The funny part is that Signal and F-Droid both have their own reproducible build system, but they’re incompatible (part of that is that Signal requires proprietary code in its binary)
Theoretically, but when you throw in things like build systems often not being deterministic, minor versions of dependencies changing, different OS or slightly different OS version with different libraries; there's a multitude of places to throw the final binary off by a few bytes or more and end up with a different checksum.
Signal wants to distribute a binary with a checksum. Once the checksum is different all bets are off, that's why it's not in F-Droid
As if reproducible builds hadn't been done before. If Debian can get to building 80% of their packages reproducibly[1], the
communities around Android can get there too. Luckily, it's being worked on.[2]
Now the question is: (when) will this be supported by F-Droid?
Yeah, figured. They seem very inconsistent in applying their trust. At times they'll do strange things like build app on Chrome Apps platform / mandatory phone ID and on other times they'll make user-hostile decisions like hijacking SMS messages and refusing to publish to F-Droid due to "security".
The end result is an app that keeps shooting itself in the foot and being beaten by Messenger and WhatsApp.
