jonah,
@jonah@neat.computer avatar

It would be cool if took the opposite approach to Google Play App Signing, by using their build system to create a code transparency key that developers could then bundle with their app, and then developers could in turn sign that bundle with their own signing key.

That way F-Droid could distribute apps that they’ve verified reproducible builds for (and check the CT signature in the F-Droid app), without having to sign the app with their own key—a common complaint about the default F-Droid repo.

shadowabsorber,

@jonah well all shadow can do is dream about this as they don't have a huge amount of power to change how works

jr,
@jr@social.anoxinon.de avatar

@jonah

"The public key component of the code transparency signing key in the app matches the public key of the developer"

So this basically sounds like it was intended just to verify that APKs uploaded to the Play Store were actually not tampered with before Google signs them nowadays. Does not sound like it would fit the F-Droid use case.

But F-Droid does allow distributing the versions signed by the developer, if it's reproducible, so your claim about the repo is false!

jonah,
@jonah@neat.computer avatar

@jr it fits the F-Droid use-case when done as I described, because it would verify that the developer did not tamper with the app F-Droid built before signing it themselves. (I see this as a way to solve non-reproducible app builds is what I'm saying, but I don't know all the reasons an app might not be reproducible).

I think reproducible builds also do solve this problem, I didn't catch this January blog post saying you had more than 6 lol - It will be cooler when the app indicates whether an APK was reproducible or not, and if the official F-Droid repo could eventually make reproducibility a requirement 👍
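
The check the two posts above are talking about (F-Droid rebuilds the app, compares its build with the developer-signed APK, and only then ships the developer's signature), shown as an added example that is not F-Droid's own code. It compares zip entry contents while ignoring the entries the signing step adds; F-Droid's real verification is stricter (byte-for-byte after stripping the signature, including the v2/v3 signing block) and the two "APKs" here are constructed in-memory stand-ins.

```python
import hashlib
import io
import zipfile

# Entries written by JAR (v1) signing; a reproducibility comparison ignores them.
# The APK v2/v3 signing block sits outside the zip entries and is not visible here.
SIGNATURE_NAMES = {"META-INF/MANIFEST.MF"}
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name: str) -> bool:
    return name in SIGNATURE_NAMES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not is_signature_entry(info.filename)
        }


def reproducible_match(fdroid_build: bytes, developer_signed: bytes) -> list:
    """Names of entries that differ between the two builds; [] means they match."""
    a, b = content_digests(fdroid_build), content_digests(developer_signed)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


def make_apk(classes: bytes, signed: bool) -> bytes:
    """Constructed stand-in for an APK: a zip with a manifest, a dex and optional v1 signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", classes)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"constructed placeholder, not a real signature")
    return buf.getvalue()


FDROID_UNSIGNED = make_apk(b"dex build 1", signed=False)   # what F-Droid rebuilt
DEV_SIGNED_SAME = make_apk(b"dex build 1", signed=True)    # developer's upload, same code
DEV_SIGNED_DIFF = make_apk(b"dex build 2", signed=True)    # developer's upload, different code
```

A clean `reproducible_match` result is what lets the repo distribute the developer-signed file; any listed entry means the build is not reproducible and must not be published under the developer's signature.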

jr,
@jr@social.anoxinon.de avatar

@jonah we now have more than 6 apps being reproducible, see https://gitlab.com/obfusk/fdroid-misc-scripts/-/blob/master/reproducible/overview.md

And also the idea of badges came up already: https://gitlab.com/fdroid/fdroiddata/-/issues/2896

jr,
@jr@social.anoxinon.de avatar

@jonah and we encourage new app inclusions nowadays, to use reproducible builds, but we do not require it, as it's quite an additional burden for the upstream too and also there are some upstreams that do not even want to do their own signing stuff...

futureisfoss,
@futureisfoss@fosstodon.org avatar

@jonah
Sounds like a great idea, tagging @fdroidorg here 🙂
