[guardian-dev] deterministic, repeatable build of LilDebi
Michael Rogers
michael at briarproject.org
Sat Apr 12 10:31:52 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 12/04/14 09:02, Abel Luck wrote:
>> This makes a build that is the same in terms of the jar/APK
>> signature (i.e. the files in the APK that are in META-INF/). So
>> it should now be possible to build your own APK, then take the
>> APK that I built and swap in my META-INF files. Then the APK
>> that you built will have my signature on it.
>>
>> This process does not yet produce APKs with the exact same hash.
>> There are differences in sort order of the files in the manifest,
>> timestamps on files, etc. that change the hash.
>>
>
> Great news Hans!
Seconded, this is really cool!
> Are those differences you mentioned important, or could we write a
> script to "normalize" an APK. It would use a defined sort order,
> some made up timestamp we all agree on, etc. Would that be
> feasible?
An APK is a jar is a zip - I don't think the command line jar tool
allows you to specify the timestamps or the order of the manifest, but
we should be able to knock something together using java.util.zip...
Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBCAAGBQJTSU5XAAoJEBEET9GfxSfMWIwIAMJAnWCJKCuINMXWMHz6fiGg
HgnLBIZwxakhhsR6VsHsDPwh1lhttyBkyfp6B/NjuFYT/PsYQ3Nc2FTGQKE3BY+L
8hG0OSAk4LKQ0CjT4hQB1yGRo0hHu+fTumHFmEiwkFiXohaebcKVJdCfVEjc9pyX
9mSvyN5YaVpUF7M4toPm/PHR9lzCl/e9cRtweCMLFGeDHYmQaiCqaed2BuPLstsp
p42Q97mHEwXciP7cAhMe5wVlvf2nUlcx2VMRYPZfWE20sW1agM1Vq0OgmiGZgzJq
GJl8jxW5roevW3cACT2jRtciGm1imYVbnb+x8a9jA0LFC8YUs0FkfELiYqK0K1w=
=aV5V
-----END PGP SIGNATURE-----
More information about the Guardian-dev
mailing list