covid-be-app / cwa-app-android

Native Android app using the Apple/Google exposure notification API.
https://coronalert.be
Apache License 2.0

Question regarding open source #69

Closed editicalu closed 3 years ago

editicalu commented 4 years ago

Happy to hear the app is open source!

I have a few questions for when the app will be generally available:

roidelapluie commented 4 years ago

The app requires using the proprietary Google APIs for COVID exposure notification. I guess you will only be able to run it on phones which have Google services enabled (and thus the Play Store).

editicalu commented 4 years ago

Hmm, I guess so. Tried to compile it yesterday and was greeted with errors about not having the exposure API. So I guess no.

It's really sad to see such an important app be proprietary and, from a developer perspective, not having the ability to have reproducible builds. This might seem nit-picky, but for me, that's a reason not to fully trust it.

sdebruyn commented 3 years ago

@editicalu The build is reproducible, what @roidelapluie said is that you can't just run it on AOSP Android (<> Google Android). Which errors did you get? Did you install all the required Android SDKs?

editicalu commented 3 years ago

I meant: can I compile it, put it on my phone and use it in the production environment as if I downloaded it from the Play Store? So I can use it and be sure that no code modifications from this open source version were made before uploading a compiled version to the Play Store.

I opened the project in Android Studio, pressed run and that's all I tried so far. Android SDK updated to latest versions.

ArthurAttout commented 3 years ago

@editicalu, I just cloned the repo on commit https://github.com/covid-be-app/cwa-app-android/commit/e37a616330fdd5902253dac1c5389732b6ee23f6, compiled with 0 errors. Installed generated APK on physical device with no issues.

Using Android Studio 4.0.1 Build #AI-193.6911.18.40.6626763, built on June 25, 2020

sdebruyn commented 3 years ago

@editicalu Nobody can help you if you don't tell us which errors you are getting

editicalu commented 3 years ago

@sdebruyn Installing works, but I get errors when running the app (sometimes when I get to the exposure screen, sometimes only when I activate it). Errors around the Exposure API not being available. Similar issues seem to indicate that it is not possible, because I'm not whitelisted as a developer.

I didn't ask for help. My question to the developers is if there was a way to use it from source as is, but the comments on the German app seem to indicate that this is not possible due to Google blocking API access to non-whitelisted apps/signatures/...

sdebruyn commented 3 years ago

So the build is reproducible and this issue is a duplicate of #85?

editicalu commented 3 years ago

Well, no, because there's no way to know whether the version in the Play Store is the exact same one that you'd get if you build the app from scratch, because apparently we cannot use the app from scratch in production.

I'd like to compare it to the pacman (package manager) approach, where you could get and use the build instructions (in the form of PKGBUILD files). You'd get the exact same binary as the original packager (or you'd notice).

sdebruyn commented 3 years ago

You do get the same binary. What is the difference?

ArthurAttout commented 3 years ago

I think to fully use the app from source, since it requires some touchy functionalities from Google API, you'd need to generate a signed APK, with your own keystore.

leroynicolasalexi commented 3 years ago

Only the APK signed for the Play Store works with the Google Exposure API, as the keystore certificate has to be whitelisted by Google.

editicalu commented 3 years ago

@leroynicolasalexi Thank you for your response. That summarizes my questions.

To summarize for anyone reading this in the future:

Due to the Google API rejecting unofficial keystores and their signatures, it will not be possible to compile from source. This makes it unable to be pushed to F-Droid. I do understand the reasons for doing that (namely to avoid people abusing the system by e.g. sending out false information), but it does make compiling and using the project impossible.

That said, it might work with Micro-G, as said in #85.

ArthurAttout commented 3 years ago

Well, it's not impossible, you 'just' need to opt in for a Google Play signed APK