Blockstream / green_android

Blockstream Green Wallet for Android
GNU General Public License v3.0

Version 4.0.22 from Google Play is not reproducible #189

Status: closed by Giszmo 10 months ago

Giszmo commented 10 months ago

Description

I tried to reproduce the latest version on Google Play and got these diffs:

Files /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000422/assets/dexopt/baseline.prof and /tmp/fromBuild_com.greenaddress.greenbits_android_wallet_22000422/assets/dexopt/baseline.prof differ
Files /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000422/classes3.dex and /tmp/fromBuild_com.greenaddress.greenbits_android_wallet_22000422/classes3.dex differ
Files /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000422/classes4.dex and /tmp/fromBuild_com.greenaddress.greenbits_android_wallet_22000422/classes4.dex differ
Files /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000422/classes.dex and /tmp/fromBuild_com.greenaddress.greenbits_android_wallet_22000422/classes.dex differ
Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000422/META-INF: GREENADD.RSA
Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000422/META-INF: GREENADD.SF
Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000422/META-INF: MANIFEST.MF

Did something about the way the app is built change? In the dex files I see, for example, certificates that are not in the built version, and that probably scrambles line numbers and results in tens of thousands of differing lines in a diffoscope output.

More details on https://walletscrutiny.com/android/com.greenaddress.greenbits_android_wallet/

What had worked many times before:

  # $wsContainer: the WalletScrutiny build container image; run from the green_android checkout
  podman run -it --volume $PWD:/mnt --rm $wsContainer bash -x -c "chmod 777 /tmp/;
      cd /mnt;
      apt update;
      DEBIAN_FRONTEND=noninteractive apt install -y curl jq openjdk-17-jdk;
      yes | /opt/android-sdk/tools/bin/sdkmanager \"build-tools;34.0.0\";
      ./gradlew -x test clean assembleProductionGoogleRelease"
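For readers who want to check a build the same way, the following is an added example (not Blockstream's or WalletScrutiny's code) of the comparison the diff above reports: two unzipped APK trees compared file by file, with the JAR-signature entries that only the signed Play build carries (META-INF/GREENADD.RSA, GREENADD.SF and MANIFEST.MF in the report) skipped, since those are expected to differ. The directory names and the unzip step are assumptions; the sample trees in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not code from the green_android repository or from
# WalletScrutiny. Compares two extracted APK trees and reports every file
# that differs or is missing on one side, ignoring the signature entries.
#
# Typical use (directory names are an assumption):
#   unzip -q -d /tmp/fromPlay  fromPlay.apk
#   unzip -q -d /tmp/fromBuild <your-build>.apk
#   compare_apk_trees /tmp/fromPlay /tmp/fromBuild

# Entries that legitimately exist only in a signed APK: the JAR signature
# block (*.RSA/*.DSA/*.EC), the signature file (*.SF) and the manifest.
is_signing_file() {
  case "$1" in
    META-INF/*.RSA|META-INF/*.DSA|META-INF/*.EC|META-INF/*.SF|META-INF/MANIFEST.MF) return 0 ;;
    *) return 1 ;;
  esac
}

# List the regular files under a directory as sorted relative paths.
list_tree() {
  (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# compare_apk_trees PLAY_DIR BUILD_DIR
# Prints one line per difference ("differ: PATH", "only in play: PATH",
# "only in build: PATH") and returns the number of differences, capped at
# 255 so it fits an exit status. 0 means reproducible up to the signature.
compare_apk_trees() {
  play="$1"; build="$2"; count=0
  listing=$(mktemp)

  # Everything in the Play APK: changed content or missing from the build.
  list_tree "$play" > "$listing"
  while IFS= read -r path; do
    is_signing_file "$path" && continue
    if [ ! -f "$build/$path" ]; then
      echo "only in play: $path"; count=$((count + 1))
    elif ! cmp -s "$play/$path" "$build/$path"; then
      echo "differ: $path"; count=$((count + 1))
    fi
  done < "$listing"

  # Everything the build has that Play does not.
  list_tree "$build" > "$listing"
  while IFS= read -r path; do
    is_signing_file "$path" && continue
    if [ ! -f "$play/$path" ]; then
      echo "only in build: $path"; count=$((count + 1))
    fi
  done < "$listing"

  rm -f "$listing"
  return $(( count > 255 ? 255 : count ))
}
```

A non-zero count is the list to feed into diffoscope file by file; running it against a tree compared with itself returns 0, which is the sanity check to do first.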

angelix commented 10 months ago

@Giszmo Please check latest commit e38570c7621e7e2a2b3d6a3172669ffdb960650a

Giszmo commented 10 months ago

That commit does not help reproduce 4.0.22 but I see better results in 4.0.23 now.

I see all the secrets were moved into one resource file, app_secrets.txt.

The resulting /res/Re.txt, containing a base64-encoded object with base64-encoded secrets, should be documented though. I took the Re.txt and added

echo \"ewogICJicmVlel9hc...pUTT0iCn0=\" > green/src/main/res/raw/app_secrets.txt;

to my build script, and that gives me one remaining whitespace diff in Re.txt: my Re.txt has a linefeed that yours doesn't. I really don't know what to do with this in terms of reproducibility attestation. Slippery slope ... Can't you provide this blob somehow nicer, in the BUILD.md, for reproducibility only? Anybody maliciously stealing your API keys can already do so, and with them in the documentation nobody would accidentally use them for clones.
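The one-byte diff described in the comment above is the kind that `echo` produces: it appends a linefeed that the original resource does not end with. The following is an added example (not code from the Green repository) of writing such a single-line raw resource byte-exactly and of checking for the trailing linefeed before comparing. The blob used here is a constructed placeholder (base64 of `{"k":"v"}`), not a real Blockstream key blob, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the green_android repository. Shows why
# `echo "$blob" > file` and a file without a trailing newline differ by
# one byte, and how to write the resource so that they do not.

# ends_with_newline FILE: succeeds if the last byte of FILE is LF (0x0a).
# Used to spot the whitespace-only diff before reaching for diffoscope.
ends_with_newline() {
  [ -s "$1" ] && [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# write_raw_resource BLOB FILE: refuse anything that is not a base64 string
# (a wrong paste would otherwise silently become a different resource),
# then write BLOB with printf, which appends nothing; echo would add "\n".
write_raw_resource() {
  blob="$1"; dest="$2"
  printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
  printf '%s' "$blob" > "$dest"
}

# Constructed placeholder blob: base64 of {"k":"v"}, not a real secret.
DEMO_BLOB='eyJrIjoidiJ9'

# Example usage (path is an assumption):
#   write_raw_resource "$DEMO_BLOB" green/src/main/res/raw/app_secrets.txt
#   ends_with_newline green/src/main/res/raw/app_secrets.txt && echo "trailing LF present"
```

When the two Re.txt files still differ, `cmp` reports the offset of the first differing byte; an offset one past the shorter file's length together with a positive `ends_with_newline` on the longer one is exactly the linefeed case.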

angelix commented 10 months ago

@Giszmo Added a gradle task to help with this. Please use ./gradlew useBlockstreamKeys next time before building.