Please fix build reproducibility
Your verification script claims

```
# Remove the signature since OSS users won't have Muuns private signing key
```

but then goes on to remove all the content of `META-INF` and `resources.arsc`.

While the former is probably benign, as `META-INF` content won't be executed or displayed in the app, removing `resources.arsc` from the diff is not ok.
As my review shows, the diff boils down to just one line in the `strings.xml`:

```
$ apktool d -o apkGoogle Muun\ 46.10\ \(io.muun.apollo\).apk
$ apktool d -o apkBuild apolloui-prod-release-unsigned.apk
$ diff --brief --recursive apkBuild apkGoogle
Files apkBuild/apktool.yml and apkGoogle/apktool.yml differ
Only in apkGoogle/original/META-INF: APOLLORE.RSA
Only in apkGoogle/original/META-INF: APOLLORE.SF
Files apkBuild/original/META-INF/MANIFEST.MF and apkGoogle/original/META-INF/MANIFEST.MF differ
Files apkBuild/res/values/strings.xml and apkGoogle/res/values/strings.xml differ
$ diff apkBuild/res/values/strings.xml apkGoogle/res/values/strings.xml
77c77
< <string name="com.crashlytics.android.build_id">e0c37a103082460fbf95f3c097222e61</string>
---
> <string name="com.crashlytics.android.build_id">95a3152a98594e8ca1324bdefd26a5b9</string>
```
Crashlytics is a convenient library but also an increased attack surface and if their tools are not compatible with reproducible builds, then that’s another reason for not using them.
Please fix reproducibility. I would really love to add Muun to the “reproducible” section at https://walletscrutiny.com/
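As an added example (this is not Muun's verification script and not code from the original issue), the check below compares two APKs the way the issue asks for: it excludes only the JAR-signature entries (`META-INF/MANIFEST.MF` and the `.RSA`/`.DSA`/`.EC`/`.SF` blocks under `META-INF/`) and reports every other difference, `resources.arsc` included, so a build-id that leaks into the resource table is surfaced rather than hidden. The two APKs are constructed in memory with placeholder contents; the entry contents and the `PLACEHOLDER_BUILD_ID_*` strings are assumptions made for the demonstration, not data from the page.

```python
"""Compare two APKs for reproducibility, excluding only JAR-signature entries."""
import hashlib
import io
import zipfile

# Only the entries produced by the JAR signer legitimately differ between an
# unsigned local build and the signed store APK. Everything else, resources.arsc
# and any non-signature file under META-INF included, must match byte for byte.
SIGNATURE_ENTRIES = ("META-INF/MANIFEST.MF",)
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name: str) -> bool:
    """True only for the manifest and signature blocks written by the signer."""
    if not name.startswith("META-INF/"):
        return False
    return name in SIGNATURE_ENTRIES or name.upper().endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature zip entry of an APK to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(built: bytes, store: bytes) -> dict:
    """Report entries present in only one APK and entries whose content differs."""
    a, b = entry_digests(built), entry_digests(store)
    return {
        "only_in_built": sorted(set(a) - set(b)),
        "only_in_store": sorted(set(b) - set(a)),
        "differ": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def make_apk(entries: dict) -> bytes:
    """Build a constructed, minimal APK-like zip in memory (a fixture, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures (assumed contents): the store APK carries a signature
# block and a different build id inside resources.arsc; the code is identical.
COMMON = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "META-INF/services/example.Plugin": b"example.PluginImpl\n",  # non-signature, still compared
}
BUILT_APK = make_apk({
    **COMMON,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "resources.arsc": b"build_id=PLACEHOLDER_BUILD_ID_A",
})
STORE_APK = make_apk({
    **COMMON,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\nSHA-256-Digest: placeholder\n",
    "META-INF/APOLLORE.RSA": b"placeholder-signature-block",
    "META-INF/APOLLORE.SF": b"Signature-Version: 1.0\n",
    "resources.arsc": b"build_id=PLACEHOLDER_BUILD_ID_B",
})


def demo() -> dict:
    """Run the comparison on the constructed fixtures and print the verdict."""
    result = compare_apks(BUILT_APK, STORE_APK)
    for key, names in result.items():
        print(f"{key}: {names}")
    reproducible = not any(result.values())
    print("reproducible" if reproducible else "NOT reproducible")
    return result


if __name__ == "__main__":
    demo()
```

The verdict is "not reproducible" only because `resources.arsc` differs; the signature files are skipped, while the non-signature `META-INF/services/...` entry is still compared, which is the distinction the script in the issue collapses.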
Issue Analytics
- Created 2 years ago
- Reactions: 4
- Comments: 11 (4 by maintainers)
Top GitHub Comments
Hi there! We’re finally rolling out v49.10. We’ve fixed the issue with the SQLDelight Gradle Plugin generating non-reproducible code, as well as the issue @emanuelb reported, in which go 1.18 started embedding version control information in binaries, which made Go Mobile generate non-reproducible code depending on whether the local git repository where you build the apk had modified files or not.
Thank you for your reports and your patience!
There are about 10 reproducible Bitcoin wallets on the Play Store. Not having a reproducible build is a competitive disadvantage, especially when people use https://walletscrutiny.com/?verdict=reproducible&platform=android for their starting point.
Without a reproducible build, one might consider the wallet to be effectively closed-source, since it’s difficult or impossible to ascertain what sources were used for any particular APK.