Open eighthave opened 1 year ago
It would be a nice start to test a way to switch existing users from F-Droid's signature to... whatever is better :) both signatures or only upstream or magic. :)
Yes, of course, I would very much like to try that.
If I understand this correctly, all I would have to do is to extract the signature once and import to F-Droid, right?
Since BinaryEye is already in f-droid.org signed by the f-droid.org key, that should also be maintained. So using fdroid signatures is the right approach, since that will add your signatures to f-droid.org while maintaining the f-droid.org signature as well. But I just realized that still needs to be submitted manually via merge request. I think we should be able to improve that process, so I filed an issue:
https://gitlab.com/fdroid/fdroidserver/-/issues/1104
If you're willing to submit the signatures via merge request, then I think it should be pretty easy to publish BinaryEye with both your signature and the f-droid.org signature.
Just made a merge request with the signatures: https://gitlab.com/fdroid/fdroiddata/-/merge_requests/12710
I hope this is correct?
I thought we can only do this for new versions.
No, I think the way this works is that new installs use the version with the developer signature, so they are compatible with other releases. However, existing users upgrade with the version signed by F-Droid, which publishes both from then on.
However, the users on the official signature might have delayed updates if the reproducible builds ever fail.
I meant that only adding the signature can't trigger the build. I thought we need to start from the next version.
So I should add metadata/de.markusfisch.android.binaryeye/signatures/117 for the next version already too?
You need to disable the autoupdate. Then for every version you need to open an MR adding the new version and the signatures.
And then hopefully in the future, we can automate the process of opening that merge request. Off the top of my head, seems doable.
All the recent releases on f-droid.org have been reproducible on our verification server: https://verification.f-droid.org/de.markusfisch.android.binaryeye.json
That makes this app a prime candidate for shipping via the F-Droid reproducible builds process. Is that something you are willing to try? @linsui @licaon-kter and @obfusk have a lot of experience helping apps through the process.
FYI @grote