This is an automated log of the Android SDK binaries and their checksums, as posted in the sdkmanager repositories hosted on https://dl.google.com/android/repository
This serves as a basic binary transparency append-only log for anyone to use. One of the key properties of any good binary repository is that the binaries never change once they have been published. Maven has been promising this since 2009 at least. F-Droid has for most of its history. Occasionally, Google forgets this, and changes packages that have already been published:
This can also be used as a basic JSON API by getting the JSON files via the raw links:
If there is an F-Droid buildserver instance set up on a machine, it
will cache the Android SDK components in
~/.cache/fdroidserver. There is a script here to log all of the
Android SDK binaries found in that folder:
./index-cache-fdroidserver.py. Run that script on the machine and
user account that runs the buildserver instance, and it will add any
unknown packages it finds to the local checksums.json. If there are
no changes to checksums.json after that script successfully
completes, that means no unknown packages were found.
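
The append-only property can be checked by comparing two snapshots of checksums.json, for example before and after running the script. The sketch below is an added example, not code from this repository. It assumes each download URL maps to a list of objects with a "sha256" field, and that a republished binary appears as an extra digest under the same URL. The URLs, digests and the function name compare_logs are constructed for illustration.

```python
"""Compare two snapshots of checksums.json for append-only violations."""
import json

BASE = "https://dl.google.com/android/repository/"

# Constructed snapshots. Assumed layout: URL -> list of {"sha256": hex digest}.
OLD = {
    BASE + "example-tools_r1.zip": [{"sha256": "a" * 64}],
    BASE + "example-platform_r2.zip": [{"sha256": "b" * 64}],
    BASE + "example-ndk_r3.zip": [{"sha256": "c" * 64}],
}
NEW = {
    BASE + "example-tools_r1.zip": [{"sha256": "a" * 64}],
    BASE + "example-platform_r2.zip": [{"sha256": "b" * 64}, {"sha256": "d" * 64}],
    BASE + "example-ndk_r3.zip": [{"sha256": "e" * 64}],
    BASE + "example-build_r4.zip": [{"sha256": "f" * 64}],
}


def digests(entries):
    """Return the set of SHA-256 digests recorded for one URL."""
    return {entry["sha256"].lower() for entry in entries}


def compare_logs(old, new):
    """Classify every URL whose record differs between the two snapshots."""
    report = {"added": [], "removed": [], "changed": []}
    for url in sorted(old.keys() | new.keys()):
        before = digests(old.get(url, []))
        after = digests(new.get(url, []))
        if not before:
            report["added"].append(url)    # new package: a normal append
        elif not before <= after:
            report["removed"].append(url)  # a logged digest vanished: log was rewritten
        elif after - before:
            report["changed"].append(url)  # same URL, new binary: upstream republished
    return report


if __name__ == "__main__":
    print(json.dumps(compare_logs(OLD, NEW), indent=2))
```

Only "added" entries are consistent with an append-only log of immutable binaries. A "changed" entry means a published package was replaced upstream, and a "removed" entry means the log itself lost history.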
There are locally verified, GPG-signed versions of checksums.json available in the signed/ sub-directory: