this post was submitted on 27 Sep 2024
45 points (100.0% liked)
F-Droid
8100 readers
19 users here now
F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.
Matrix space | forum | IRC
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
android uses digital signatures as kind of a security measure. a digital signature is basically supposed to confirm that the apk was actually built by the developer, and most of the files in it were not tampered with.
besides being able to make permissions depend on it, you cannot install an app update that was signed with a different key to what you have already installed, because that basically means you are replacing it with a version that was built by someone else.
all apps are digitally signed. when an app becomes reproducibly built, from that point the app will be built by f-droid with their own digital signature.
also note that since google play has forced all developers to hand over their signing keys, when making app bundle based publishing mandatory, the security of this signature has been.. less useful
This part of your comment is not quite true. One of the advantages of reproducible builds is that the app can be signed by the developer but fdroid can still verify that it has been built from the correct source code. You can check out the documentation here: https://f-droid.org/docs/Reproducible_Builds/
you're right, thanks for letting me know
then I don't understand it either why it can't be updated directly
Because there will be a signature mismatch. Apps built by F-Droid will use the F-Droid signature, reproducible apps will use the dev signature.
If an app doesn't support reproducible builds, the version you can download from F-Droid was built and signed by F-Droid, not by the dev