feature request: f-droid store

[neonknight]

Please also publish on f-droid.org (free/open source android catalogue)

[gryphius]

After some fiddling I think I've got a working version on https://gitlab.com/gryphius/fdroiddata/commit/3e74d44783580b9660a631ca873fbdff99312b51

However, it looks like this would not be merged in its current form as it is not allowed to include dependency downloads in the build process. Need to figure out how to let fdroid build dnsjava as well.

I personally have never used fdroid, any help from someone more familiar with the process appreciated.

[IzzySoft]

I've filed an RFP (Request For Packaging) with F-Droid, please keep an eye on it (maintainers might have questions). Meanwhile, the app is already available via my repo (see #10) to be used with the F-Droid client.

@gryphius you might wish to chime in "over there", maybe you can establish the use of a "reproducable build". That way the .apk in the main repo would be the one you have signed, and thus people can easily switch over from the one in my repo or the one you've uploaded to Playstore.

[TPS]

@IzzySoft Glad you added it to your repo, @ least.

[IzzySoft]

Sure thing, @TPS

[gryphius]

Apparently it has been included, see https://gitlab.com/fdroid/rfp/issues/446

Thanks!

[IzzySoft]

Indeed, Michel seems to have added it yesterday. Might take a few days for it to pop up in the lists, though: there were some issues with the build server lately (again), so now it has to "catch up". I saw 2 new apps appearing yesterday, but I know there must be several more in the queue.

As soon as it's there, we should consider removing it from mine to avoid confusion: unless it uses reproducible builds (which IMHO it doesn't), the signatures won't match. So it's no help that updates come faster with my repo if the user installed from the official one, as cross-updates won't work – which would only "annoy" users. I'd keep the metadata just in case, so if for some reason F-Droid stops updating you'd only need to drop me a note to re-establish it. What's your opinion in this regard?

[gryphius]

TBH I haven't looked into this so far. If cross updating is really a thing in the f-droid world and enabling reproducible builds is somewhat straight-forward and doesn't involve uploading private key material to third parties I certainly don't mind supporting it. I'd need some guidance or even better a PR tho, I haven't done this so far.

[IzzySoft]

For reproducible builds you basically need two things:

• a tag from which F-Droid can build
• an APK you build from the very same tag and sign with your key

F-Droid then builds from that tag, and "diffs" its APK against the one you provide. If the two match (except for the signature of course), your APK goes to the repo. So no witchcraft, and your private key definitely stays with you. Simply leave a note on the Gitlab issue linked, a maintainer will certainly help out.

[mimi89999]

@gryphius Could you change the apk name from androdns_1_4.apk to androdns.apk? Currently, we can only put version name in the URL...

[gryphius]

@mimi89999 sure! I've copied the apk and added it as androdns.apk to the 1.4 release.
https://github.com/gryphius/androdns/releases/tag/v1.4

I'm leaving the existing androdns_1_4.apk in place in order not to break anyones current links. In the future I'll name all release files just androdns.apk if that makes your builds easier.

[IzzySoft]

:cool: that sounds as if Michel is going for reproducible builds, phantastic! In that case, I see no hurry to remove it at my end unless you want me to, Oli. No confusion for the user (signatures will match) – just whoever has my repo configured in the F-Droid client will usually receive updates a bit earlier than those who have not :innocent:

[mimi89999]

The build server won't follow redirects 😞

michel@debian:~/git/fdroiddata$ curl https://github.com/gryphius/androdns/releases/download/v1.4/androdns.apk
<html><body>You are being <a href="https://github-production-release-asset-2e65be.s3.amazonaws.com/84719535/3088fa84-fc55-11e7-8492-93f64a88f9bb?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180118%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20180118T214224Z&amp;X-Amz-Expires=300&amp;X-Amz-Signature=049cb12db139cfefdbe05377021a021cd45e9c57e556bbbe7c6e8d319f1335b9&amp;X-Amz-SignedHeaders=host&amp;actor_id=0&amp;response-content-disposition=attachment%3B%20filename%3Dandrodns.apk&amp;response-content-type=application%2Fvnd.android.package-archive">redirected</a>.</body></html>

[IzzySoft]

@mimi89999 could you add the -L option to the curl call? "The -L flag instructs cURL to follow any redirect so that you reach the eventual endpoint." (source)

[gryphius]

reopening this, I was asked on twitter realised that the f-droid release doesn't work

https://f-droid.org/wiki/page/androdns.android.leetdreams.ch.androdns says:

We can't build this version: The build for this version was manually disabled. Reason: verification fails

Version code: 6

Maybe some day I'm inspired to dig into the f-droid build process myself, but until then I'll flag this with "help wanted" and hope for the best .

[mimi89999]

Right. I will take care of it.

[mimi89999]

Enabled it: https://gitlab.com/fdroid/fdroiddata/commit/71b54ba142b58fe46e0eb150a34f3b7ee67155c6

[IzzySoft]

For the time being, you can find the app in my repo (added it there about a year ago). Just add https://apt.izzysoft.de/fdroid/repo as source in your F-Droid client.

[mimi89999]

It doesn't build reproducibly. How exactly was it built?

[gryphius]

In Android Studio i select "Generate Signed APK", enter my keystore pw, tell it to build a release.

[gryphius]

Btw, I'm planning to publish a new release in soonish, with DoT / DoH support and maybe DNSSEC validation (working on that right now) - if you need me to make any changes to my release process, just let me know

[gryphius]

@mimi89999 would it help if I made a beta release from a current commit where we have the updated gradle version?

[gryphius]

also: does it make a difference for reproducible builds if I use V1 Jar Signatures or V2 APK signatures?

[mimi89999]

@gryphius

would it help if I made a beta release from a current commit where we have the updated gradle version?

I could always check if I can reproduce the build locally.

also: does it make a difference for reproducible builds if I use V1 Jar Signatures or V2 APK signatures?

I remember that some time ago there was an issue with V2 signatures, but I think that it might have been fixed by now.

[mimi89999]

Sorry. V2 signatures aren't supported yet.

[IzzySoft]

Sorry. V2 signatures aren't supported yet.

Are you sure @mimi89999? I vaguely remember we had been working on that in fdroidserver quite a while ago. But I cannot find a related issue, though.

@gryphius the one doesn't exclude the other. You could use both v1 and v2 at the same time. That's even recommended AFAIR: while v2 is more thorough, an additional v1 would make it legit for clients not (yet) supporting v2 (so it's a fallback solution).

[gryphius]

Btw, I'm planning to publish a new release in soonish, with DoT / DoH support and maybe DNSSEC validation (working on that right now) - if you need me to make any changes to my release process, just let me know

Now released: https://github.com/gryphius/androdns/releases/tag/v1.5

:cocktail:

[mimi89999]

It almost built reproducibely. The only difference was in the resources file. I opened a PR to disable resource shrinking.

[gryphius]

I've added a new release 1.5.1: https://github.com/gryphius/androdns/releases/tag/v1.5.1

[mimi89999]

https://issuetracker.google.com/issues/110237303

resources.arsc doesn't build reproducible unless built in a special filesystem.

[mimi89999]

@gryphius Could you please rebuild 1.5.0 and 1.5.1 inside disorderfs?

[gryphius]

I failed building disorderfs on OSX. I'll set up a linux dev env and try again, but it may take a while (-ENOTIME)

[gryphius]

ok, 1.5 and 1.5.1 are now rebuilt on linux with disorderfs and uploaded. I used the options as documented in https://issuetracker.google.com/issues/110237303, i.e. --sort-dirents=yes --reverse-dirents=no

[mimi89999]

Also enabled it in F-Droid: https://gitlab.com/fdroid/fdroiddata/commit/2bf12c76

[gryphius]

if I understood the thread in https://issuetracker.google.com/issues/110237303 correctly , this bug has been fixed. I have therefore built AndroDNS 1.6 without disorderfs again. However I'm not sure how/if I can verify this myself. Would anyone be so kind and tell me if AndroDNS 1.6 can be built in F-Droid?

[neufeind]

Is this meanwhile resolved? 1.8 was released to f-droid on Oct 1st 2023.

[IzzySoft]

1.8 was released to f-droid on Oct 1st 2023.

:eyes: Where's your DeLorean parked, @neufeind? My calendar says it's Aug 28 2023 today. :speak_no_evil: :dash:

[gryphius]

given that 1.8 was released on f-droid automatically apparently without issue, I'm closing this.