[guardian-dev] Complete, reproducible app distribution achieved!

Hans-Christoph Steiner hans at guardianproject.info
Thu Feb 12 05:19:38 EST 2015


It makes a lot of sense to make Orbot use this process.  It'll be a much more
elaborate process though, unfortunately, because of all the native bits.  We
need to figure out a common way to log the build setup, things like NDK
version, versions of SDK platform-tools, build-tools, etc.  Then there needs
to be a way to easily reproduce that setup.  I think that will be something
like what gitian does: builds up a VM instance with all the same versions used
for the original build.

Right now, getting an app into FDroid with this process relies on timing: the
APK submitted in the Binaries: field needs to be built with all the same
versions that the f-droid.org build server is running.  So it means syncing up
versions with f-droid.org (they are usually quite quick to update all things
except the NDK).

.hc

Nathan of Guardian:
>  
> This is really fantastic. I can't wait to get Orbot moved over.
> 
> 
> On Wed, Feb 11, 2015, at 02:53 PM, Hans-Christoph Steiner wrote:
>>
>> new blog post:
>> https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/
>>
>> With F-Droid, we have been working towards getting a complete app
>> distribution channel that is able to reproducibly build each Android app
>> from source. While this may sound like a mundane detail, it does provide
>> lots of tangible benefits. First, it means that anyone can verify that the
>> app that they are using is 100% built from the source code, with nothing
>> else added. That verifies that the app is indeed 100% free, open source
>> software.
>>
>> It also verifies that there have not been any malicious bits of code added
>> into the app during the build process. As has been demonstrated in the 31c3
>> Reproducible Builds talk, just flipping a single bit is enough to create a
>> usable exploit in an app.
>>
>> The F-Droid project is leading the way with its system for publishing
>> verified builds. We now have our first full example, building upon our
>> previous work with making Lil’ Debi build reproducibly. We started with our
>> simple little utility app Checkey since it has few moving parts (first get
>> one working, then the rest).
>>
>> When you download Checkey from f-droid.org, you will get an APK that was
>> signed using the official Guardian Project offline signing key that was
>> built by f-droid.org. No, we did not give them a copy of our key; instead,
>> the fdroid publish process now looks for the Binaries: tag in the build
>> recipe. If it sees that, it downloads that APK, then builds the app from
>> source, then checks to make sure that they match using a simple diff of the
>> APK contents and by checking that the signature on the official APK also
>> validates on the APK that f-droid.org built.
>>
>> Now that we have our little Checkey working, we can work towards getting
>> all of our apps verifying in the same way, eliminating a whole field of
>> exploits that we have to worry about. You can follow the progress of this
>> work on the F-Droid wiki Reproducible Builds page, and learn about a future
>> application of it on the Verification Server page.
>>
>> The next two apps that are in the reproducible pipeline are LEAP's Bitmask
>> and our LocationPrivacy.
>>
>> .hc

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
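The check the quoted blog post describes (diff the published APK against the one f-droid.org built from source, then confirm that the publisher's signature also holds for the rebuilt archive) can be sketched as follows. This is an added example, not fdroidserver's own code: the tiny in-memory "APKs" are constructed here, the META-INF/CERT.SF and CERT.RSA entries are placeholders, and the final PKCS#7 verification of the .RSA block over the .SF file is assumed to be done separately (with jarsigner or apksigner) rather than implemented. What the code does verify is the part that makes the signature transfer: a JAR signature signs the MANIFEST.MF digests, so if every digest in the official manifest also matches the rebuilt APK's bytes, the official signature is equally valid for the rebuilt APK.

```python
"""Reproducible-build check for APKs: diff contents minus signature files,
then verify the official MANIFEST.MF digests against the rebuilt APK.
Added example; sample archives below are constructed, not real apps."""
import base64
import hashlib
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for the JAR-signature files the content diff must ignore."""
    return name == "META-INF/MANIFEST.MF" or (
        name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES))


def content_entries(zf):
    """Map entry name -> bytes for every non-signature entry."""
    return {n: zf.read(n) for n in zf.namelist() if not is_signature_entry(n)}


def diff_apks(official, rebuilt):
    """Names of entries that are missing from one side or differ in bytes."""
    a, b = content_entries(official), content_entries(rebuilt)
    return [n for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]


def parse_manifest(text):
    """Parse MANIFEST.MF into {entry name: {header: value}}.
    A line starting with a space continues the previous header line."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" "):
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    sections, cur = {}, {}
    for line in unfolded + [""]:          # blank line ends a section
        if line == "":
            if "Name" in cur:             # the main section has no Name
                sections[cur["Name"]] = cur
            cur = {}
            continue
        key, _, value = line.partition(": ")
        cur[key] = value
    return sections


def manifest_digests_hold(official, rebuilt):
    """Every *-Digest header in the official manifest must match the bytes
    of the same entry in the rebuilt APK; this is what the .SF/.RSA sign."""
    sections = parse_manifest(official.read("META-INF/MANIFEST.MF").decode())
    present = set(rebuilt.namelist())
    for name, headers in sections.items():
        if name not in present:
            return False
        data = rebuilt.read(name)
        for header, value in headers.items():
            if header.endswith("-Digest"):
                algo = header[:-len("-Digest")].replace("-", "").lower()
                if hashlib.new(algo, data).digest() != base64.b64decode(value):
                    return False
    return bool(sections)


def make_manifest(entries):
    """SHA-256 manifest as a signing tool would write it (sample construction)."""
    out = ["Manifest-Version: 1.0", ""]
    for name, data in sorted(entries.items()):
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        out += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return "\r\n".join(out) + "\r\n"


def build_apk(entries, signed=False):
    """In-memory zip standing in for an APK; .SF/.RSA are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", make_manifest(entries))
            zf.writestr("META-INF/CERT.SF", b"placeholder-signature-file")
            zf.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7-block")
    buf.seek(0)
    return zipfile.ZipFile(buf)


def transplant_signature(official, rebuilt):
    """Copy the official signature files onto the rebuilt APK. Only valid
    after diff_apks() is empty and manifest_digests_hold() is True."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out:
        for name in rebuilt.namelist():
            if not is_signature_entry(name):
                out.writestr(name, rebuilt.read(name))
        for name in official.namelist():
            if is_signature_entry(name):
                out.writestr(name, official.read(name))
    buf.seek(0)
    return zipfile.ZipFile(buf)


SOURCE_BUILD = {  # constructed sample contents, not a real app
    "AndroidManifest.xml": b"<manifest package='example.checkey'/>",
    "classes.dex": b"dex\n035\x00" + bytes(range(32)),
    "res/layout/main.xml": b"<LinearLayout/>",
}


def demo():
    """Clean rebuild passes both checks; a single flipped bit fails both."""
    official = build_apk(SOURCE_BUILD, signed=True)
    rebuilt = build_apk(SOURCE_BUILD)
    dex = SOURCE_BUILD["classes.dex"]
    evil = build_apk({**SOURCE_BUILD, "classes.dex": bytes([dex[0] ^ 1]) + dex[1:]})
    return {
        "clean_diff": diff_apks(official, rebuilt),
        "clean_digests": manifest_digests_hold(official, rebuilt),
        "tampered_diff": diff_apks(official, evil),
        "tampered_digests": manifest_digests_hold(official, evil),
    }
```

This holds for JAR (v1) signing, which signs per-entry digests, so the build only has to reproduce each file's bytes; a scheme that signs the whole archive (APK Signature Scheme v2) would require a byte-identical zip, which is why the build-environment versions Hans mentions above matter even more there.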