Cannot verify the published app #10425
Comments
|
The article mention that we closed the issue
https://github.com/bitpay/copay/issues/9037
Which is incorrect. The author of the ticket closed the issue.
Are you the author of the article? Would you mind please to correct that?
Im pretty sure Android builds of angular application do not offer
deterministic builds. Do you having problems building the app or do issue
is that the resulting binary does not match the one published?
…On Fri, Dec 13, 2019, 10:02 PM Leo Wandersleb ***@***.***> wrote:
At the time of working on this article
<https://walletscrutiny.com/posts/2019/11/bitpay/> on the verifiability
of your PlayStore app, I failed to verify it. I would much appreciate if
you could provide better build instructions so that developers can verify
the app easily.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<https://github.com/bitpay/copay/issues/10425?email_source=notifications&email_token=AAAYEHDOMXJLU42W7JIU4N3QYQWEFA5CNFSM4J2X36LKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4IAO2DPQ>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAYEHG4XOQ47R4GFG2TYFTQYQWEFANCNFSM4J2X36LA>
.
|
|
Our findings are laid out in the article you read. May I take your comment as confirmation that you do not verify builds? I don't care about bit-wise deterministic builds but about verifiability. If engineer A on his machine that might have a code-swapping virus compiles the app, can engineer B verify the build or not? How high a bounty do you estimate to be for injecting such a virus on the release manager's machine? Would the release manager watch his family remain hostage before injecting malicious code? Those are the extreme fantasies that made me push for verifiability at Mycelium. |
|
thanks for the information Andreas, we will look into it.
…On Mon, Jan 6, 2020 at 12:57 PM AndreasGassmann ***@***.***> wrote:
Just FYI, we use the same stack (ionic + cordova) in our project AirGap
<https://airgap.it>. We use docker and our builds are deterministic, see
the discussion here <airgap-it/airgap-vault#13>.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<https://github.com/bitpay/copay/issues/10425?email_source=notifications&email_token=AAAYEHD7CEE5NXJJUBWB2O3Q4NIG7A5CNFSM4J2X36LKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIF3ZSY#issuecomment-571194571>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAYEHHNV4DQ6PTZTT27OATQ4NIG7ANCNFSM4J2X36LA>
.
--
Matías Alejo Garcia
@EMATIU
Roads? Where we're going, we don't need roads!
|
|
Three months later ... guys, your wallet has more than half a million downloads! It's negligence to not verify the release manager's build! He might have a backdoor on his machine or be put under duress to steal all the funds of all the users. How is the status of this issue? |
|
Hi @Giszmo, we are on the process of implement a build process based on docker, similar to the one AirGap (thanks again @AndreasGassmann ) is using. We will update this ticket one it is on production. Thanks for bringing this point to our attention. |
|
It's been a while. How are things going? Time to try rebuilding again?? |
|
Currently building the latest version fails: #11748 (comment) thus instructions on how to build latest version in container is the first step, @matiu is there any progress regarding Docker build stack mentioned in #10425 (comment) ? |
At the time of working on this article on the verifiability of your PlayStore app, I failed to verify it. I would much appreciate if you could provide better build instructions so that developers can verify the app easily.
The text was updated successfully, but these errors were encountered: