannot compile the app yourself. Well, you can, but without using the official key to sign it, the app is pretty much useless because it cannot access the API.

[corneliusroemer]

This issue is very related to the unfortunately closed issue corona-warn-app/cwa-app-android#477

[iMartyn]

@corneliusroemer There has been NO explanation as to why you will not provide an APK for those who have google play services but do not wish to install via the Play Store, nor for those who wish to verify the built APK is the result of the source. By closing this issue with no valid reasoning, again, this retracts from the the trust of the application and endangers users. please reconsider.

[corneliusroemer]

@iMartyn I agree with your points. But I'm confused why I'm tagged and why you posted what you wrote here :)

[vmx]

For everyone who wants to install the app without the Play Store, it's a security risk as you need to download it from random websites like:

https://apktada.com/app/de.rki.coronawarnapp https://www.apkmirror.com/apk/robert-koch-institut/corona-warn-app/corona-warn-app-1-0-0-release/corona-warn-app-1-0-0-android-apk-download/

I downloaded version 1.0.0 from my phone (I got it via Aurora Store) and from the websites above. The downloads have the same checksums as the file I got from the phone. They are:

MD5: eee459f2b1533a39fbac76e4ded254c9
SHA1: 4f2fe3fd93f2f538153acdbe304b27880443af3c
SHA256: a2c7979dd32f05cc1bd93d992a382f9b60c8556641e34458588bfbee65d927b2
Blake2: 165f3224e3497fef75371b3182d1d1bc5cc581a250550a57a20c57f95077dd0483432fc1c2af7cab9b3c3dd6223ad1acdb8d6e6d2332b36246bf08b3209bf105

Even if you cannot provide the APK, it would be nice if you could provide official checksums. It would make APK downloads from website at least a bit safer and you wouldn't need to trust strangers posting checksums.

[iMartyn]

@corneliusroemer sorry about the confusion, on the mobile interface the "mentioned a closed issue" and "closed this issue" line look almost identical, I thought that you had closed this issue! :-D

[Matombo]

Well this issue is what prevents me from installing the app, too. Not getting the app outside of the playstore is activly blocking people from using the app, which is against the intended purpose i guess?

[Pltiton]

@vmx : Thank you for the Information, wasn´t the most recent App version the 1.02? The one in the store is 1.0.0

[tomjschwanke]

@vmx : Thank you for the Information, wasn´t the most recent App version the 1.02? The one in the store is 1.0.0

Yesterday an update to 1.0.2 was published to the Google Playstore

[corneliusroemer]

@corneliusroemer sorry about the confusion, on the mobile interface the "mentioned a closed issue" and "closed this issue" line look almost identical, I thought that you had closed this issue! :-D

@iMartyn All good, thanks for clarifying, now it makes sense. If you read a bit around on my comments on this project you will notice that I'm in fact doing the opposite of what you thought I did. I reopen issues that are closed without proper justification and get myself into hot water with the maintainers. See corona-warn-app/cwa-app-android#478 and corona-warn-app/cwa-app-android#600. In fact I opened this very issue after a similar one reported by someone else got closed with insufficient justification: corona-warn-app/cwa-app-android#477

Here's the reasoning:

We already clarified very early that we can't provide APKs and/or F-Droid releases. Please see corona-warn-app/cwa-documentation#5 for details. Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team

Which references:

Really an interesting discussion, but I'm sorry to tell you that there is no additional information from our side beyond the comments that @MalteJ already made in corona-warn-app/cwa-app-android#5 (comment) and corona-warn-app/cwa-app-android#5 (comment).

Deutsche Telekom and SAP have the task to develop an application based on the Google/Apple framework which can be delivered to the public via the respective stores. Any functionality/capability which goes beyond that can't be guaranteed by us and would probably need to be implemented by the community by code/reuse or an alternative implementation of the specification. Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team

The maintainers don't take into account that the app cannot be self-compiled from source because of special whitelisting. This is one reason why a Github hosted APK would be so useful. They mix various unrelated issues into one and say they can't do much about it.

