Does anyone know why syncthing-fork is no longer available on Github?

Two new releases have now been cut with built APKs and archives, now without signatures. Who knows if the released APKs are built from the repo’s visible source code now.

I was using Obtainium to install this which watches for new updates from GitHub URLs. Normally it would have installed these since Github is silently redirecting to this new GitHub account with no other history.

The only reason it did not install these is that Obtainium left a couple of 404 error notifications, from while the forwarding was not yet in effect, that I had not swiped away.

I have set it to ‘track-only’ and not install updates. The speed of this ‘takeover’ would have allowed this to install directly onto my device if I had been less diligent.

I ran the two patches through gpt-5.1-codex and the findings are below. The notable part is that APK and release signing has been removed. This is not malicious in itself, but it is certainly questionable that a new GitHub account is silently taking over and releasing APKs of it within hours of speaking semi-publicly in their fresh new locked-down repo (only to collaborators).


Across the two handover releases, every visible reference to the old “Catfriend1” stewardship was switched to the new “researchxxl” GitHub account. That includes README badges, issue links, privacy policy, FDroid metadata, Android resource strings, localized Play Store descriptions, build scripts, helper scripts, and wiki pages. Gradle and Android project files now read signing values from local.properties if environment variables are absent, and the version code/name moved to 2.0.11.3. GitHub workflows were also retuned—debug builds are tied to an environment, and releases are now created through a manual workflow_dispatch job instead of automatic tag pushes.

The more significant change in terms of supply-chain confidence is that all of the GPG-based verification tooling was removed. The wiki section that hosted Catfriend1’s public key, the instructions for checking signed checksums, and the dedicated release notes about GPG validation were deleted. Matching that documentation change, the CI release workflow no longer generates SHA256 checksum files nor signs them with the project’s GPG key; completed releases are simply uploaded as unsigned APKs. That means users no longer have a built-in way to verify that an official build matches the source code in the repository, increasing reliance on the new maintainer’s goodwill even though the application’s source itself hasn’t been modified beyond the rebranding.

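Added example, not code from the post or from the syncthing-fork project: the verification step that the findings above say the release workflow no longer supports, written the way an updater would run it before handing an asset to the installer. It assumes a release ships an APK beside a SHA256SUMS file and a detached SHA256SUMS.asc signature, and that the maintainer's public key was imported earlier into a pinned keyring from a trusted channel; those file and keyring names are assumptions, not the project's actual asset names.

```shell
#!/bin/sh
# Added example: verify a release asset against a GPG-signed checksum file,
# failing closed when the signature is missing. Asset and keyring names are
# assumptions for illustration, not the syncthing-fork project's own.

# Require a detached signature over the checksum file and verify it against
# the pinned keyring. Returns 2 if the signature file is absent, 3 if gpg
# rejects it. Without this step a checksum file only proves self-consistency.
require_signature() {
  sums=$1; sig=$2; keyring=$3
  if [ ! -f "$sig" ]; then
    echo "refusing: no detached signature ($sig) for $sums" >&2
    return 2
  fi
  if ! gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums" 2>/dev/null; then
    echo "refusing: signature on $sums did not verify against pinned key" >&2
    return 3
  fi
}

# Check one asset's SHA-256 against the (already verified) checksum file.
# Handles both "hash  name" and "hash *name" (binary mode) line formats.
# Returns 4 if the asset is not listed, 5 if the digest does not match.
check_sha256() {
  asset=$1; sums=$2
  name=$(basename "$asset")
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "refusing: $name not listed in $sums" >&2
    return 4
  fi
  actual=$(sha256sum "$asset" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "refusing: digest mismatch for $name" >&2
    return 5
  fi
}

# verify_release <asset> <SHA256SUMS> <SHA256SUMS.asc> <keyring.gpg>
# Signature first, then digest: only an asset passing both should be installed.
verify_release() {
  require_signature "$2" "$3" "$4" || return $?
  check_sha256 "$1" "$2" || return $?
}
```

When the signature file is absent, as in the releases described above, verify_release stops with status 2 instead of falling back to an unsigned checksum, which is exactly the fallback an automatic updater must not make.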