PlayStore app is not verifiable. reproducible/deterministic build for Android #5839

Closed
Giszmo opened this issue Dec 14, 2019 · 9 comments
Labels: build/packaging 📦, OS-android 🤖, pull-request wanted 📣 (help would be much appreciated if you have expertise and time), reproducible/deterministic builds, security 🔐 (technical issue that affects security of funds)

@Giszmo (Author) commented Dec 14, 2019

At the time of writing this article, we were not able to verify that the build on Google Play matches the published code.

I know there is no claim otherwise, but this is a huge security issue and should be given priority, as it also means that even the other team members cannot verify what the release manager is doing, and he might be in distress ...

@SomberNight SomberNight added OS-android🤖 build/packaging 📦 security 🔐 technical issue that affects security of funds labels Dec 14, 2019
@SomberNight SomberNight changed the title PlayStore app is not verifiable PlayStore app is not verifiable. reproducible/deterministic build for Android Dec 14, 2019
@SomberNight SomberNight added the pull-request wanted 📣 Help would be much appreciated if you have expertise and time. label Dec 14, 2019
@SomberNight (Member) commented Dec 14, 2019

Yes, indeed, reproducible builds would be highly desired for all platforms.

Unfortunately, I expect it would be difficult to accomplish with the toolchain we use. (python-for-android / buildozer)
I guess a good first step would be to try to find another project that uses the same toolchain and has succeeded in reproducibility. I don't know of any... :/

Like it says in the relevant README, help would be welcome, as we are already stretched thin as-is.

@Giszmo (Author) commented Dec 16, 2019

A good start would be to make it build without the release key at all. For my project I allow certain diffs. If file timestamps differ, it's OK and probably will stay OK forever. If PNGs remain PNGs with the same size but some bits flipped, that's OK. If I can read the diff and see that it is not an exploit, it's kind of OK for now.

The above criteria are the basic requirements for team members to approve an APK. If the wallet does not comply with those, I have to assume that a gun to the release manager's head might be worth millions of dollars and that is not ok.

@Giszmo (Author) commented Mar 29, 2020

How is progress on this? 3.5 months passed ...

@SomberNight (Member)

Unless someone steps up to work on this, it will not happen in the near term.
The priority now is Lightning.

We know that reproducibility is very important. It is. However, resources are limited, and for keeping the project alive long term, Lightning is even more important.

@Giszmo (Author) commented Oct 1, 2020

Lightning works now I heard?

@SomberNight (Member)

Promising developments on the kivy side: kivy/python-for-android#2390

@SomberNight SomberNight modified the milestones: backlog, 4.2.0 Mar 27, 2021
@SomberNight SomberNight self-assigned this May 1, 2021
@SomberNight SomberNight modified the milestones: 4.2.0, 4.1.3 Jun 10, 2021
@SomberNight (Member) commented Jun 10, 2021

Now with #7263 merged, the next release (4.1.3) should be reproducible.

EDIT: I'll try to remember to add another comment here when that is released.

@SomberNight (Member)

4.1.3 is out and ThomasV and I have managed to build "matching" binaries (according to apkdiff.py) :)
Right now, the apks are only on the website; hopefully they are soon available on the Google Play Store too ("under review" there atm).
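As an added example (not the project's apkdiff.py, whose code is not shown here), this is the kind of check the approval criteria earlier in the thread describe: compare a store APK against a locally built one entry by entry, ignore zip timestamps entirely, set the signing files aside, and flag same-size PNGs for a human look instead of failing on them. The APKs it is exercised with are constructed in-memory zips, not real Electrum builds.

```python
import io
import zipfile
from collections import defaultdict

# Signing artifacts: a store-signed APK and an unsigned local build are expected
# to differ here, so they are reported on their own rather than as a failure.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def _is_signature(name):
    return name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)

def compare_apks(apk_a, apk_b):
    """Compare two APKs (bytes) entry by entry, by content only; zip timestamps
    are never consulted. Returns {verdict: sorted entry names}."""
    report = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_a)) as za, zipfile.ZipFile(io.BytesIO(apk_b)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        for name in sorted(names_a | names_b):
            if _is_signature(name):
                report["signature"].append(name)
            elif name not in names_b:
                report["only_in_a"].append(name)
            elif name not in names_a:
                report["only_in_b"].append(name)
            else:
                da, db = za.read(name), zb.read(name)
                if da == db:
                    report["identical"].append(name)
                elif name.endswith(".png") and len(da) == len(db):
                    # same-size PNG with some bits flipped: flagged for manual review
                    report["png_same_size"].append(name)
                else:
                    report["differs"].append(name)
    return dict(report)

def builds_match(report):
    """True when nothing outside the signing files differs, same-size PNGs aside."""
    return not any(report.get(k) for k in ("only_in_a", "only_in_b", "differs"))

def build_sample_apk(entries, date_time=(2020, 1, 1, 0, 0, 0)):
    """Constructed stand-in for an APK: a zip holding {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(zipfile.ZipInfo(name, date_time), data)
    return buf.getvalue()
```

A real run would read the two .apk files from disk and hand their bytes to compare_apks; anything listed under "differs" or "only_in_*" is what a second team member still has to explain before approving.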

@Giszmo (Author) commented Jun 18, 2021

Thanks guys! Can confirm that 4.1.4 is reproducible and updated the listing accordingly. I mentioned some details but overall it's usable as is.
