While fdroid is great for discovery or if you’re running without Play Services, I’m using the Play Store anyway so I’ll use that if they’re on there or if not then Obtanium to get them from the source repo.
Isn’t there some weirdness with signing apps on fdroid? A bit beyond my security knowledge when I last saw it discussed.
F-Droid compiles apps from source by itself, without blindly trusting that the APK provided by the developer actually came from the source code. After independent compilation, one of two things happen:
If the app uses reproducible builds, then F-Droid verifies that its own compiled APK matches byte-for-byte with the APK provided by the developer. If they match, F-Droid distributes the APK signed with the developer’s signing key, same as Play Store does (except Play Store doesn’t verify anything).
Otherwise, F-Droid distributes its own compiled APK signed with F-Droid’s signing key.
In either case, F-Droid guarantees that you get an app that matches the source code exactly.
None of this process should matter to you as a user, and it’s all fairly transparent from a user’s perspective. F-Droid gives you certain guarantees and internally enforces these guarantees, while Play Store does not.
If you set URLCheck as a default browser and you can automate the process of making people think you love them
Even better https://f-droid.org/packages/com.trianguloy.urlchecker/
While fdroid is great for discovery or if you’re running without Play Services, I’m using the Play Store anyway so I’ll use that if they’re on there or if not then Obtanium to get them from the source repo.
Isn’t there some weirdness with signing apps on fdroid? A bit beyond my security knowledge when I last saw it discussed.
F-Droid compiles apps from source by itself, without blindly trusting that the APK provided by the developer actually came from the source code. After independent compilation, one of two things happen:
If the app uses reproducible builds, then F-Droid verifies that its own compiled APK matches byte-for-byte with the APK provided by the developer. If they match, F-Droid distributes the APK signed with the developer’s signing key, same as Play Store does (except Play Store doesn’t verify anything).
Otherwise, F-Droid distributes its own compiled APK signed with F-Droid’s signing key.
In either case, F-Droid guarantees that you get an app that matches the source code exactly.
None of this process should matter to you as a user, and it’s all fairly transparent from a user’s perspective. F-Droid gives you certain guarantees and internally enforces these guarantees, while Play Store does not.