[guardian-dev] Complete, reproducible app distribution achieved!

str4d str4d at i2pmail.org
Sat Feb 14 07:29:34 EST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hans-Christoph Steiner wrote:
> 
> 
> str4d:
>> Nathan of Guardian wrote:
>> 
>> 
>>> On Wed, Feb 11, 2015, at 02:53 PM, Hans-Christoph Steiner 
>>> wrote:
>>>> 
>>>> new blog post: 
>>>> https://guardianproject.info/2015/02/11/complete-reproducible-app-distribution-achieved/
>>>>
>>>> With F-Droid, we have been working towards getting a complete app
>>>> distribution channel that is able to reproducibly build each 
>>>> Android app from source.
>> 
>>> This is really fantastic. I can't wait to get Orbot moved 
>>> over.
>> 
>> +1
>> 
>> I am interested in doing this for I2P Android and Bote, neither 
>> of which require the NDK to build. If you want another 
>> vict^H^H^H^Hperson to test the reproducible build process, let
>> me know.
>> 
>> str4d
> 
> 
> 
> Excellent!  If these apps are already in FDroid, then switching to 
> this build process should be trivial.  Just post the APK releases 
> on a publicly available website,

We recently started operating our own F-Droid repository [0] to enable
F-Droid users to use APKs with our signature that would be
interoperable with our other distribution mechanisms (Google Play and
direct website download), so we will probably use this as the binary
source for the main F-Droid repo.

> then add a `Binaries:` tag to the fdroid build recipe.  The build 
> recipes for f-droid.org are all here:
> 
> https://gitlab.com/fdroid/fdroiddata
> 
> The tricky part there is that the signing key of the APK will then 
> change from the FDroid key to yours.  For any app that saves
> state, like message history, etc. the only way to switch to an APK
> with a new key means deleting all the saved state.

I2P Android is already in mainline F-Droid (although it has missed
several updates because we switched to Gradle and our maintainer is
MIA). I will think about whether we want to make this change or not.
It's not a huge issue if we do, as there are only a few places where
saved state might be an issue (which I expect are only used by
advanced users).

> 
> If these apps are not already in f-droid.org, then the key
> question does not matter, but it means you'll have to create a
> build recipe and submit a merge request on gitlab.  Here's the
> manual:
> 
> https://f-droid.org/manual/fdroid.html

I had decided to hold off adding Bote to the main F-Droid repository;
I am glad that I did :) (it *would* have state issues)

> 
> The people on irc://irc.freenode.net/fdroid are also very helpful 
> (sometimes that even includes me ;).

I will probably be in there at some point trying to get fdroidserver
working with Gradle and our esoteric dependency structure :-P

str4d

[0] https://geti2p.net/en/blog/post/2014/12/01/Android-app-releases

> 
> .hc
> 
>>>> While this may sound like a mundane detail, it does provide 
>>>> lots of tangible benefits. First, it means that anyone can 
>>>> verify that the app that they are using is 100% built from 
>>>> the source code, with nothing else added. That verifies that 
>>>> the app is indeed 100% free, open source software.
>>>> 
>>>> It also verifies that there have not been any malicious bits 
>>>> of code added into the app during the build process. As has 
>>>> been demonstrated in the 31c3 Reproducible Builds talk, just 
>>>> flipping a single bit is enough to create a usable exploit
>>>> in an app.
>>>> 
>>>> The F-Droid project is leading the way with its system for 
>>>> publishing verified builds. We now have our first full 
>>>> example, building upon our previous work with making Lil’ 
>>>> Debi build reproducibly. We started with our simple little 
>>>> utility app Checkey since it has few moving parts (first get 
>>>> one working, then the rest).
>>>> 
>>>> When you download Checkey from f-droid.org, you will get an 
>>>> APK that was signed using the official Guardian Project 
>>>> offline signing key that was built by f-droid.org. No, we
>>>> did not give them a copy of our key, instead, the fdroid
>>>> publish process now looks for the Binaries: tag in the build
>>>> recipe. If it sees that, it downloads that APK, then builds
>>>> the app from source, then checks to make sure that they match
>>>> using a simple diff of the APK contents and by checking that
>>>> the signature on the official APK also validates on the APK
>>>> that f-droid.org built.
>>>> 
>>>> Now that we have our little Checkey working, we can work 
>>>> towards getting all of our apps verifying in the same way, 
>>>> eliminating a whole field of exploits that we have to worry 
>>>> about. You can follow the progress of this work on the 
>>>> F-Droid wiki Reproducible Builds page, and learn about a 
>>>> future application of it on the Verification Server page.
>>>> 
>>>> The next two apps that are in the reproducible pipeline are 
>>>> LEAP’s Bitmask and our LocationPrivacy.
>>>> 
>>>> .hc -- PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F 
>>>> E587 374B BE81 
>>>> https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81
>>>>
>>>> _______________________________________________
>>>> List info: 
>>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev To 
>>>> unsubscribe, email: 
>>>> guardian-dev-unsubscribe at lists.mayfirst.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
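
The contents comparison described in the quoted blog post (diff the official APK against the rebuilt one, ignoring the signing data), as an added Python example that is not code from this thread or from fdroidserver. It assumes the APK v1 (JAR) signing layout, treating META-INF/MANIFEST.MF and the .SF/.RSA/.DSA/.EC files as signing data; the sample archives are constructed stand-ins, and the signature-validation half of the check is not shown.

```python
import hashlib
import io
import re
import zipfile

# Assumption: APK v1 (JAR) signing. These META-INF entries hold the signing
# data, so a signed release and an unsigned rebuild legitimately differ here.
SIGNING_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def content_digests(apk_bytes):
    """Map every non-signing entry name to the SHA-256 of its uncompressed data."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNING_ENTRY.match(info.filename):
                continue
            if info.filename in digests:  # duplicate names can hide a second payload
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests

def compare_apks(official, rebuilt):
    """Report entries missing from, extra in, or changed in the rebuilt APK."""
    a, b = content_digests(official), content_digests(rebuilt)
    return {
        "missing": sorted(a.keys() - b.keys()),
        "extra": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def make_apk(entries):
    """Build an in-memory ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples, not real APKs.
BASE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00code"}
SIGNING = {"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s", "META-INF/CERT.RSA": b"r"}
OFFICIAL = make_apk({**BASE, **SIGNING})
REBUILT = make_apk(BASE)
TAMPERED = make_apk({**BASE, "classes.dex": b"dex\n035\x00codf"})  # one byte differs

if __name__ == "__main__":
    print("clean rebuild:", compare_apks(OFFICIAL, REBUILT))
    print("tampered build:", compare_apks(OFFICIAL, TAMPERED))
```

Comparing digests of the uncompressed entries keeps the result independent of compression level and entry order, which can differ between two otherwise identical builds.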

