ministero-salute / it-dgc-verificaC19-android

VerificaC19 is the official Italian customization of the EU Digital COVID Certificate Verifier App for the Android Operating System
https://www.dgc.gov.it
Apache License 2.0
101 stars, 54 forks

Support F-Droid, APK #109

Closed Enrico204 closed 1 year ago

Enrico204 commented 3 years ago

Current Implementation

Currently, the app is available in (Android) Google Play Store and Huawei AppGallery. So-called "degoogled" phones have no "Play Store" or AppGallery access, mostly because they run on modified/unofficial firmware (for example: LineageOS) and/or smartphone owners might not like proprietary software and/or smartphone owners might be banned by Google for any reason.

Suggested Enhancement

I suggest supporting inclusion in F-Droid. This requires a build that follows their inclusion policy.

In addition, or alternatively, I suggest building an APK and releasing it here on GitHub (possibly using only free dependencies).

Expected Benefits

Supporting F-Droid and freely available APKs will help the community, as no private company can interfere with the app distribution. Using free libraries means that no bad behaviors can be injected into apps (no tracking, etc).

Alternative Enhancement

If you don't want to support F-Droid or freely available APKs, would you authorize a community-driven fork to access the get.dgc.gov.it APIs?

davide-butera commented 3 years ago

Please, I need it too since we don't use Google or Huawei and want to automate the deployment

gioluca2 commented 3 years ago

Can you release the official APK here? I need the installer and I can't download it from the Play Store or another store.

gioluca2 commented 2 years ago

Please, I really need the APK version to install on multiple devices controlled by SOTI MobiControl. The only format that it accepts is APK. Thanks

paolo-caroni commented 2 years ago

An inclusion on F-Droid would be perfect. I'm actually using CovPassCheck (German) because I can't install VerificaC19, but the rule set is from Germany and not Italy, so this can be a problem from 1 Feb 2022 because of the different months value (6 or 9 months). So I have to install it from the Apkpure website, where the .apk package is available (@gioluca2 you can download the .apk on this site, but I'm not sure about added virus/malware).

rawmain commented 2 years ago

Hello @paolo-caroni

> I'm actually using CovPassCheck (German) because I can't install VerificaC19, but the rule set is from Germany and not Italy, so this can be a problem from 1 Feb 2022 because of the different months value (6 or 9 months).

If you're using such an app for DGC Validation in Italian production environments, you should stop immediately... not on February 1st.

Not only because such a choice is clearly forbidden by the regulatory requirements, but also because it's already an issue that leads to wrong validations.

Official verifier-apps from other countries don't comply indeed with the regulatory requirements & operating instructions for DGC validations in Italy, since they fit only their specific countries' rules/settings & don't support quite any technical requirements of Italian DGC Validations :

This is why the DPCM 12/10/2021 allows to perform DGC validations only through

.

> So I have to install it from the Apkpure website, where the .apk package is available

There is really no need to retrieve the Android packages from unofficial third-party sources, rather than from the official ones.

The official VerificaC19 Android packages aren't strictly dependent either on GMS - Google Play Services or on HMS - Huawei Mobile Services.

Besides, the retrieval of the universal APK packages isn't hard at all.

It's indeed the default package format returned by Huawei AppGallery & you can even get it (instead of split APKs) also from Google Play Store - just by using the generic/nodpi device JSON profile for the API request.

Enrico204 commented 2 years ago

@rawmain On the second point: not having an official APK distributed somehow freely (F-Droid, GitHub releases, etc.) is the issue here.

I know that AppGallery offers nearly a direct HTTPS link for downloading APKs, however it has some problems:

The same list goes for Google Play Store.

While Google and Huawei require you to sign a contract, F-Droid and other stores do not. Even GitHub releases can be used freely.

I don't have a Google/Apple/Huawei owned phone. Right now, I have no way to install a public utility app inside my smartphone not because of a technical limitation, but a political intent to support only big corporation distribution centers - or, at the very least, a political intent of doing nothing to fix this issue.

I might be rude in this post, however I offered to build a fork in case the maintainers were not willing to support F-Droid. There was no reply at all. No negative response, no positive response, nothing at all.

Do we still need to exchange and download these APKs as if we were smugglers?

rawmain commented 2 years ago

Hello @Enrico204

> I might be rude in this post, however I offered to build a fork in case the maintainers were not willing to support F-Droid. There was no reply at all. No negative response, no positive response, nothing at all.

Since October 13th 2021... DPCM 12/10/2021 also allows anyone (even you) to maintain/build an unofficial community-driven Android fork & publish it into F-Droid.

Developers/publishers obviously have to comply at least with the following basic requirements :

  1. Artt. 12-13 DPCM 12/10/2021 requirements for Validation data process/privacy management & usage-terms of the official DGC-SDK Android/Kotlin

  2. The unofficial apps must NOT use the VerificaC19 / Italian Ministry of Health names/marks/icons/logos/etc. = there must be NO misleading elements (not even in the package name / ID n.d.r.), that could mislead users into thinking that it's an official app version.

For further details about it you can send an official (PEC) information request message to DGSI - Italian Ministry of Health.

Besides, the same contact channel can be - contextually or alternatively - used to officially (& politely) ask the Italian Ministry of Health to evaluate further official distribution channels for the VerificaC19 app, such as the release of the officially signed APK packages in the Github release-tracker and/or in F-Droid repo.

Enrico204 commented 2 years ago

Hi @rawmain , shall I consider your answer an official answer/statement? (meaning: are you entitled to say that I should forward this issue to DGSI?)

rawmain commented 2 years ago

Hello @Enrico204

> are you entitled to say that I should forward this issue to DGSI?

The PN-DGC / VerificaC19 official documentation says so. Just read it.

DGSI is indeed officially designated as the institutional contact of the Italian Ministry of Health for PN-DGC data/privacy questions & for evaluation/authorization requests about the usage of DPCM 12/10/2021 compliant SDKs (official DGC-SDK Android/Kotlin and authorized 3rd-party SDK/Libraries).

Enrico204 commented 2 years ago

Hi @rawmain, the contact you indicated is for SDKs & data/privacy questions. Let me recap the first message in this issue: is the Italian Ministry of Health willing to support F-Droid (or other ways) for APK distribution?

As you can see, there is no official reply here. Team members reply here on GitHub on these matters, as you can see in some issues. Also, this issue was not closed during this time, suggesting that they are avoiding taking a position (if it had been closed, it would have been clear the intent to not support F-Droid or other distribution channels). Finally, if the question was not intended to be answered here, there was plenty of time to close the issue with a comment saying that.

The community-driven fork was under the "Alternative" part. However the "Suggested Enhancement" was neither rejected nor accepted.

rawmain commented 2 years ago

Hello @Enrico204

> the contact you indicated is [...]

There was a second link too in my former message... = SDK-onboarding repo, where you can even read DGSI's PEC for the official communications.

That's just because DGSI (not other directorates/areas) is the institutional contact of the Italian Ministry of Health for evaluation/authorization requests about the usage of DPCM 12/10/2021 compliant SDKs.

> Let me recap [...]

Nah...

Now you know both the right institutional contact (DGSI) & how to officially submit (PEC) such kind of questions to VerificaC19's publisher & official controller - aka the Italian Ministry of Health.

So just ask the Ministry directly.

> The community-driven fork was under the "Alternative" part

Honestly, in August it was under the "Fuffa" part of your message...

Alternative fork-proposals were NOT feasible at all 5 months ago... since it was even explicitly forbidden by the regulations of the time.

The official iOS / Android versions of VerificaC19 were indeed the only authorized verifier-platforms for DGC Validations in Italy.

As I've written, it has been instead technically & legally allowed just 3 months ago by DPCM 12/10/2021 = new regulations about the allowed verifier-apps/platforms in Italy.

> However [...]

If you ask the Ministry directly (& politely), you'll get an answer.

dottorblaster commented 2 years ago

> If you ask the Ministry directly (& politely), you'll get an answer.

I honestly don't see how these requests are impolite.

Anyway, what is the specific paragraph in these documents that prevents a software artifact built from the sources in this repo to be uploaded to an arbitrary artifact hub instead of Google Play? I still see that possibility as feasible, am I wrong?

rawmain commented 2 years ago

Good morning @dottorblaster

I'm writing in Italian, to avoid misunderstandings, given the (predominantly) Italian audience of the thread.

> what is the specific paragraph in these documents that prevents a software artifact built from the sources in this repo to be uploaded to an arbitrary artifact hub instead of Google Play? I still see that possibility as feasible, am I wrong?

Please reread the earlier messages carefully, since nobody has said that this is a possibility ruled out a priori, nor referred to explicit prohibitions in Italian regulations/documentation.

Simply, yesterday - after 5+ months of almost total inactivity in this issue thread (including by its own author, ed.) :


Useful details/suggestions were therefore provided, in order to submit the matter to the Ministry correctly & directly.

Finally, I'll add one more suggestion - omitted yesterday, to avoid further degrading the tone - already polemical/irritating in itself - of the author.

Namely, the suggestion to motivate/support a proposal/request for an official alternative repo by leveraging, if anything, the cases of other publishers of official verifier apps (see DE CovPassCheck - Robert Koch Institute & CH COVID Certificate Check - UFSP, the Federal Office of Public Health)... rather than opinionated rants vs big corp (when I speak of out-of-place statements, I'm referring e.g. to this "political intent to support only big corporation distribution centers"...).

dottorblaster commented 2 years ago

@rawmain I understand, and thank you very much for the reply; however, I fail to see why opening an additional distribution channel should be something that, precisely given the linked documents and speaking purely of implementation details, is beyond the reach of the development / technical execution team. Given the mindset conveyed by the excellent execution of issue triage and by the project being open on a platform like GitHub, can we expect a certain degree of attention towards this issue, or does the governance model of this repository require sending a PEC to interact with the team (not the development team, but the team in a broader sense: product department, et al.) at any level slightly above bug reporting?

As for the tone, although I think it's true that things got a bit heated, on the other hand I can't fault the "opinionated rant vs big corp", because in the end the picture of the state of the art is more or less that. I hope someone is willing to correct this picture (and, consequently, public opinion).

CDimonaco commented 2 years ago

Allow me to join the discussion: is it possible to receive, from an institutional source other than the Ministry's PEC, an answer on this issue?

Because otherwise I fail to see the point of having everything open, everything transparent, while on such an important issue, which seems to have not only technical but also administrative repercussions, there is not the slightest trace of a comment from anyone involved in these decisions or at least in the release-publishing process.

I agree on keeping the tone polite, not because this is a repository that enjoys particular importance, but as a sign of civil conduct and of minimal netiquette.

I don't think the requests are crazy: people are simply asking for the APK to be available from a source other than the Play Store, not necessarily F-Droid or similar, but even a very simple ministerial space where the APK can be downloaded with the same signatures and the same guarantees as the Play Store.
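
The question that runs through this thread (whether an APK obtained outside the official stores carries the same signature as the store release) can be checked locally by comparing signing-certificate fingerprints. The following is an added example, not code from the thread or from the project: it parses the output of Android's `apksigner verify --print-certs`; the function names, the sample output and its digest are constructed, and the reference fingerprint is an assumption that has to come from a copy you already trust, since the page gives none.

```shell
#!/bin/sh
# Added example (not from the thread): compare an APK's signing certificate
# with a fingerprint you already trust before sideloading it.

# Lowercase a fingerprint and drop colons/spaces (keytool-style input).
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Read `apksigner verify --print-certs` output on stdin and print each
# signer certificate's SHA-256 digest, one per line.
signer_digests() {
    sed -n 's/^Signer .*certificate SHA-256 digest: *\([0-9A-Fa-f]\{64\}\)[[:space:]]*$/\1/p' |
        tr 'A-F' 'a-f'
}

# Exit status: 0 = every signer matches the reference, 1 = a signer differs,
# 2 = no signer digest found (unsigned APK or unexpected output).
check_signer_cert() {
    expected=$(normalize_fp "$1")
    found=$(signer_digests)
    [ -n "$found" ] || return 2
    for digest in $found; do
        [ "$digest" = "$expected" ] || return 1
    done
    return 0
}

# Constructed sample of apksigner output; the digest is made up.
constructed_apksigner_output() {
    cat <<'EOF'
Verifies
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Example Publisher (constructed)
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
EOF
}

# Usage: sh check_apk.sh <downloaded.apk> <trusted SHA-256 fingerprint>
# The reference is an assumption: take it from a copy installed from an
# official store (adb pull, then apksigner) or from the publisher.
if [ "$#" -eq 2 ]; then
    out=$(apksigner verify --print-certs "$1") || { echo "APK does not verify" >&2; exit 2; }
    printf '%s\n' "$out" | check_signer_cert "$2" && echo "signer matches" ||
        { echo "signer differs or is missing: do not install" >&2; exit 1; }
fi
```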

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.