I'm adding my app to f-droid : What is next step?

Hello !

I just created a merge request to add my application to f-droid : https://gitlab.com/fdroid/fdroiddata/-/merge_requests/10176

Do I have to make something more ? Or I just have to wait maintainer availability ?

Thanks !

If you sign the resulting APK, it runs fine? https://gitlab.com/sevajol-bastien/fdroiddata/-/jobs/1859219241/artifacts/browse/tmp/

Hello @Licaon_Kter

I have multiple question about yours.

  • I suppose unsigned apk is a problem. Where can I see It is a problem on the merge request continuous integration ? (To be able to see when I signed it correctly)
  • How I should sign it for this f-droid integration process ?

Thanks !

It’s not a problem. But you need to sign it to test if it works well.

As said ^^^ I was just asking you to test the output APK for correctness for now.

For publishing in the repo, F-Droid will sign as needed.

Hi again @Licaon_Kter and @linsui , I’m sorry I am a newbie with Android app (this is my first app). You suggest me to sign the APK file like with :

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name

To check if signing is working, is that right ? Do you ask about trying to install it on my phone to test the signed apk installation too ?

Look like fine :slight_smile:

➜  rolldash git:(main) ✗ ~/Logiciels/android-studio/jre/bin/jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore /home/bastiensevajol/Documents/Bastien\ Sevajol/Work/Rolling/APK/Key/fr.bux.rollingdashboard.jks /home/bastiensevajol/Téléchargements/fr.bux.rollingdashboard.apk rollingdashboard 
Enter Passphrase for keystore: 
  signing: META-INF/com/android/build/gradle/app-metadata.properties
  signing: META-INF/androidx.activity_activity-ktx.version
  signing: META-INF/androidx.activity_activity.version
  signing: META-INF/androidx.annotation_annotation-experimental.version
  signing: res/zQ.png
  signing: res/zq.xml
  signing: resources.arsc

>>> Signer
    X.509, CN=Bastien Sevajol, O=bux, L=Charavines, ST=Isere, C=FR
    [trusted certificate]

jar signed.

The signer's certificate is self-signed.
The SHA1 algorithm specified for the -digestalg option is considered a security risk. This algorithm will be disabled in a future update.
The SHA1withRSA algorithm specified for the -sigalg option is considered a security risk. This algorithm will be disabled in a future update.
POSIX file permission and/or symlink attributes detected. These attributes are ignored when signing and are not protected by the signature.

Then you just need to wait for reviewers.

1 Like

Signing always works :slight_smile:

Yes, testing the built app is more important.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.