During my research on Signal inclusion in F-Droid, I have noticed it’s not exactly clear how to ship author signatures on APKs in F-Droid. There’s this wiki page that documents the “dream of reproducible builds”:
Yet the summary (“How it is implemented as of now”) is very short, and doesn’t clearly tell authors or F-Droid repository maintainers how to actually do this, step by step (unless I am missing something obvious).
For example, there’s this “Open question: how to migrate users to new signing key?” which seems critical. For Signal, I had to make backups using Oandbackup, uninstall the old app, install the new app and restore. I managed to fail the process through some SNAFU, but I guess this could be a solution… The “General Plan” below also seems a bit unclear - it’s talking about Lil’ Debian reproducibility - but it’s not clear exactly if the dream is accomplished or not.
Can we ship official binary APKs on F-Droid now with original signatures, assuming that they are free software of course?
If so, what’s the best documentation on how to do so?
I guess the answer could be added to this FAQ entry as well:
Oh, and what’s with this issue:
Is that necessary to get reproducible builds?