Extract signatures from Binaries metadata field

Reading through https://f-droid.org/en/docs/Reproducible_Builds/, it seems like there are 2 ways to opt into reproducible builds.

The easiest one is a Binaries: field in the metadata, and publishing APK files online. The main issue seems to be that this only publishes the upstream APK, which would mean you can't update from existing F-Droid builds as the signature would differ (right?).

There seems to be a way to publish 2 APKs (one with the upstream signature and one with the F-Droid signature), which is putting signature files for each version in fdroiddata. According to the documentation, these can be extracted from an APK file using fdroid signatures.

This made me wonder though: can't we just always extract signatures if the Binaries: field exists, so devs don't have to manually upload signatures for each version?
