[lorenzhs]

Signal has reproducible builds for Android: https://whispersystems.org/blog/reproducible-android/ ...that just doesn't work with F-Droid. And building on their farm means that you have to trust them, and their build farm becomes a prime target if you want to infect lots of apps at once. In the play store, you sign your build, and Android will only let you install builds signed with that same key as updates. By moving the signing to F-Droid, you have to completely trust them.

[j_s]

I assume the Docker image provided by Signal does reproduce the Android build, but since the Docker image is a giant non-reproducible binary blob it is (as stated in the blog post) a "weekend hack" rather than a useful reproducible build system.

https://news.ycombinator.com/item?id=11403867

[kuschku]

F-Droid also has reproducible builds – and not just ones where you have to download a binary from a questionable source and use it to compile things.

You can sign with your own key on F-Droid, too – if you use their way of dealing with reproducible builds.

[yarou]

> By moving the signing to F-Droid, you have to completely trust them.

Which you do anyway if you use Google Play Services.

...

[maxerickson]

A user that is prepared to access the apk can verify the signature of the app they have on their device.

(So the compromise of F-Droid that results in a signed, compromised binary can't happen on Google Play, the apk is signed before it is sent to the store)

[neerdowell]

What does Play Services have to do with anything? APKs downloaded from the Play Store are signed by a key the developer holds and validated by Android's PackageManagerService which is open source.