Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Please fix build reproducibility
See original GitHub issueYour verification script claims
# Remove the signature since OSS users won't have Muuns private signing key
but then goes to remove all the content of META-INF and resources.arsc.
While the former is probably benign as META-INF content won’t be executed or displayed in the app, removing resources.arsc from the diff is not ok.
As my review shows, the diff boils down to just one line in the strings.xml:
$ apktool d -o apkGoogle Muun\ 46.10\ \(io.muun.apollo\).apk
$ apktool d -o apkBuild apolloui-prod-release-unsigned.apk
$ diff --brief --recursive apkBuild apkGoogle
Files apkBuild/apktool.yml and apkGoogle/apktool.yml differ
Only in apkGoogle/original/META-INF: APOLLORE.RSA
Only in apkGoogle/original/META-INF: APOLLORE.SF
Files apkBuild/original/META-INF/MANIFEST.MF and apkGoogle/original/META-INF/MANIFEST.MF differ
Files apkBuild/res/values/strings.xml and apkGoogle/res/values/strings.xml differ
$ diff apkBuild/res/values/strings.xml apkGoogle/res/values/strings.xml
77c77
< <string name="com.crashlytics.android.build_id">e0c37a103082460fbf95f3c097222e61</string>
---
> <string name="com.crashlytics.android.build_id">95a3152a98594e8ca1324bdefd26a5b9</string>
Crashlytics is a convenient library but also an increased attack surface and if their tools are not compatible with reproducible builds, then that’s another reason for not using them.
Please fix reproducibility. I would really love to add Muun to the “reproducible” section at https://walletscrutiny.com/
Issue Analytics
- State:
- Created 2 years ago
- Reactions:4
- Comments:11 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Hi there! We’re finally rolling out v49.10. We’ve fixed the issue with the SQLDelight Gradle Plugin generating non-reproducible code, as well as the issue @emanuelb reported, in which go 1.18 started embedding version control information in binaries, which made Go Mobile generate non-reproducible code depending on whether the local git repository where you build the apk had modified files or not.
Thank you for your reports and your patience!
There are about 10 reproducible Bitcoin wallets on the Play Store. Not having a reproducible build is a competitive disadvantage, especially when people use https://walletscrutiny.com/?verdict=reproducible&platform=android for their starting point.
Without a reproducible build, one might consider the wallet to be effectively closed-source, since it’s difficult or impossible to ascertain what sources were used for any particular APK.