verifying reproducible APKs: apksigcopier

Holger Levsen holger at
Mon Mar 29 12:25:46 UTC 2021

Hi Felix,

On Mon, Mar 29, 2021 at 03:02:33AM +0200, Felix C. Stegerman wrote:
> The F-Droid reproducible builds & verification effort recently led [1]
> to the development of apksigcopier [2], a tool to copy APK signatures
> from a signed APK to an unsigned one.

nice, that seems very useful! :) & thank you for bringing this up here!
> ( I've started packaging it for Debian [3] and intend to file an ITP
>   soon, but since I'm not a Debian developer -- yet, though I'd like
>   to become one -- I could use some help with that. )

I'd be glad to mentor a bit and sponsor your uploads.

> [3]

on a very quick look seems like a pretty good start!

debhelper-compat could be 13 and standards-version 4.5.1, and I'm pretty
sure d/copyright needs parts of the actual licence text and not only a
pointer. did you run lintian on the binary .changes file?

Please ping me / this list once the ITP bug is there and once you consider
the packaging to be ready!


 ⣾⠁⢠⠒⠀⣿⡁       holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

"There's no glory in prevention." (Christian Drosten)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the rb-general mailing list