jonah, It would be cool if #FDroid took the opposite approach to Google Play App Signing, by using their build system to create a code transparency key that developers could then bundle with their app, and then developers could in turn sign that bundle with their own signing key.
That way F-Droid could distribute apps that they’ve verified reproducible builds for (and check the CT signature in the F-Droid app), without having to sign the app with their own key—a common complaint about the default F-Droid repo.