@charlag @snikket_im Verifying #ReproducibleBuilds on #Android is a bit more complicated than just hashing files. We actually use those signatures you mentioned for verification. The trick we came up with is to transplant APK signatures. So when a dev builds an APK, they can send us their signature for that specific build. We transplant it into an APK we've built. If it still works: voilà, reproducible apps built by #FDroid signed by their original authors.
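The idea described in the post, as an added example that is not part of the original post and is not F-Droid's tooling: it models only the per-file digest layer of a v1 (JAR-style) signature on constructed in-memory archives, and every function name and sample value is an assumption. Real verification also checks the `.SF` file and the signature block, and newer APK signature schemes cover the whole file rather than individual entries.

```python
import base64, hashlib, io, zipfile
SIG_DIR = "META-INF/"  # v1 (JAR-style) signature files live under this prefix

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_apk(entries):
    """Zip {name: bytes} in memory (stand-in for an APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def read_all(apk):
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {n: z.read(n) for n in z.namelist()}

def make_manifest(entries):  # simplified MANIFEST.MF, no 72-byte line wrapping
    out = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        out += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    return "\r\n".join(out).encode()

def parse_manifest(raw):
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
    return digests

def transplant(signed_apk, rebuilt_apk):  # rebuilt payload + developer's signature files
    payload = {n: d for n, d in read_all(rebuilt_apk).items() if not n.startswith(SIG_DIR)}
    sigs = {n: d for n, d in read_all(signed_apk).items() if n.startswith(SIG_DIR)}
    return build_apk({**payload, **sigs})

def digests_match(apk):
    """True if each payload entry hashes to the value in the signed manifest."""
    files = read_all(apk)
    signed = parse_manifest(files[SIG_DIR + "MANIFEST.MF"])
    actual = {n: b64_sha256(d) for n, d in files.items() if not n.startswith(SIG_DIR)}
    return signed == actual

# Constructed sample data, not a real app.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-bytes-v1"}
DEV_APK = build_apk({**PAYLOAD, SIG_DIR + "MANIFEST.MF": make_manifest(PAYLOAD)})
GOOD_REBUILD = build_apk(PAYLOAD)
DRIFTED_REBUILD = build_apk({**PAYLOAD, "classes.dex": b"dex-bytes-v2"})
```

`digests_match(transplant(DEV_APK, GOOD_REBUILD))` holds only when the rebuild reproduces every entry; the drifted rebuild fails the same check because the transplanted manifest no longer describes its `classes.dex`.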