I’m coding a new app and it’ll eventually on f-droid. It features an update checker that open GitHub release in browser if a new version is detected.
Now there’s a problem: There’ll be self-signed apk on GitHub and f-droid-signed apk on f-droid, and cross-update is impossible. Now I’m looking for a way to detect where did an installed apk come from, and open its update page instead.
Currently there’re two possible ways to do this:
Runtime detection. F-droid built apks are f-droid-signed, by fetching PackageInfo object, the app could get its signature and compare with pre-defined values. The problem is that whether f-droid signature varies between apps or not is not clear; the detection code itself also could be considered redudant and ‘dirty’.
Buildtime detection. It’s said that f-droid utilizes their own gradle wrapper, it may be detected and defined in BuildConfig. There could be also other things unique on f-droid’s building container, such as env, specific files in /etc, unique executables, etc., which can be detected by gradle. But what is different is completely unknown at present.
with 2 entries, the Client will install the developer version, by default, and the website shows them reversed (bugs, bugs everywhere) with the second one being the one of the developer.
all the other apps, with no AllowedAPKSigningKeys line are signed by F-Droid
Yeah I’d like to have f-droid sign it (no AllowedAPKSigningKeys). Now what I need to know is whether it is signed by f-droid, better to have it during gradle configuration. So is it possible to do this, by detecting fdroid-gradlew executable? Or there’s something significant in f-droid’s containers, like some key file with a specific hash?
If you don’t want reproducible builds, then it won’t matter, as F-Droid will build a flavor that won’t need to check for updates, since F-Droid takes care of that.
And your Github release can check whatever it wants.