That's the history more or less for people who are new to the discussion ;)

[nilsalex]

If the agreement with the Bundesregierung is to only publish via the stores (this seems to be the issue, right?), surely they could re-negotiate this point? Would go a long way towards building trust in the app if it could be used without a google account and solve the problems related to availability.

[SecJoe]

You have to accept their decision if they don't want to provide APK assets in GitHub. Nevertheless, you can extract the APK from you Android (lets say an old testing device or an emulator) if you have downloaded it before with Google Play. Afterwards, install it on your real device via sideload. The APK is locatated in the internal app folder and you can get it without root. So that's an option to solve your problems, but accept if they want to upload every APK here as a service. Anyway, with the view to OpenSource, APK asset uploads on lets say GitHub are used often.

[Pltiton]

The Government is spending a hell of money, goes the Open Source way, to generate trust. I do trust the programmers - but I don´t trust the government. I have automatic updates turned on, and I don´t want to change that just for one app. In the future, I could possibly get a complete different code through an update which then generates data profiles - as the Government is the owner of the Google account, that is easy. The government wants me to install the app - not the other way around. So no apk - no instal - its as simple as that. To be honest, thats the typical way of the government, promise something and don´t do it fully.

[bersbersbers]

@Pltiton

I have automatic updates turned on, and I don´t want to change that just for one app.

You don't need to: simply exclude this one app from auto-updates. You're welcome.

The app will update automatically when updates are available. To turn off automatic updates, uncheck the box. https://support.google.com/googleplay/answer/113412?hl=en

Die App wird automatisch aktualisiert, sobald Updates verfügbar sind. Entfernen Sie das Häkchen, wenn keine automatischen Aktualisierungen erfolgen sollen. https://support.google.com/googleplay/answer/113412?hl=de

[iMartyn]

You say

You have to accept their decision if they don't want to provide APK assets in GitHub.

I disagree fundementally - I don't have to accept the decision, and this project is not being open about why they do not want to.

(snipped random workaround that ignores all the reasons why people want this) So that's an option to solve your problems, but accept if they want to upload every APK here as a service.

A. This is a bad workaround and shouldn't be necessary and B. They already have a pipeline for building and uploading APKs. It's not us asking for "a service", it's asking for them to use Github releases as they are intended.

Anyway, with the view to OpenSource, APK asset uploads on lets say GitHub are used often.

Yes, so at least we agree here, this is the common, expected thing. When people say "we'll do this open-source on github" it's not unreasonable for people to expect that they do it properly, like most other opensource developers do.

[nilsalex]

@iMartyn +1 Although I personally don't care, it should be possible for people who don't want to use a google account to just download an official release of the app and use it on their phone. Especially because there has been no argument given to the contrary, just an "not part of the agreement". Any workaround involves using a google account or trusting an unofficial source.

[ad2003]

The Problem with this whole project is: It is only partly OpenSource. While I appreciate the idea of making the development an open source project, it all makes absolutely no sense in case of open source, when there is no way to use the app without the closed sources from Google / Apple.

It is a simply a lie, when you praise this project as Open Source, while you cannot compile this app on your own from GitHub and use it. If you cannot compile the working app from Source, it is not 100% OpenSource. How would someone know what is uploaded on the Store?

Wouldn't SAP / Telekom / Governemnt have to trust third party (aka Google, Apple) with UserData when using their closed sources? Please correct me if I am wrong here.

[nilsalex]

I agree, but this is not in scope for this issue. Here, we are asking why the apk is not being provided. This is a solvable issue.

[ad2003]

I guess, that is the problem: It is not the idea of having the APKs in the wild, but on the App Stores.

[iMartyn]

Again, for clarity, the APKs will always be in the wild from untrusted sources. There is no feasable way to stop that. They will also be a massive target for hijacking. What we are asking for is that they are provided here as a reputable source, to protect users.

[ad2003]

No need to "again" me :).

I understand what this topic is about and what is asked here for - apks from reputable source. Yeah, would have been great to have those APKs from day 1 instead from App Stores. Let's see if this going to happen.

