I’ve been considering trying to get reproducible builds working for Auxio to appease some security-minded users. However, since prior builds are signed with F-Droid signatures, publishing new APKs with my signature would be a breaking change.
According to this chart on the reproducible builds wiki page, I can get F-Droid to publish dual APKs with F-Droid’s signature and my signature, but only if I provide a signature to metadata/org.oxycblt.auxio/signatures. This is really not ideal, as I want to use auto-update and avoid the hassle of making a PR every release.
Is there any reason why this isn’t done if one were to use Binaries:? Using that would be much easier for me, as GitHub hosts APK downloads that could be referenced automatically with AutoUpdate.
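For reference, here is what the two metadata pieces mentioned above look like side by side in fdroiddata's YAML format. This is an added illustration, not part of the post and not Auxio's actual metadata: the GitHub download URL template and the version string are placeholders, and the comments describe the assumed meaning of each field (the `%v` token expands to the version name).

```yaml
# metadata/org.oxycblt.auxio.yml (assumed example, not the real file)

# Auto-update: new upstream tags are picked up without a manual PR.
AutoUpdateMode: Version
UpdateCheckMode: Tags
CurrentVersion: 0.0.0          # placeholder version name
CurrentVersionCode: 0          # placeholder version code

# Binaries: URL template for the developer-signed APK published upstream.
# fdroidserver downloads this file and compares it with its own build of
# the same tag; only if the two match is the upstream-signed APK published.
# Placeholder URL: replace with the real GitHub release asset pattern.
Binaries: https://github.com/EXAMPLE-OWNER/EXAMPLE-REPO/releases/download/v%v/example-%v.apk

Builds:
  - versionName: 0.0.0         # placeholder
    versionCode: 0             # placeholder
    commit: v0.0.0             # placeholder tag
    gradle:
      - yes
```

The alternative route from the post, committing a signature block under metadata/org.oxycblt.auxio/signatures/, needs a file per release, which is exactly the per-release PR the post wants to avoid; the Binaries: template is evaluated per tag instead.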