Why are Dash-electrum binaries in f-droid different from github source?

Why are dash-electrum (Source 1 Source 2) binaries in f-droid different from github (Source)?

Sorted manifests don't match, META-INF/DASH-ELE.RSA vs META-INF/339F8D6C.RSA

The two files you mention are different signing keys.

This makes sense because:

  1. F-Droid builds APKs directly from the upstream source code
  2. F-Droid does not have access to the private signing key of the developer

If the app builds reproducibly (that is, every build is the exact same so we can be 100% sure their published APKs really match the source code) the app could opt in for the reproducible builds program, where we use the APK of the developer (and thus, their signing key) if F-Droid’s build from source code would generate the same binary.

Looking at the metadata file for Dash Electrum, it does not seem the app is part of the reproducible builds program.

If these two files are really the only differences you found, it does sound like the app may already build reproducibly and could be included in this program if the developer would want to. The program is not without risks, though, as it increases the risk of delays in F-Droid publishing updates if anything goes wrong.

1 Like