2020-08-17: [VWS/Covid19NotificationApp] Reproducible Builds #14
Comments
This #9 would have been a nice way to do that, however it has some showstoppers. Would have a check effect as F-Droid also has its own reproducible builds.
The steps you describe are mostly correct, you'd also have to set
Getting the app from the store is tricky, there's no official way to retrieve it from the Play Store AFAIK. As for coming up with the steps, we'd appreciate help from the community here. Our primary proof of what is shipped is currently through the auditing process, and in that process the process from source to build to deployment has also been vetted.
You can list the path to the apk of an installed package with
The build process should also produce an apk at some point. The apks can then be compared with
It's probably better to diff base.apk only, since the produced APK will be a universal APK, while the Play Store will serve only the base apk + the splits that are needed for the device. Here's a starting point to try:
Running this there are still some resource differences (the Play Store can optimise these) and only one diff in a decompiled source file, which might be due to some compilation differences on my local machine or R8, but I'm not sure. Pretty close though! The other APKs on the device are for languages and resources; again those might be optimised by the Play Store and therefore differ from what
Would be great if folks can try, comment and further document it.
Not sure if this mitigates the problem, but if one cannot pull a clean APK from the store, a decent alternative might be to have reproducible builds for an APK outside of the app store. The users who want that extra bit of proof can then manually install the app, and the vast majority who just want convenience can of course still use the store.
Describe the bug, issue or concern
As discussed previously in general at minvws/nl-covid19-notification-app-coordination#6, while it is great that the provenance chain has been audited (https://github.com/minvws/nl-covid19-notification-app-provenance), an even stronger verification that nowhere in the (technical) process a step was compromised would be to use Reproducible Builds to allow all citizens to independently verify that the published binaries in the Play Store are actually consistent with the tagged source code.
To Reproduce
Personally I'm not an Android developer, so I hope to learn from others in this thread.
The steps to check reproducibility are generally:
I can build the code with
./gradlew bundleRelease
(after generating a keystore and correctly setting the KEYSTORE_KEY_ALIAS, KEYSTORE_KEY_PASSWORD and KEYSTORE_PASSWORD environment variables). This produces app/build/outputs/bundle/prodRelease/covid-notificatie-v1.0.0-1-prod-release.aab, but I'm not sure yet if that's the right starting point and how to compare that to the packages from the Play Store.
I can understand if this is not the main focus of the VWS team right now, but I hope this issue might at least be a good place for contributors to share their knowledge and findings.
Expected behavior
It would be great if we could come up with the steps needed to independently validate the published packages correspond to the published source code. Of course it's only one link in the chain, but an important one!
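The comparison the thread converges on (pull the installed splits with `adb shell pm path` / `adb pull`, diff only base.apk against a locally built universal APK, and expect the signature files to differ because a different keystore was used) as an added, runnable example. This is not code from the issue thread or from the VWS project: it assumes you already have a locally built universal APK, that `adb` is on PATH with the device attached, and it takes the applicationId as an argument rather than guessing it. The sample APKs produced by build_sample_apks() are constructed zip files, not real builds, so the comparison can be exercised offline.

```python
# Added example, not code from the issue thread or from the VWS project: compare the
# entries of a locally built APK with those of the APK installed from the Play Store,
# ignoring the v1 signature files that necessarily differ when a different keystore is
# used. Only the Python standard library is needed; `adb` is invoked solely by
# pull_installed_apks() and is assumed to be on PATH with a device attached.
import hashlib
import subprocess
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Tuple

# JAR (v1) signature files under META-INF/. APK v2/v3 signatures live in the zip's
# signing block, not in an entry, so an entry-level comparison never sees them.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC", "/MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk: Path) -> Dict[str, str]:
    """SHA-256 of every file entry in the APK, keyed by entry name."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(local: Path, store: Path) -> Dict[str, List[str]]:
    """Classify entries as identical, changed, or present on only one side."""
    a, b = entry_digests(local), entry_digests(store)
    common = set(a) & set(b)
    return {
        "identical": sorted(n for n in common if a[n] == b[n]),
        "changed": sorted(n for n in common if a[n] != b[n]),
        "only_local": sorted(set(a) - set(b)),
        "only_store": sorted(set(b) - set(a)),
    }


def parse_pm_path(output: str) -> List[str]:
    """Parse `adb shell pm path <package>`: one 'package:/path' line per installed split."""
    return [ln[len("package:"):].strip() for ln in output.splitlines() if ln.startswith("package:")]


def base_apk(paths: List[str]) -> str:
    """The Play Store serves base.apk plus device-specific splits (languages, densities);
    only base.apk is comparable with a locally built universal APK."""
    for p in paths:
        if Path(p).name == "base.apk":
            return p
    raise ValueError("no base.apk among installed splits")


def pull_installed_apks(package: str, dest: Path) -> List[Path]:
    """Copy every installed split of `package` from the attached device into `dest`."""
    out = subprocess.run(["adb", "shell", "pm", "path", package],
                         check=True, capture_output=True, text=True).stdout
    pulled = []
    for remote in parse_pm_path(out):
        local = dest / Path(remote).name
        subprocess.run(["adb", "pull", remote, str(local)], check=True)
        pulled.append(local)
    return pulled


def build_sample_apks() -> Tuple[Path, Path]:
    """Constructed sample data (not real APKs): a 'local' build and a 'store' build that
    share code but differ in one resource, one extra store-side entry and their signatures."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "local.apk": {"AndroidManifest.xml": b"manifest", "classes.dex": b"dex",
                      "res/drawable/icon.png": b"png-as-built",
                      "META-INF/MANIFEST.MF": b"mf-local", "META-INF/CERT.SF": b"sf-local",
                      "META-INF/CERT.RSA": b"local-keystore"},
        "base.apk": {"AndroidManifest.xml": b"manifest", "classes.dex": b"dex",
                     "res/drawable/icon.png": b"png-optimised-by-store",
                     "resources.arsc": b"arsc",
                     "META-INF/MANIFEST.MF": b"mf-store", "META-INF/CERT.SF": b"sf-store",
                     "META-INF/CERT.RSA": b"upload-key"},
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(d / name, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
    return d / "local.apk", d / "base.apk"


if __name__ == "__main__":
    import sys
    # usage: compare_apk.py <applicationId> <path/to/locally-built-universal.apk>
    work = Path(tempfile.mkdtemp())
    installed = pull_installed_apks(sys.argv[1], work)
    result = compare_apks(Path(sys.argv[2]), Path(base_apk([str(p) for p in installed])))
    for kind, names in result.items():
        print(f"{kind}: {len(names)}")
        if kind != "identical":
            for n in names:
                print("  ", n)
```

Entries that land in `changed` or `only_store` are exactly the ones the thread expects to need explaining (resources the Play Store re-optimises, R8 or local toolchain differences); anything in `classes*.dex` that differs still has to be inspected with a decompiler, which this script does not attempt. Because the v2/v3 signing block is not a zip entry, the comparison is unaffected by the differing signing keys, but it also says nothing about who signed either file.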
Governance