F-Droid Build Status was updated to 5.6.4 and no one will get this update. Why? Well, the app is now built reproducibly so if you have it installed you need to uninstall it and then reinstall it. (Yes, we wish this switch to be easier to perform, but the UI is not there yet)

  • monnier@lemmy.ca
    link
    fedilink
    arrow-up
    9
    ·
    3 months ago

    I don’t understand why “the app is now built reproducibly” implies “you need to uninstall it and then reinstall”. What am I missing?

    • WhyJiffie@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      android uses digital signatures as kind of a security measure. a digital signature is basically supposed to confirm that the apk was actually built by the developer, and most of the files in it were not tampered with.
      besides being able to make permissions depend on it, you cannot install an app update that was signed with a different key to what you have already installed, because that basically means you are replacing it with a version that was built by someone else.

      all apps are digitally signed. when an app becomes reproducibly built, from that point the app will be built by f-droid with their own digital signature.

      also note that since google play has forced all developers to hand over their signing keys, when making app bundle based publishing mandatory, the security of this signature has been… less useful

      • kosmoz@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        3 months ago

        […], from that point the app will be built by f-droid with their own digital signature.

        This part of your comment is not quite true. One of the advantages of reproducible builds is that the app can be signed by the developer but fdroid can still verify that it has been built from the correct source code. You can check out the documentation here: https://f-droid.org/docs/Reproducible_Builds/

        • WhyJiffie@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          you’re right, thanks for letting me know

          This means that F-Droid can verify that an app is 100% free software while still using the original developer’s APK signatures.

          then I don’t understand it either why it can’t be updated directly

          • m-p{3}@lemmy.ca
            link
            fedilink
            arrow-up
            3
            ·
            3 months ago

            Because there will be a signature mismatch. Apps built by F-Droid will use the F-Droid signature, reproducible apps will use the dev signature.

          • kosmoz@lemm.ee
            link
            fedilink
            arrow-up
            2
            ·
            3 months ago

            If an app doesn’t support reproducible builds, the version you can download from F-Droid was built and signed by F-Droid, not by the dev