this post was submitted on 27 Sep 2024
13 points (100.0% liked)

F-Droid

8133 readers
1 users here now

F-Droid is an installable catalogue of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.

Website | GitLab | Mastodon

Matrix space | forum | IRC

founded 3 years ago
MODERATORS
 

F-Droid Build Status was updated to 5.6.4 and no one will get this update. Why? Well, the app is now built reproducibly so if you have it installed you need to uninstall it and then reinstall it. (Yes, we wish this switch to be easier to perform, but the UI is not there yet)

you are viewing a single comment's thread
view the rest of the comments
[–] monnier@lemmy.ca 2 points 1 month ago (1 children)

I don't understand why "the app is now built reproducibly" implies "you need to uninstall it and then reinstall". What am I missing?

[–] WhyJiffie@sh.itjust.works 2 points 1 month ago (1 children)

android uses digital signatures as kind of a security measure. a digital signature is basically supposed to confirm that the apk was actually built by the developer, and most of the files in it were not tampered with.
besides being able to make permissions depend on it, you cannot install an app update that was signed with a different key to what you have already installed, because that basically means you are replacing it with a version that was built by someone else.

all apps are digitally signed. when an app becomes reproducibly built, from that point the app will be built by f-droid with their own digital signature.

also note that since google play has forced all developers to hand over their signing keys, when making app bundle based publishing mandatory, the security of this signature has been.. less useful

[–] kosmoz@lemm.ee 4 points 1 month ago (1 children)

[…], from that point the app will be built by f-droid with their own digital signature.

This part of your comment is not quite true. One of the advantages of reproducible builds is that the app can be signed by the developer but fdroid can still verify that it has been built from the correct source code. You can check out the documentation here: https://f-droid.org/docs/Reproducible_Builds/

[–] WhyJiffie@sh.itjust.works 2 points 1 month ago (2 children)

you're right, thanks for letting me know

This means that F-Droid can verify that an app is 100% free software while still using the original developer’s APK signatures.

then I don't understand it either why it can't be updated directly

[–] kosmoz@lemm.ee 2 points 1 month ago

If an app doesn't support reproducible builds, the version you can download from F-Droid was built and signed by F-Droid, not by the dev

[–] mp3@lemmy.ca 2 points 1 month ago

Because there will be a signature mismatch. Apps built by F-Droid will use the F-Droid signature, reproducible apps will use the dev signature.