Reproducible builds: Any plans to publish dual APKs with `Binaries:` build recipe attribute?

I’ve been considering trying to get reproducible builds working for Auxio to appease some security-minded users. However, since prior builds are signed with F-Droid signatures, publishing new APKs with my signature would be a breaking change.

According to this chart on the reproducible builds wiki page, I can get F-Droid to publish dual APKs with F-Droid’s signature and my signature, but only if I provide a signature to metadata/org.oxycblt.auxio/signatures. This is really not ideal, as I want to use auto-update and avoid the hassle of making a PR every release.

Is there any reason why this isn’t done if one were to use Binaries:? Using that would work much easier for me, as GitHub hosts APK downloads that could be referenced automatically with AutoUpdate.

You can have a try. If there is any problem we can help. Even if we can’t publish the apk with your signature soon it’s better to make the unsigned apk reproducible. At lease the users can verify it with apksigcopier.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.