[lordyavin]

Hey maintainers (@tkowark @SebastianWolf-SAP @jakobmoellersap), please respond to this request.

The work on this project is or will be paid by an obscenely high amount of tax money. According to heise 20 million euros for development and up to 3.5 million for operation. So there is no reason to ignore justified and meaningful requests from citizens or users.

[SebastianWolf-SAP]

Dear colleagues,

similar to the discussion around the release of the Corona-Warn-App in international app stores this is something that needs to be discussed with our partners, especially the Robert Koch-Institute.

As we don't have any update if that can be done (current status see FAQ), we will move it to cwa-wishlist for now. Please continue discussing and especially voting, so that things can change...

Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team

[ironjan]

@SebastianWolf-SAP the FAQ-entry is quite in need for improvement. In fact, some of the points it states are false. This comment is structured as follows. First, it picks apart the FAQ entry sentence by sentence. Secondly, it presents a summary of the discussions related to releases outside Google Play and a list of potential reasons. Finally, the comment will be concluded by a TLDR section that oversimplifies the comment.

(Parts are separated by lines)

---

Android: The app isn’t available as an APK, neither on GitHub nor on F-Droid etc. Will you also deliver the app as an APK?

This headline already mixes two very different topics and hints that SAP/Telekom must have a deeper discussion with RKI about the topic. Short:

• F-Droid does not allow Google Play Services
• APK releases are "enable download without Google Play by providing the download thing outside Google Play"

There are no plans to deliver the app as an APK at the moment because the app requires Google Play.

The app does not require Google Play. It requires Google Play Services. The only need for Google Play (notice the missing "Services") is "there is no other way to install it". Google Play Services can be installed on a device without Google Play as stated in multiple iterations of this issue.

I assume that the "no plans" part is true. Otherwise someone would have been tasked with the task to gather all currently released versions and upload them to Github.

By distributing the app via Google Play Store, we can be sure that we meet all requirements for the app. However, the developer community is currently checking if the app can be enhanced so we can also make it available as an independent APK.

The community consensus seems - by a very far margin - "just upload to github releases what you upload to Google Play. This can even be done via your CD pipeline!".

The app itself does not require any changes to be distributable as APK or AAB.

Distribution via Google Play makes things a little bit easier for the developers and users that use the German Play Store.

For details, please see https://github.com/corona-warn-app/cwa-documentation/issues/5 and https://github.com/corona-warn-app/cwa-wishlist/issues/57.

Well. The linked issues can be summarized as "No FDroid because of Play Services, hence CoraLibra" and "Could you just upload on Github what is uploaded on the Play Store?".

---

As far as I remember all discussions, the actual reasons that prevent a release via APK are not related to the reasons stated in the FAQ:

• Process Based: the APK release needs to be discussed with RKI and the results are not community-ready.
• Legal Reasons: as you already hint at - SAP/Telekom is bound by the RKI's decision.
• Technical Reasons: the app does not verify its environment completely after start, e.g., it does not verify if there actually is a Bluetooth device (just an example as this would be ensured by Google Play installation and the AndroidManifest's uses-feature)
  • Usability Based: technical reasons may lead to UX problems, e.g.: no Bluetooth, no tracking. User is confused.

The FAQ entry makes it seem that "Technical Reasons" is the main concern. However, IMHO, the other two reasons outweigh this by, don't know, being the actual reasons.

The developer community can actually solve technical reasons. The developer community cannot "solve" RKI's decision not to distribute via APK/AAB.

---

TLDR: The FAQ entry states wrong facts and confuses multiple topics. It does not outline the actual reasons that prevent a distribution via APK/AAB and just diverts. It moves the "fault" for not providing APKs/AABs to the "developer community" despite the reasons most likely being process-based and legal.

[SebastianWolf-SAP]

Thanks, @ironjan. You are completely right. We explicitly decided to merge both topics in one FAQ entry as questions also often mix things here. Of course, technically and from an organizational perspective they can be addressed independently.

Anyway: We just updated the text accordingly. Hopefully, it now fits reality and previous explanations better.

