
WalletScrutiny.com - Reproducibility Report for version 5.0.6 #271

@xrviv

Hello team Blockstream,

Danny here from WalletScrutiny.com

Attached herewith is my report on the reproducible build for Blockstream Green

Reproducibility Issues with Blockstream Green Android v5.0.6

Overview

We've conducted a reproducibility verification of Blockstream Green Android wallet v5.0.6 and found that the build process does not produce a binary that matches the one distributed through the Google Play Store. We'd like to share our findings and work together to improve the reproducibility of the app.

Build Environment

Findings

When comparing the built APK with the official APK from Google Play, we found the following differences:

  1. Dex Files: Differences in classes3.dex which affect the reproducibility of the build
  2. Profile Files: Differences in /assets/dexopt/baseline.prof (Android's Ahead-of-Time compilation optimization profiles)
  3. Signature Files: Expected differences in /META-INF/ (GREENADD.RSA, GREENADD.SF, MANIFEST.MF)

While signature differences are expected between a signed release APK and an unsigned build APK, the differences in the dex files and baseline profiles are significant and indicate that the build process does not produce the same functional code as the official release.

Build Process

The app was built using the following commands:

./gradlew useBlockstreamKeys
./gradlew -x test clean assembleProductionGoogleRelease

Questions and Suggestions

  1. Are there specific build parameters or environment variables that need to be set to ensure reproducibility?
  2. Could there be non-deterministic elements in the build process that are causing these differences?
  3. Would it be possible to provide a more detailed build documentation or a Dockerfile that ensures reproducible builds?
  4. Have you considered implementing a reproducible build verification process as part of your CI/CD pipeline?

We'd be happy to collaborate on improving the reproducibility of the build process. Reproducible builds are crucial for security and transparency, allowing users to verify that the code they're running matches the published source code.

Thank you for your attention to this matter. We look forward to your response.

Additional Information

  • Full build logs and detailed comparison results are available upon request
  • [WalletScrutiny verification report](actual link auto-removed by Blockstream for security reasons)

2025-07-07.1304.blockstream.green_v5.0.6.log
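The entry-by-entry comparison the report describes (identical content everywhere except the signature files in /META-INF/, a dex file and the baseline profile) can be reproduced with a short script. The following is an added example, not WalletScrutiny's or Blockstream's tooling: it hashes every zip entry of two APKs, classifies differences as "expected" (v1 JAR signature files that only a signed store APK carries) or "unexpected" (anything else), and reports the build as reproducible only when the unexpected list is empty. The two APKs it compares are constructed in memory with made-up contents so it runs offline; the entry names mirror the ones in the report.

```python
"""
Compare two APKs entry by entry and classify the differences.

Added example, not WalletScrutiny's or Blockstream's tooling. The sample
APKs below are constructed in memory so the script runs offline; the entry
names mirror the report (classes3.dex, assets/dexopt/baseline.prof,
META-INF/GREENADD.*), and their contents are made up.
"""
import hashlib
import io
import zipfile

# Files that legitimately differ between a signed store APK and an
# unsigned local build: the v1 (JAR) signature block and its manifest.
EXPECTED_DIFF_PREFIXES = ("META-INF/",)
EXPECTED_DIFF_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def entry_digests(apk_bytes):
    """Map each zip entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def is_signature_file(name):
    """True for v1 signature artefacts that an unsigned build will not carry."""
    return name.startswith(EXPECTED_DIFF_PREFIXES) and name.endswith(EXPECTED_DIFF_SUFFIXES)


def compare_apks(official_bytes, built_bytes):
    """
    Return a classification of the differences between two APKs.

    'expected' holds signature-related entries (present only in the signed
    official APK, or differing); 'unexpected' holds every other entry that
    differs, is missing, or is extra. The build counts as reproducible, in
    the sense used by the report, only when 'unexpected' is empty.
    """
    official = entry_digests(official_bytes)
    built = entry_digests(built_bytes)
    expected, unexpected = [], []
    for name in sorted(set(official) | set(built)):
        if name in official and name in built and official[name] == built[name]:
            continue
        if name not in built:
            status = "only in official"
        elif name not in official:
            status = "only in build"
        else:
            status = "content differs"
        (expected if is_signature_file(name) else unexpected).append((name, status))
    return {"expected": expected, "unexpected": unexpected,
            "reproducible": not unexpected}


def make_apk(entries):
    """Build a minimal zip in memory from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: identical classes.dex, divergent classes3.dex and
# baseline profile, and a v1 signature present only in the store APK.
OFFICIAL_APK = make_apk({
    "AndroidManifest.xml": b"manifest-v1",
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "classes3.dex": b"dex\n035\x00" + b"B" * 64,
    "assets/dexopt/baseline.prof": b"pro\x00" + b"P" * 16,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/GREENADD.SF": b"Signature-Version: 1.0\n",
    "META-INF/GREENADD.RSA": b"\x30\x82" + b"\x00" * 32,
})
BUILT_APK = make_apk({
    "AndroidManifest.xml": b"manifest-v1",
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "classes3.dex": b"dex\n035\x00" + b"C" * 64,
    "assets/dexopt/baseline.prof": b"pro\x00" + b"Q" * 16,
})


def main():
    result = compare_apks(OFFICIAL_APK, BUILT_APK)
    for name, status in result["expected"]:
        print(f"expected   {status:18} {name}")
    for name, status in result["unexpected"]:
        print(f"UNEXPECTED {status:18} {name}")
    print("reproducible:", result["reproducible"])


if __name__ == "__main__":
    main()
```

Two caveats when running this against real files: the APK v2/v3 signature lives in the APK Signing Block between the zip entries and the central directory, not in a zip entry, so it never shows up in this listing and needs a separate check (for example with apksigner), and a "content differs" verdict on a dex file only says that the bytes differ; tracing it to a cause (build timestamp, nondeterministic class ordering, different R8/D8 or AGP version) still requires a content-aware diff such as diffoscope.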
