Will new versions be posted on F-Droid?

Will new versions be posted on F-Droid?
Somehow I don’t trust APK from GitHub

You should trust neither GitHub nor F-Droid.
Shortest and most trustworthy trust path is reproducible releases from the developer (team), signed by (their) key.
Pity it’s still not there.

1 Like

ArcaneChat offers this btw, if you need that level of security

yes, 2.x is detected at and waiting to be built - this may take several days, if not weeks. we do not have that under our control :slight_smile:

3 Likes

Release signing by devs is actually pretty standard these days.
You are building a wonderful private messenger ecosystem - but your distribution is like not protected at all.
Now I must trust governments, ISPs and Microsoft to get your desktop app. And I normally don’t trust them all.

I can understand when dev teams not dealing with cryptography at all have some troubles with release signing - but you, guys… I can’t get it.

Here is discussion on SimpleX messenger release signing.

1 Like

I think you didn’t understand what I said, the apks are ofc signed, it is not normally possible at all to install an app without signing in android, if you already have the app installed and download an update from github it will not be possible to update at all if Microsoft manipulated it, also we publish the file hash on our site so you can verify the apk is the correct one

for f-droid, it was not possible in the past to publish ourselves and is signed by them but you can always just install our signed apk instead if you don’t trust f-droid

reproducible builds are another topic and it is when you don’t trust the developers, in that case even if the code matches nothing prevents the developers from still putting some malware deep in the code, are you reading carefully the Rust source code every delta chat core release??? so some trust has to exist, you can always fork the app and review carefully the code you merge and compile it yourself tho

but please notice that this is a bit offtopic here, creator of the post was just asking about why/when there will be releases on f-droid

2 Likes

I’m talking about desktop situation.

ofc?

Noted, sorry :frowning:

Actually it seems all binaries on Index of /desktop/ are signed starting from 1.60.0.
I didn’t find it, because I still can’t update from 1.58.2 which was the last without signatures.
Shame on me.
My thanks to developers team! :slight_smile:

2 Likes

ah you were talking about desktop all this time? “apk” is the apps for android, this thread is about f-droid, I was not talking about desktop at all, you were too deep in the offtopic rabbit hole, buddy! but good you figured it out! :sweat_smile:

I assume you don’t trust Google either, so another advantage of the F-Droid version is that it doesn’t contain the proprietary code blobs from Google.

But I think you’re right to distrust GitHub. Even if Microsoft doesn’t put malware in it they’ve been known to censor projects on GitHub in the past, it restricts access and blocks accounts based on nationality and geolocation, and especially in the present climate we can expect to see more of this or worse. Codeberg seems to be a more open, trustworthy, and reliable alternative.

Or when the build system of the developers is compromised.

5 Likes