Use your own signatures for F-Droid packages
Hi, great project.
One thing that would be nice is if you could use your own (public key and) signatures for the F-Droid packages. I think they allow it when the builds are reproducible. That would mean you are able to offer the byte-exact same packages on Github and F-Droid. (That would probably produce a problem for current F-Droid users due to the public key changing. I am aware that what I ask may not be an effortless transition.)
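The "byte-exact same package" requirement above can be checked locally before asking F-Droid to publish the developer signature. The following is an added example, not code from this project or from fdroidserver; it treats an APK as a zip archive, ignores the v1 signature entries under META-INF/ (the v2/v3 APK Signing Block is not a zip entry, so it is already excluded), and reports which entries differ between a developer build and a second build. The sample archives are constructed inline as stand-ins for real APKs.

```python
import io
import zipfile

# APK v1 signature entries that legitimately differ between a developer-signed
# APK and the same build signed by a different key (e.g. F-Droid's).
SIGNATURE_ENTRY_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name: str) -> bool:
    """True for META-INF/MANIFEST.MF and META-INF/*.{RSA,DSA,EC,SF}."""
    if not name.startswith("META-INF/"):
        return False
    return name == "META-INF/MANIFEST.MF" or name.upper().endswith(SIGNATURE_ENTRY_SUFFIXES)


def content_entries(apk_bytes: bytes) -> dict:
    """Map every non-signature entry name to its raw bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: zf.read(info.filename)
                for info in zf.infolist() if not is_signature_entry(info.filename)}


def compare_apks(apk_a: bytes, apk_b: bytes) -> list:
    """Sorted names of entries that differ or are missing on one side.

    An empty list means the two builds are content-identical apart from
    their signatures, i.e. the build is reproducible in F-Droid's sense.
    """
    ea, eb = content_entries(apk_a), content_entries(apk_b)
    diffs = set(ea) ^ set(eb)
    diffs |= {n for n in set(ea) & set(eb) if ea[n] != eb[n]}
    return sorted(diffs)


def build_apk(entries: dict) -> bytes:
    """Constructed sample: a minimal zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Compare a developer build with a reproduced build and with a drifted one."""
    common = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00constructed"}
    dev_sig = {"META-INF/DEV.RSA": b"dev-cert", "META-INF/DEV.SF": b"sf-dev", "META-INF/MANIFEST.MF": b"mf-dev"}
    other_sig = {"META-INF/FDROID.RSA": b"other-cert", "META-INF/FDROID.SF": b"sf-o", "META-INF/MANIFEST.MF": b"mf-o"}
    dev = build_apk({**common, **dev_sig})
    reproduced = build_apk({**common, **other_sig})            # same content, different signer
    drifted = build_apk({**common, "classes.dex": b"dex\n035\x00different", **other_sig})
    return compare_apks(dev, reproduced), compare_apks(dev, drifted)
```

For real APKs, fdroidserver's own verification additionally checks that the developer's signature validates against F-Droid's build; this script only isolates which entries break reproducibility.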
Hi,
great project
Thank you!
builds are reproducible
This will require extra actions when I need to update the app dependencies such as Tor, DNSCrypt, etc. It may not be that obvious, but there are quite a few of them. I'm developing the app alone, so this will take a significant amount of time that I can spend on development.
While reproducible builds could be implemented, I have no such plans at this time. It would be a bit overkill for one person.
I understand. I may have a look at this myself. It may not be too hard, because I think projects like tor may already be set up to be reproducible.
It would be a bit overkill for one person.
There are other benefits. In making them reproducible, you will also validate your own environment against the build produced by e.g. F-Droid. Granted, that's the ideal case when you know everything works as expected. And you are able to offer multiple upgrade paths. (E.g. primarily F-Droid, but one could use Obtainium to acquire packages directly from Github.) And there are fewer different variations.
Anyways, you get my point. I totally understand that as a single individual it takes a significant amount of time.