Clarify Android/apk situation in docs/embedded-signatures/
While re-reading https://reproducible-builds.org/docs/embedded-signatures/ I stumbled over the parts about comparing builds while ignoring signatures:
Such a tool must be very easy to audit and understand. Otherwise, it’s hard to trust that the script is not ignoring bytes that would make it behave differently.
This is problematic, at least in the Android world. An app, the system, or other apps can explicitly query the signer of an application. Using this information, apps will act differently depending on the signature they get back. For example, an app signed by a specific developer might get elevated privileges, apps signed with the same developer key might get access to each other's private data directories, and perhaps the most obvious one:
An app can show a banner "this is an untrusted build" if it's signed with a key the developer didn't hard-code in the source of the app.
So while we can say "These two APKs are identical modulo signature", I'm currently unsure what this actually communicates to a user. It certainly doesn't mean they'll behave identically.