Towards a reproducible F-Droid

A common criticism directed at F-Droid is that F-Droid signs published APKs with its own keys. Using our own keys doesn’t mean insecure — we have a good track record (and keep the keys on a dedicated, air-gapped, offline machine) whilst others may not — but this does mean that our users need to trust a third party other than the upstream developers.

Having a different signature can also inconvenience users by making it impossible to install updates from other channels; this can be especially inconvenient when we have difficulty providing an update for an app. Developers also sometimes need to tweak their setup for F-Droid, e.g. disabling an in-app updater or adding the F-Droid signature for verification.

F-Droid is not the only app store publishing APKs signed with its own key — Google Play does the same now. With “code transparency for app bundles”, Google provides a means to verify that the DEX files and native libraries in an APK are identical to those the developer provided. This does address some of these concerns, but code transparency does not protect many other important files in the APK, like interpreted code or assets. And unlike APK signatures, it is entirely optional (and an extra burden for developers) and verification must be performed manually. It also does not solve the inconvenience of being unable to install an APK with a different signature.

F-Droid has had a better solution for these problems for quite a while: reproducible builds. However, it was never widely used. One of the reasons is that it sounds difficult to achieve. We had few reproducible apps (to be precise: only 6) and some of them suffered from problems because of the use of reproducible builds. Basically, we didn’t bother to mention reproducible builds unless the upstream developers showed an interest. As a result, many developers never even heard of reproducible builds, let alone that F-Droid supports them, or attempted to use them for their own apps.

In response to some of those criticisms, we started encouraging new apps to enable reproducible builds. It turns out that reproducible builds are not so difficult to achieve for many apps. In the past few months we’ve gotten many more reproducible apps in F-Droid than before. Currently we can’t highlight which apps are reproducible in the client, so maybe you haven’t noticed that there are many new apps signed with upstream developers’ keys. If you have some third-party repositories enabled, e.g. the IzzySoft one, you may find that sometimes you can update the app from the main repository even if you installed it from another one.

Meanwhile, now that we’ve encountered many more test cases than before, we also found many new problems that affect reproducibility. Fortunately we also found workarounds for most of them and developed some tools to make APKs reproducible, mainly thanks to @obfusk’s contributions. There are still some open issues and we are still working hard to solve them. If you are interested in reproducible builds, contributions are always welcome.