Confused about metadata recommended for reproducible builds

So I’m looking into making Feeder reproducible, and it was pretty easy to do.

But I’m confused what should be put in the metadata.

Adding Binaries and AllowedAPKSigningKeys works, but users who already installed will have to re-install the app since F-Droid will stop building it.

However, adding a signatures folder is specific to a certain versionCode. Does this folder get copied automatically when F-Droid detects a new version has been released?

yes, that’s the issue… past apps cared little about the old users, eg. wireguard announced it via their mailling list and mastodon and twitter. One idea is to have some sort of F-Droid Client new function that prompts the user about this, discussed here: reproducible builds and developers losing access to their signing keys (#403) · Issues · F-Droid / admin · GitLab

Depending on app, say if you have backup/restore, it might be easy to uninstall. So at least you should setup a bold NOTE in Description/Changelog explaining what users need to do. But there’s no guarantee that users even see it.

But no autoupdates, you’ll open a MR to add the updated block .yml and the 5-6 files for the extracted signature, for EACH NEW release, eg: Update Bitcoin Wallet [testnet3] to 10.06 (!13662) · Merge requests · F-Droid / Data · GitLab

Also, now F-Droid hosts 2 versions, yours and F-Droids.

1 Like

Feeder can export the OPML file to backup all feeds. So it’s not a big problem to re-install it. But F-Droid can tell the user that the app need to re-install. If the user can’t get update notification they don’t even know that there is a new version that they can’t install.

Another option would be to provide a second app in F-Droid corresponding to the play store package name which would use reproducible build only. But I’m not a fan of listing the app twice.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.