• German: https://www.coronawarn.app/de/faq/#apk
• English: https://www.coronawarn.app/en/faq/#apk

Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team

[ironjan]

@SebastianWolf-SAP Thank you, the improved version is certainly better. With the new explanation, the developer community could actually tackle the technical constraints that prevent APK/AAB distribution: adding a smoke-check that verifies the environment (probably already there since an installation via Play Store does not magically install Play Services, their existence must always be verified).

Could you also notify RKI to pro-actively provide access to the legal assessments that drive these decisions? These assessments would probably needed to be made available if requested via IFG anyway, so there would be less work for everyone.

[SebastianWolf-SAP]

Well, we are in constant contact with the RKI on these topics, but things are not that easy, mainly because of legal aspects as you could see in the international app store story... We'll definitely keep on working in that direction. :)

Mit freundlichen Grüßen/Best regards, SW Corona Warn-App Open Source Team

[ronnaldmcdonnald]

When it isn't possible to offer the .apk here in github, may you perhaps publish the hashsums of the official apk-versions so I can be sure not to install a corrupted version? Best regards Ronnaldmcdonnald.

[alohapersona]

Given that CWA can now run with microG [1][2] and thus without Google Play Services, distributing the .apk outside of Play Store sounds sensible.

[1] https://github.com/microg/android_packages_apps_GmsCore/releases/tag/v0.2.12.203315 [2] https://gruene.social/@norbert/104827407990149571

[IzzySoft]

This is kind of schizophrenic: the RKI wants us to use the app – but it doesn't want to give us the APK so we can install it. After now 4 months, the main argument still is the RKI has not given its OK. To me (and all those not using Play Store for various reasons), this makes the app "dead meat". Admitted, it might concern a minority – but it's needlessly excluding several groups of people from using the app:

• visitors from abroad (due to geo-locking; OK, this might be worked on or even solved already, I don't know)
• people with devices that come without Play Store etc (e.g. Huawei; these will certainly miss Play Services as well and thus are just mentioned for completeness here, but for obvious reasons they might not be able to use the app anyway – but those folks might have decided to settle with microG as they don't need the "full Google package")
• privacy focused folks who for good reasons capped their "Google bindings". The subgroup of these having microG installed (like me) could use the app if they could get the APK – which this is about.
  • no, installing it on a second device to grab the APK from there is not a solution. First it would mean using a Google account again (which is exactly what us privacy folks try to avoid), second it involves a bunch of unneeded extra-steps, and third it's impractical (especially for those not able to deal with ADB and other "technical stuff")
  • no, as already stated: though some of this group might be able to compile the app from its sources, they couldn't sign it with a key that would be accepted. And even if, that would just help a very small subgroup
  • no, as already started: grabbing it from "some wild places" where other folks thankfully uploaded the APK is no solution – it's rather a security risk (apart from the fact one rarely gets an up-to-date version that way)

I guess I'm speaking for many participants of this issue (and even more not having actively participated in it) if I say: without the APK being available outside Play Store at an official place (and none better than Github releases), I won't be able to use it. So if you want us to use it, please make it available – and don't wait with this decision for multiple quarters (of course, this is addressed at the RKI – if it's only the RKI holding back here; no offense meant to those willing but having their hands tied behind their backs in this issue).

PS: a "political statement": by not making the APK available here you're putting a minority at a higher risk. By doing so, you increase the risk of the majority as well. This somehow goes against the purpose of this app, don't you think?

[rugk]

FYI there is a slightly related issue about publishing the app on F-Droid and using reproducible builds. What actually also matters for this issue here is the description there that you now do not need Google Play Services anymore for this to work, as you now can use microG.

[IzzySoft]

@rugk that's related to on device – inside the app, you still need those proprietary libs, there's no replacement available yet. But I see I posted my last comment to the wrong issue, in answer to your comment "over there":

As the BfDI was just interviewed on this topic, I've asked them to "animate" the RKI in this direction. Maybe it helps a bit if the voice comes from "upstairs" instead just from us "peasants below" :roll_eyes: