markusfisch / BinaryEye

Yet another barcode scanner for Android
https://play.google.com/store/apps/details?id=de.markusfisch.android.binaryeye
MIT License
1.42k stars 117 forks

release BinaryEye via the reproducible process on F-Droid #360

Open eighthave opened 1 year ago

eighthave commented 1 year ago

All the recent releases on f-droid.org have been reproducible on our verification server: https://verification.f-droid.org/de.markusfisch.android.binaryeye.json

That makes this app a prime candidate for shipping via the F-Droid reproducible builds process. Is that something you are willing to try? @linsui @licaon-kter and @obfusk have a lot of experience helping apps through the process.

FYI @grote

licaon-kter commented 1 year ago

It would be a nice start to test a way to switch existing users from F-Droid's signature to... whatever is better :) both signatures or only upstream or magic. :)

markusfisch commented 1 year ago

Yes, of course, I would very much like to try that.

If I understand this correctly, all I would have to do is to extract the signature once and import to F-Droid, right?

eighthave commented 1 year ago

Since BinaryEye is already in f-droid.org signed by the f-droid.org key, that should also be maintained. So using fdroid signatures is the right approach, since that will add your signatures to f-droid.org while maintaining the f-droid.org signature as well. But I just realized that still needs to be submitted manually via merge request. I think we should be able to improve that process, so I filed an issue:

https://gitlab.com/fdroid/fdroidserver/-/issues/1104

If you're willing to submit the signatures via merge request, then I think it should be pretty easy to publish BinaryEye with both your signature and the f-droid.org signature.

markusfisch commented 1 year ago

Just made a merge request with the signatures: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/12710

I hope this is correct?

linsui commented 1 year ago

I thought we can only do this for new versions.

grote commented 1 year ago

No, I think the way this works is that new installs use the version with the developer signature, so they are compatible with other releases. However, existing users upgrade with the version signed by F-Droid which publishes both from then on.

However, the users on the official signature might have delayed updates if the reproducible builds ever fail.

linsui commented 1 year ago

I meant that only adding the signature can't trigger the build. I thought we need to start from the next version.

markusfisch commented 1 year ago

So I should add metadata/de.markusfisch.android.binaryeye/signatures/117 for the next version already too?

linsui commented 1 year ago

You need to disable the autoupdate. Then for every version you need to open an MR adding the new version and the signatures.

eighthave commented 1 year ago

And then hopefully in the future, we can automate the process of opening that merge request. Off the top of my head, seems doable.
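
An added example, not part of the thread and not fdroidserver's code: a sketch of copying an APK's signature files into the `metadata/<appid>/signatures/<versionCode>/` directory discussed above, which is the job the `fdroid signatures` command mentioned in the thread is used for. It assumes a JAR (v1) signature from a single signer; the helper names and the sample APK are constructed for illustration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed file set for a v1 signature: manifest, the signer's .SF, and its block file.
SIG_FILE = re.compile(r"META-INF/(MANIFEST\.MF|[0-9A-Za-z_\-]+\.(SF|RSA|DSA|EC))")


def extract_v1_signature(apk, metadata_dir, app_id, version_code):
    """Hypothetical helper: copy v1 signature files from an APK into
    <metadata_dir>/<app_id>/signatures/<version_code>/ and return their names."""
    with zipfile.ZipFile(apk) as zf:
        names = [n for n in zf.namelist() if SIG_FILE.fullmatch(n)]
        suffixes = [Path(n).suffix for n in names]
        # Refuse unsigned APKs and APKs with more than one signer.
        if len(names) != 3 or suffixes.count(".MF") != 1 or suffixes.count(".SF") != 1:
            raise ValueError(f"expected exactly one v1 signer, found {names}")
        sigdir = Path(metadata_dir) / app_id / "signatures" / str(version_code)
        sigdir.mkdir(parents=True, exist_ok=True)
        for name in names:
            # SIG_FILE allows no further '/', so the base name cannot leave sigdir.
            (sigdir / Path(name).name).write_bytes(zf.read(name))
    return sorted(Path(n).name for n in names)


def build_sample_apk():
    """Constructed stand-in for a signed APK; file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"placeholder")
        zf.writestr("META-INF/services/x", b"not a signature file")
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as metadata:
        app_id = "de.markusfisch.android.binaryeye"
        print(extract_v1_signature(build_sample_apk(), metadata, app_id, 117))
```

An APK that carries only a v2 or v3 signature has no such files under META-INF, so this sketch rejects it rather than writing an empty directory.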