Add information about who built the source code and signatures and reproducibility

Anna:

then why is there no information about new versions on the page sing-box Reproducibility Status

because the verification server did not get to that version yet

also, that is not used to publish builds, that is to check AGAIN, specially for apps that are NOT setup as reproducible

why are applications that did NOT pass the verification in the repository?

I’ve already answered that, that is never the case

eg. for version 1.3.22 you can look at the build log: sing-box | F-Droid - Free and Open Source Android App Repository → Version 1.13.8 (654) → Build Log

...
2026-04-15 22:33:58,947 DEBUG: Checking build/io.nekohasekai.sfa/clients/android/app/build/outputs/apk/other/release/SFA-1.13.8-unsigned.apk
2026-04-15 22:33:58,950 INFO: Successfully built io.nekohasekai.sfa:654 from d5adb54bc6c6b2c21ab6f748276c4ec62d9bb650
2026-04-15 22:33:58,975 INFO: Created directory for storing developer supplied reference binaries: 'unsigned/binaries'
2026-04-15 22:33:58,975 INFO: ...retrieving https://github.com/SagerNet/sing-box/releases/download/v1.13.8/SFA-1.13.8-universal.apk
2026-04-15 22:33:58,976 DEBUG: Starting new HTTPS connection (1): github.com:443
2026-04-15 22:33:59,251 DEBUG: https://github.com:443 "GET /SagerNet/sing-box/releases/download/v1.13.8/SFA-1.13.8-universal.apk HTTP/1.1" 302 0
2026-04-15 22:33:59,252 DEBUG: Starting new HTTPS connection (1): release-assets.githubusercontent.com:443
2026-04-15 22:33:59,343 DEBUG: https://release-assets.githubusercontent.com:443 "GET /github-production-release-asset/509091576/8af438ac-505e-4b5b-a550-cb4b4d027c06?sp=r&sv=2018-11-09&sr=b&spr=https&se=2026-04-15T23%3A13%3A42Z&rscd=attachment%3B+filename%3DSFA-1.13.8-universal.apk&rsct=application%2Fvnd.android.package-archive&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2026-04-15T22%3A13%3A15Z&ske=2026-04-15T23%3A13%3A42Z&sks=b&skv=2018-11-09&sig=1Xc7asQDruKJclAr8zeV6Arw84E3OFg8PLAnpcFlGYM%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc3NjI5NDIzOSwibmJmIjoxNzc2MjkyNDM5LCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.ZVCoXfsZlhWjgPTLHiE8aJbHrTo7ZWYv0dLx-yOkvDY&response-content-disposition=attachment%3B%20filename%3DSFA-1.13.8-universal.apk&response-content-type=application%2Fvnd.android.package-archive HTTP/1.1" 200 96268999
2026-04-15 22:34:01,497 DEBUG: unsigned/binaries/io.nekohasekai.sfa_654.binary.apk: Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1

skip useless warnings

2026-04-15 22:34:02,408 DEBUG: /tmp/tmp6wdu9nh0/sigcp_io.nekohasekai.sfa_654.apk: Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1

skip useless warnings

2026-04-15 22:34:02,408 INFO: ...successfully verified
2026-04-15 22:34:02,408 INFO: compared built binary to supplied reference binary successfully
2026-04-15 22:34:02,552 DEBUG: Using APK Signature v2
2026-04-15 22:34:02,555 INFO: supplied reference binary has allowed signer 32250a4b5f3a6733df57a3b9ec16c38d2c7fc5f2f693a9636f8f7b3be3549641
2026-04-15 22:34:02,558 INFO: success: io.nekohasekai.sfa
2026-04-15 22:34:02,558 INFO: Finished
2026-04-15 22:34:02,558 INFO: 1 build succeeded