Produce/Sign (FOSS) APK artifact in release workflow #2300
Replies: 3 comments 5 replies
-
It is signed!
It is enough. The fdroid stripping leads to the proprietary artifacts not being synced by gradle, but firebase etc should not be in the runtime dependencies unless
Yes!
-
Perhaps we should create an issue to track this - noticed that there is a new release out but unfortunately not a FOSS artifact yet.
-
Apologies as I don't know much about Android development. Which library in particular is proprietary vs FOSS? I'm wondering if there's any difference to the end user or if it's an open-jdk vs proprietary-jdk sort of thing, where they're basically the same but for the licensing.
-
Greetings!
Let me begin by saying thanks for a great app!
I've noticed that the project is using GitHub Actions to automatically build/publish the app to the Google Play Store. In addition, it produces an APK that can be downloaded directly from the GitHub "Releases" page, which permits installation without relying on third-party services like the Play Store and F-Droid. This is great IMHO, since many projects' build processes are very opaque.
It does however seem like the CI/CD is configured to build the APK with proprietary libraries included. Would "the project" consider adding an additional build step/release artifact to also produce a purely FOSS APK? Other projects, like the Jellyfin Android app, do this by adding the suffix "libre" or "proprietary" to the APK release artifacts. Not sure if setting the "VOICE_USE_PROPRIETARY_LIBRARIES" environment variable is enough to produce a FOSS APK during the Gradle build - the F-Droid build system seems to modify some dependency files as well.
I'm also wondering if there is a reason that the build process doesn't sign the GitHub releases APK artifact? A "classically signed" APK would provide some value even if installed manually/outside of the Play Store, as certificate pinning could be used to protect against some types of malicious updates.
Motivation: Enable trustworthy installation of FOSS Voice through apps like Obtainium in order to remove dependence/trust on F-Droid (which could be considered desirable from a security perspective).
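As an added illustration of the two requests above (a separate FOSS artifact and a signed release APK), here is one way an Android module's `build.gradle.kts` can express them; this is example code, not the Voice project's own build script. The flavor names `libre`/`proprietary`, the environment variable names, and the Firebase dependency coordinate/version are assumptions.

```kotlin
// Example build.gradle.kts fragment (assumed names; not the project's real config).
android {
    // One flavor dimension yields two artifacts per build type, e.g.
    // app-libre-release.apk and app-proprietary-release.apk, so the
    // release workflow can upload both and the FOSS one never links
    // the Play-only dependencies at all.
    flavorDimensions += "variant"
    productFlavors {
        create("libre") { dimension = "variant" }
        create("proprietary") { dimension = "variant" }
    }

    // Release signing fed from CI secrets. If the secrets are absent
    // (e.g. a fork's PR build) the config is simply not applied, so the
    // build still succeeds and produces an unsigned APK.
    val keystorePath = System.getenv("RELEASE_KEYSTORE_PATH")      // assumed variable name
    val keystorePass = System.getenv("RELEASE_KEYSTORE_PASSWORD")  // assumed variable name
    val keyAlias = System.getenv("RELEASE_KEY_ALIAS")              // assumed variable name
    val keyPass = System.getenv("RELEASE_KEY_PASSWORD")            // assumed variable name
    if (keystorePath != null && keystorePass != null && keyAlias != null && keyPass != null) {
        signingConfigs {
            create("release") {
                storeFile = file(keystorePath)
                storePassword = keystorePass
                this.keyAlias = keyAlias
                this.keyPassword = keyPass
            }
        }
        buildTypes {
            getByName("release") {
                signingConfig = signingConfigs.getByName("release")
            }
        }
    }
}

dependencies {
    // Flavor-scoped configuration: only the proprietary variant ever
    // sees this dependency, so the libre APK is FOSS by construction
    // rather than by post-build stripping. Version is a placeholder.
    "proprietaryImplementation"("com.google.firebase:firebase-analytics:<VERSION>")
}
```

Once the release APK is signed with a stable key, `apksigner verify --print-certs app-libre-release.apk` shows the signer certificate's SHA-256 digest, which is the value an installer such as Obtainium can pin so that a later artifact signed by a different key is rejected.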