BouncyCastle

Thialfihar edited this page Feb 26, 2014 · 2 revisions

BouncyCastle (on github: bcgit/bc-java) is the Java library that implements most of the PGP logic. APG basically wraps around it and provides the user interface and key management on Android.

There is a BC version on Android, but it is crippled for whatever reason, so it cannot be used for PGP. And even if it were available completely on Android, it'd be worth noting that it is hard to know whether it was changed in any way in any particular Android installation (by Google, a third-party brand, a ROM customizer, etc.).

So we need to put our own BC libs into the app and also change the package name (org.bouncycastle), so it doesn't conflict with the BC already on the phone.

OpenPGP-Keychain uses a raw copy of rtyley/spongycastle, a fork of BouncyCastle specifically for Android, changing the package name to org.spongycastle.

I think there are two problems with this:

  • Using the copy of the files inside the OpenPGP-Keychain project makes it hard to update them and push potential fixes in BC into the project.
  • Unfortunately, spongycastle deleted the files and recreated them in the directory, rather than using "git mv", making it almost impossible to see whether the code itself was changed at the same time, which results in the same theoretical concern as mentioned above. (Perhaps the commit history could be fixed, @rtyley?)

I tried to address both issues by creating bc-java-for-apg, which includes github:bcgit/bc-java as a submodule and has a gradle build script that uses the latest bc-java code directly to repackage it with a new name (in this case org.bouncycastle2).

bc-java-for-apg itself is a submodule for APG and is automatically built and included by APG, without the need for changed BC code or duplication inside another project. It could even work for other projects, as long as they place the submodule at /libs/bc inside their gradle root project directory.

Build instructions are given in the README, and I think they show that this is a very clean and safe alternative.
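
The concern raised above, that a renamed copy of BouncyCastle is hard to compare against upstream, can be checked mechanically. The following Python script is an added example, not part of bc-java-for-apg, APG or spongycastle: it maps the renamed package back to org.bouncycastle in paths and file contents, then reports files that still differ. The function names, directory layout and sample trees are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

UPSTREAM_PKG = "org.bouncycastle"  # package name used by bcgit/bc-java


def normalized_hashes(root, pkg):
    """Hash every .java file under root after mapping pkg back to UPSTREAM_PKG
    in both the relative path and the file contents."""
    pkg_dir, up_dir = pkg.replace(".", "/"), UPSTREAM_PKG.replace(".", "/")
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".java")):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read().replace(pkg.encode(), UPSTREAM_PKG.encode())
            hashes[rel.replace(pkg_dir, up_dir)] = hashlib.sha256(data).hexdigest()
    return hashes


def compare_trees(upstream_root, fork_root, fork_pkg):
    """Return (changed, only_upstream, only_fork): files that differ beyond
    the package rename, and files present on one side only."""
    up = normalized_hashes(upstream_root, UPSTREAM_PKG)
    fk = normalized_hashes(fork_root, fork_pkg)
    changed = sorted(p for p in up.keys() & fk.keys() if up[p] != fk[p])
    return changed, sorted(up.keys() - fk.keys()), sorted(fk.keys() - up.keys())


def write_tree(root, pkg, files):
    """Helper for the constructed sample: write {filename: body} under pkg."""
    pkg_path = os.path.join(root, *pkg.split("."))
    os.makedirs(pkg_path, exist_ok=True)
    for name, body in files.items():
        with open(os.path.join(pkg_path, name), "w") as fh:
            fh.write("package %s;\n%s\n" % (pkg, body))


def demo():
    """Constructed sample trees (not real BouncyCastle sources)."""
    with tempfile.TemporaryDirectory() as tmp:
        up, fork = os.path.join(tmp, "upstream"), os.path.join(tmp, "fork")
        write_tree(up, UPSTREAM_PKG, {"A.java": "class A {}", "B.java": "class B { int n = 1; }"})
        write_tree(fork, "org.bouncycastle2", {"A.java": "class A {}",
                                               "B.java": "class B { int n = 2; }",
                                               "C.java": "class C {}"})
        return compare_trees(up, fork, "org.bouncycastle2")
```

Every path in the first or third list needs manual review; a fork that also renames identifiers other than the package (for example a provider name) will show those files as changed as well.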
