[guardian-dev] Complete, reproducible app distribution achieved!

Hans-Christoph Steiner hans at guardianproject.info
Fri Feb 13 05:12:52 EST 2015



str4d:
> Nathan of Guardian wrote:
> 
> 
>> On Wed, Feb 11, 2015, at 02:53 PM, Hans-Christoph Steiner wrote:
>>>
>>> new blog post: 
>>> https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/
>>>
>>> With F-Droid, we have been working towards getting a complete app
>>> distribution channel that is able to reproducibly build each 
>>> Android app from source.
> 
>> This is really fantastic. I can't wait to get Orbot moved over.
> 
> +1
> 
> I am interested in doing this for I2P Android and Bote, neither of
> which require the NDK to build. If you want another vict^H^H^H^Hperson
> to test the reproducible build process, let me know.
> 
> str4d



Excellent!  If these apps are already in FDroid, then switching to this build
process should be trivial.  Just post the APK releases on a publicly available
website, then add a `Binaries:` tag to the fdroid build recipe.  The build
recipes for f-droid.org are all here:

https://gitlab.com/fdroid/fdroiddata

The tricky part there is that the signing key of the APK will then change from
the FDroid key to yours.  For any app that saves state, like message history,
etc. the only way to switch to an APK with a new key means deleting all the
saved state.

If these apps are not already in f-droid.org, then the key question does not
matter, but it means you'll have to create a build recipe and submit a merge
request on gitlab.  Here's the manual:

https://f-droid.org/manual/fdroid.html

The people on irc://irc.freenode.net/fdroid are also very helpful (sometimes
that even includes me ;).

.hc

>>> while this may sound like a mundane detail, it does provide lots 
>>> of tangible benefits. First, it means that anyone can verify that
>>> the app that they are using is 100% built from the source code,
>>> with nothing else added. That verifies that the app is indeed
>>> 100% free, open source software.
>>>
>>> It also verifies that there have not been any malicious bits of 
>>> code added into the app during the build process. As has been 
>>> demonstrated in the 31c3 Reproducible Builds talk, just flipping 
>>> a single bit is enough to create a usable exploit in an app.
>>>
>>> The F-Droid project is leading the way with its system for 
>>> publishing verified builds. We now have our first full example, 
>>> building upon our previous work with making Lil’ Debi build 
>>> reproducibly. We started with our simple little utility app 
>>> Checkey since it has few moving parts (first get one working, 
>>> then the rest).
>>>
>>> When you download Checkey from f-droid.org, you will get an APK 
>>> that was signed using the official Guardian Project offline 
>>> signing key that was built by f-droid.org. No, we did not give 
>>> them a copy of our key, instead, the fdroid publish process now 
>>> looks for the Binaries: tag in the build recipe. If it sees
>>> that, it downloads that APK, then builds the app from source,
>>> then checks to make sure that they match using a simple diff of
>>> the APK contents and by checking that the signature on the
>>> official APK also validates on the APK that f-droid.org built.
>>>
>>> Now that we have our little Checkey working, we can work towards 
>>> getting all of our apps verifying in the same way, eliminating a 
>>> whole field of exploits that we have to worry about. You can 
>>> follow the progress of this work on the F-Droid wiki
>>> Reproducible Builds page, and learn about a future application of
>>> it on the Verification Server page.
>>>
>>> The next two apps that are in the reproducible pipeline are 
>>> LEAP's Bitmask and our LocationPrivacy.
>>>
>>> .hc -- PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 
>>> 374B BE81 
>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>>>
>>> _______________________________________________
>>> List info: 
>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev To 
>>> unsubscribe, email:  guardian-dev-unsubscribe at lists.mayfirst.org
> 
> 
> _______________________________________________
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To unsubscribe, email:  guardian-dev-unsubscribe at lists.mayfirst.org
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
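The publish step the quoted post describes (rebuild from source, then diff the contents of the official and rebuilt APKs) can be illustrated with the following added example. It is not F-Droid's own code: it compares every zip entry of two APKs except the JAR-signing files under META-INF/ (the only entries expected to differ, since the rebuilt APK is unsigned), and the sample APKs are constructed in memory. The separate step of checking that the official signature also validates on the rebuilt APK is not shown here.

```python
import hashlib
import io
import zipfile


def is_signature_entry(name):
    """True for the JAR-signing files that carry the APK signature.

    These are the only entries allowed to differ between the official,
    signed APK and the unsigned APK rebuilt from source.
    """
    return name.startswith("META-INF/") and name.endswith(
        (".SF", ".RSA", ".DSA", ".EC", "MANIFEST.MF"))


def apk_digests(apk_bytes):
    """Map each non-signature zip entry to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()
                if not is_signature_entry(info.filename)}


def diff_apks(official, rebuilt):
    """Return a sorted list of (entry, reason) for everything that differs.

    An empty list means the rebuild reproduced the official APK.
    """
    a, b = apk_digests(official), apk_digests(rebuilt)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            problems.append((name, "missing from rebuilt APK"))
        elif name not in a:
            problems.append((name, "extra in rebuilt APK"))
        elif a[name] != b[name]:
            problems.append((name, "content differs"))
    return problems


def make_apk(entries):
    """Constructed, minimal APK-like zip for the example (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a signed "official" APK, a faithful rebuild, and a
# rebuild whose classes.dex differs by a single flipped bit.
DEX = b"dex\n035\x00\x01"
OFFICIAL = make_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": DEX,
                     "META-INF/MANIFEST.MF": b"...", "META-INF/CERT.SF": b"...",
                     "META-INF/CERT.RSA": b"\x30\x82"})
REBUILT_OK = make_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": DEX})
REBUILT_BAD = make_apk({"AndroidManifest.xml": b"<manifest/>",
                        "classes.dex": b"dex\n035\x00\x00"})
```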
