Accrescent Supposed to Distribute Developer Signed Apk NOT F-Droid?

M3b4

By all means would someone correct me if l am wrong here. Thanks in advance.

The app Easy Notes from the Accrescent App Store. The app once downloaded, the SHA-256 can't be verified from the developer on Github.com as the SHA-256 on the developers github repository is for the developers F-Droid version of this app. I can't verify the app using app verifier or github repository. I have reached out to the developer to no avail. I thought that the accrecent app store only allowed SHA-256 signed directly from the developers own repository for all apps in this app store? If so why is the developers github repository SHA-256 equal to the F-Droid version of this app and NOT the SHA-256 from the accrescent app store?

The F-Droid version is com.kin.easynotes
Accrescent version is me.easyapps.easynotes

Both install as separate apps and install as system apps and NOT your regular third party app install.

Security & Privacy
Privacy controls
Permission manager
Toggle 3 dots top right corner
Show system

Only when you do the above will the app appear as a listed app. This is the same for Transcriber app from accrescent app store.
Both these apps show battery usage under
Battery, Battery Usage but are greyed out like system apps. You can't tap on these apps like other third party apps to open, disable, force stop.

Is this normal for a simple notes app & transcribe voice to text app?

DohnJoe

I wanted to reply that no app installed by you should figure as a system app, ever.
Then I realized that I didn't check this feature since Titanium Backup was a thing.

I don't know if this changed or not, but I feel like it should still be the case, I would say that a user installed app shouldn't figure as a system app...

M3b4 Battery, Battery Usage but are greyed out like system apps.

Just to be sure, you are not in the work profile, is this correct?
I am asking because in the work profile the apps running is a little bit different than usual.

de0u

M3b4 Both install as separate apps and install as system apps and NOT your regular third party app install. [...] Both install as separate apps and install as system apps and NOT your regular third party app install. [...] Is this normal for a simple notes app & transcribe voice to text app?

This seems potentially relevant: https://discuss.grapheneos.org/d/34558-third-party-app-molly-messager-app-installed-as-a-system-app/8

GrapheneOS

M3b4 The developer listing the hash for the key used for their F-Droid releases doesn't mean what you're claiming. You have no actual basis for what you're claiming and it's misleading people.

GrapheneOS

M3b4 It's not possible to add any additional system apps. You seem to be doing something specific which causes them to be shown that way but they're not system apps.

subwoofer

This is baffling for me, I thought all acrescent apps were verified by them so I don't need to. Maybe someone from acrescent can clarify?

Dumdum

subwoofer thought all acrescent apps were verified by them so I don't need to.

Correct
https://accrescent.app/features#key-pinning

Johnnyloans

My understanding is:

App is first submitted:

Manual and automatic checks.

App updates:

App is available to download immediately unless the following the app requests a new permission that it hadn't previously.
They then do a manual check again if so.

They probably(?) still do automatic checks for things like debug mode enabled--a search for several key phrases.

Finally, devs sign and package the app themselves then put it onto the app store.

In practice, I think it's possible an app dev could request network or location permission at first and it all checks out then, on a later date, they slip in devious code that utilizes the network or transmitting location data.

Disclaimer:
This isn't FUD. People talk all the time about what's possible and not concerning security or say: what if fdroid turns evil or is physically compromised, don't use them because it is possible. I have nothing against the honest, hard-working folks at accrescent.

subwoofer

Johnnyloans is that the process for acrescent or F-Droid? If it's the former (my understanding) why is F-Droid featuring in the conversation?

Johnnyloans

Accrescent

Fdroid is mentioned because I was thinking there's a non-zero chance my comment would be deleted for spreading lies or something especially since I'm talking about accrescent.

I remind the reader that people have this same conversation concerning lots of software whether or not it's a project closely related to GOS like accrescent is.

Fdroid is part of the OP comment and title.

schweizer

GrapheneOS It is just a question. The OP is asking why the devs only publish the F-Droid hashes on their github repository and not the hashes of their own key.

Most developers do not publish their code signing kay hashes. Some because they don't care others use PGP and say this is better.

So no need to worry.

harp

The developer of Easy Notes seems to be no longer interested in providing his app on Accrescent. The latest available version on Accrescent (and also on F-Droid) is 1.4, which is about 1,5 years old. The recent stable version 1.7.1 - which was published at January 24th - is only available via Play Store or at it's Github side.

Kamika242

harp is only available via Play Store or at it's Github side.

I get everything what's possible from GitHub via Obtainium. New app versions often need weeks to be checked by F-Droid, what's really bad when you have a bug, on GitHub new F-Droid versions are available instantly.
In Obtainium you can filter the version of any app via an expression thats contained in the apps name, that makes sure that you will always get the F-Droid (or another degoogled) version.

subwoofer

harp this surely means acrescent is being missold to gos users as the preferred source for apps? As someone who uses easy notes from the acrescent store I am somewhat peeved.

GrapheneOS

harp They may have forgotten to deal with it or may not realize there are many people using GrapheneOS who prefer getting apps via Accrescent. Has anyone asked them about it? You shouldn't assume they're not interested in providing it if they haven't said that. What likely happened is they tried it out but aren't aware many people are using it so they neglected to keep supporting it after setting it up.

GrapheneOS

subwoofer Accrescent is the preferred source of apps. A single developer neglecting to properly maintain their app there doesn't at all mean what you're claiming.

harp

subwoofer I totally agree with @GrapheneOS. Only because a developer stopped/paused/delayed publishing their app - for what reason ever - doesn't compromise the concept or integrity of Accrescent itself. Personally, I still prefer getting apps from Accrescent over any other source (as long as they are not outdated). Fortunately all apps in Accrescent I use are up to date.

harp

GrapheneOS I guess I didn't phrase that very well. Writing "not interested" should include (among others) all the possible assumptions you mentioned.

phospmph

GrapheneOS harp
The Easy Notes developer lost their signing key for Accrescent release...
https://www.reddit.com/r/fossdroid/comments/1qlr3c8/comment/o1s1yid/

It is the responsibility of the app developers to keep their signing key safe. Accrescent serves developer signed build so the store cannot do anything to fix it.

harp

phospmph That's bad news. In their post in that reddit thread you linked, they wrote, it's "possible" they lost the keys. No further information.

But there should be a way to solve this. I think at least the Accrescent maintainer should be able to delete the old version or make it unavailable and the Easy Notes dev could run through the registration process with new signing keys again. Or something like that. But of course, that would have to be communicated.

They also wrote in that thread, the updated version should be available on F-Droid within 2-4 days. That was 3 months ago. As I understood updates on F-Droid (the main part of the store, not additional repositories) would be done quite automatically by scanning release tags on Github, catching the sources and producing the builds. So also unclear, why this did not happen within the last months.

Looking at the Github repos of Easy Notes and the developer's other project Athena shows, that there seemingly doesn't happen anything since January. Not in development and no comment or action in opened issues since then. (Except one short question by the dev in one issue by February.) There may be some unknown reasons preventing them from working on it.