reproducible builds and developers losing access to their signing keys
There was some discussion on matrix about developers losing their signing keys:
This is starting to become an "on fire" issue. F-Droid supplying updates is pretty important. Maybe we need better education during inclusion to tell people they need to keep their signing keys and keep backups because otherwise people can't update and some client change
yeah I think we need to communicate this better. right now we're pretty much just asking for signed APKs, regardless of whether devs intended to provide those themselves (in which case I hope they are aware of key management). it's obvious to us that means they need to keep the key safe and backed up. but devs may not realise that a key change would break updates. and lost keys are definitely bad for our users.
we didn't get a chance te discuss it in the meeting, but maybe we need a UI dialogue to switch signatures, be it nonrepro to repro or lost keys :(
We need to send notification from the repo, per version or per app.
yeah we need a way to inform users about key changes and make it easy to switch if needed. but also to try to avoid having it happen in the first place if we can. so making sure devs are on 100% board with RB (and won't refuse to provide APKs later) and know to handle their keys responsibly. key changes are bad for users, regardless of why it happened or what the dev thought would happen. so we should do our best to avoid it happening.
we also haven't really figured out how to deal with apps that are RB now becoming unreproducible later due to something changing. even if it's fixable it might take more work than devs are able/willing to spend. I really hope that never becomes a serious issue. but I don't think we have a plan for that now.
Maybe RB brings more workload?
I think it does, instead of just building you now also have to debug weird failures
Apps that changed their signing keys
- Achie (key lost)
- mLauncher (key lost)
- pincredible (key replaced)
- Tasky (key lost)
-
com.bnyro.*
: Translate You, Clock You, Wall You, Record You, Connect You (key lost) - safespace (key lost)
- knigopis (no response from upstream, disabled)
Apps that decided they no longer want RB
Apps that switched to RB
- WebCall
- WireGuard
- Contacts Import
- STARGW FX
- FFUpdater (signatures in metadata)
Apps that have been unreproducible at some point
- NewPipe (RB again)