Advice for app developers: how should they sign & build their apps to support GOS & the larger FOSS mOS movement?
There are plenty of honorable, competent, well-intentioned developers out there. I've been speaking to one recently, who had historically been building & publishing APKs themselves, as well as through F-Droid & Play. Recently, they've begun to consider abandoning the self-signed version in favor of Play-signed apps, believing Play's combination of convenience & security would be a better value than their home-brewed build server.
This argument may have merit, but we also know that Play builds are not reproducible, as they inject some amount of proprietary Play blobbage in.
We also know that (without once again revisiting the merits & opposition to this argument, do not rehash here) some amount of folks take issue with the security of F-Droid's build servers, and would prefer an app built elsewhere.
So, what is the official guidance for devs? Is F-Droid the best game in town? Can Play-signed apps be distributed without compromising privacy? Is there a better alternative for reliable, secure, reproducible builds that doesn't place a tremendous burden on the developer?