Secrets in metadata com.example.app.yaml file in the build process

My app (Flutter based) that I’m willing to publish in F-Droid uses secrets that are used at Runtime of the app

The secrets get generated at the build time (using secrets.json locally & environmental vars in Github Action) & used in runtime. So I need a way to pass these secrets as ENV variables or any other way at build time in F-Droid server

How do I pass these secrets at the build step?

APP Repo: GitHub - KRTirtho/spotube: A lightweight free Spotify 🎧 crossplatform-client 🖥📱 which handles playback manually, streams music using Youtube & no Spotify premium account is needed 😱
F-Droid Data: KR. Tirtho / Data · GitLab

You need to put them in the build metadata.

I’m very new at both f-droid & gitlab. Can you provide me with an example, please?

Something like metadata/org.tasks.yml · master · F-Droid / Data · GitLab?

What linsui meant actually: you can’t have secrets on F-Droid, everything needs to be in the open, in the source repo. Once there, they’re not secrets anymore… just “keys” or whatever you call them.

F-Droid does not sign up for any API keys. Even if provided by a third party, we include them in both, binary and sourcecode releases.

From Inclusion Policy | F-Droid - Free and Open Source Android App Repository

1 Like

ClientId or API Keys are fine to include as they’re intented to be seen by everyone. But my application also have to have ClientSecret too for its functionality & that is not something I can push to upstream. It can be a security risk for my users

Is there any way to store this kind of secret & pass it only in the build without letting know everyone?

If it’s in Client where does it come from? Not from “the client”? It’s not “generated by the app after install”?

Link to the app source code so we know what is this about pls

Sorry for the delay
Here’s the App Source Repo: GitHub - KRTirtho/spotube: A lightweight free Spotify 🎧 crossplatform-client 🖥📱 which handles playback manually, streams music using Youtube & no Spotify premium account is needed 😱

An you need a secret thing for what exactly? Who needs that, you the dev or the user using it? Eg. Can the user ask from Spotify for such a secret and insert it in your app in Settings?

Yeah my app has the ability to save user provided client id & secret but that’s only needed when the user is willing to login with his/her account
But by default my app would use some pre-generated client id & secret to provide an anonymous experience without needing an actual Spotify Account

As with any secret in an APK they can be extracted later, so no reason to hide something anyway.

This means that we might need to disable such “anonymous” access feature, imho.

1 Like

Sounds similar to what Aurora OSS / AuroraStore · GitLab does, maybe you can find some inspiration there?

1 Like

@Licaon_Kter I know it can be done. But its difficult. Not everyone can do that. At least, it is better than keeping it completely open to everyone because now everyone can see it

@KRTirtho
unzip and strings are not very difficult.
Otherwise you can run enjarify and jad if necessary.

If your service crumbles because someone has an API key, something is fundamentally broken with your service.

If you need to share accounts across multiple users, then look at the cookiejar made by Yalp that is currently used by Aurora as already mentioned above.