So I’m looking into making Feeder reproducible, and it was pretty easy to do.
But I’m confused what should be put in the metadata.
AllowedAPKSigningKeys works, but users who already installed will have to re-install the app since F-Droid will stop building it.
However, adding a signatures folder is specific to a certain versionCode. Does this folder get copied automatically when F-Droid detects a new version has been released?
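For reference, an added illustration of what the AllowedAPKSigningKeys route looks like in an app's metadata file (this is not from anyone in this thread; the app id, version, URL and fingerprint are placeholders):

```yaml
# metadata/org.example.feeder.yml  (placeholder app id)
Categories:
  - Reading
License: GPL-3.0-only
SourceCode: https://example.invalid/feeder        # placeholder

# App-level list of SHA-256 fingerprints of signing certificates whose
# APKs F-Droid may publish instead of its own build. Only the APKs that
# match both this key and the rebuilt bytes are accepted.
AllowedAPKSigningKeys:
  - 0000000000000000000000000000000000000000000000000000000000000000  # placeholder

Builds:
  - versionName: '2.0.0'      # placeholder
    versionCode: 200          # placeholder
    commit: v2.0.0            # placeholder tag
    subdir: app
    gradle:
      - yes

# Where F-Droid fetches the developer-signed APK to compare against its
# own rebuild; %v is substituted with the versionName.
Binaries: https://example.invalid/releases/download/%v/feeder-%v.apk  # placeholder

AutoUpdateMode: Version
UpdateCheckMode: Tags
```

With this route the per-release signatures/<versionCode>/ directory is not needed, which is why auto-updates keep working; the trade-off is the one raised above, that the published signing key changes for existing users.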
Yes, that’s the issue… past apps cared little about the old users, eg. wireguard announced it via their mailing list and mastodon and twitter. One idea is to have some sort of F-Droid Client new function that prompts the user about this, discussed here: reproducible builds and developers losing access to their signing keys (#403) · Issues · F-Droid / admin · GitLab
Depending on app, say if you have backup/restore, it might be easy to uninstall. So at least you should setup a bold NOTE in Description/Changelog explaining what users need to do. But there’s no guarantee that users even see it.
But no autoupdates, you’ll open a MR to add the updated block .yml and the 5-6 files for the extracted signature, for EACH NEW release, eg: Update Bitcoin Wallet [testnet3] to 10.06 (!13662) · Merge requests · F-Droid / Data · GitLab
Also, now F-Droid hosts 2 versions, yours and F-Droid’s.
Feeder can export the OPML file to backup all feeds. So it’s not a big problem to re-install it. But F-Droid can tell the user that the app needs to be re-installed. If the user can’t get update notification they don’t even know that there is a new version that they can’t install.
Another option would be to provide a second app in F-Droid corresponding to the play store package name which would use reproducible build only. But I’m not a fan of listing the app twice.