Blockstream / green_android

Blockstream Green Wallet for Android
GNU General Public License v3.0
198 stars 82 forks source link

Reproducibility of 4.0.35 #226

Closed xrviv closed 6 days ago

xrviv commented 1 month ago

Description

===== Begin Results ===== appId: com.greenaddress.greenbits_android_wallet signer: 32f9cc00b13fbeace51e2fb51df482044e42ad34a9bd912f179fedb16a42970e apkVersionName: 4.0.35 apkVersionCode: 22000435 verdict:
appHash: 08ab955932047f871c1ad8bae33db6a497c3b93f86a5f99cb77d6cf83f7e61f9 commit: 9d73b71e660ad67c5f29cba10a6775cb89faedb2

Diff: Files /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/assets/dexopt/baseline.prof and /tmp/fromBuild_com.greenaddress.greenbits_android_wallet_22000435/assets/dexopt/baseline.prof differ Files /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/classes.dex and /tmp/fromBuild_com.greenaddress.greenbits_android_wallet_22000435/classes.dex differ Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/META-INF: GREENADD.RSA Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/META-INF: GREENADD.SF Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/META-INF: MANIFEST.MF

Revision, tag (and its signature): object 9d73b71e660ad67c5f29cba10a6775cb89faedb2 type commit tag release_4.0.35 tagger Angelos Veglektsis angelos@aveworks.com 1727701772 +0300 ===== End Results =====

Version

4.0.35

Steps to reproduce

Run WalletScrutiny.com's test.sh script on the Blockstream Green apk, we extracted from the phone.

Expected behaviour

The results should come out as reproducible, with only signing related diffs.

Actual behaviour

There are diffs on 2 files apart from the signing differences:

Screenshots

None.

Device or machine

WalletScrutiny Build Server: Debian GNU/Linux 12 (bookworm)

Additional info

nosbin.com paste of diffoscope result

angelix commented 1 month ago

Did you try running ./gradlew uBK before building? Please try again with that.

xrviv commented 1 month ago

Hi, thank you for the response!

I will now try to do this!

Update

I assume uBK stands for "useBlockstreamKeys", so I first try without removing the line:

./gradlew useBlockstreamKeys

#!/bin/bash

repo=https://github.com/Blockstream/green_android/
tag=release_$versionName
builtApk="$workDir/app/green/build/outputs/apk/productionGoogle/release/BlockstreamGreen-v${versionName}-productionGoogle-release-unsigned.apk"

test() {
  podman run -it --volume $PWD:/mnt --rm $wsContainer bash -x -c "chmod 777 /tmp/;
      cd /mnt;
      apt update;
      DEBIAN_FRONTEND=noninteractive apt install -y curl jq openjdk-17-jdk;
      yes | /opt/android-sdk/tools/bin/sdkmanager \"build-tools;34.0.0\";
      ./gradlew useBlockstreamKeys;
      ./gradlew uBK;
      ./gradlew -x test clean assembleProductionGoogleRelease;
      $takeUserActionCommand"
}

This was the result:

https://asciinema.org/a/679300

===== Begin Results =====
appId:          com.greenaddress.greenbits_android_wallet
signer:         32f9cc00b13fbeace51e2fb51df482044e42ad34a9bd912f179fedb16a42970e
apkVersionName: 4.0.35
apkVersionCode: 22000435
verdict:        
appHash:        08ab955932047f871c1ad8bae33db6a497c3b93f86a5f99cb77d6cf83f7e61f9
commit:         9d73b71e660ad67c5f29cba10a6775cb89faedb2

Diff:
Files /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/assets/dexopt/baseline.prof and /tmp/fromBuild_com.greenaddress.greenbits_android_wallet_22000435/assets/dexopt/baseline.prof differ
Files /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/classes.dex and /tmp/fromBuild_com.greenaddress.greenbits_android_wallet_22000435/classes.dex differ
Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/META-INF: GREENADD.RSA
Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/META-INF: GREENADD.SF
Only in /tmp/fromPlay_com.greenaddress.greenbits_android_wallet_22000435/META-INF: MANIFEST.MF

Revision, tag (and its signature):
object 9d73b71e660ad67c5f29cba10a6775cb89faedb2
type commit
tag release_4.0.35
tagger Angelos Veglektsis <angelos@aveworks.com> 1727701772 +0300
===== End Results =====

The full results: nosbin.com

UPDATE: 2024-10-07 18:06 PHT

Note I also tried removing ./gradlew useBlockstreamKeys

#!/bin/bash

repo=https://github.com/Blockstream/green_android/
tag=release_$versionName
builtApk="$workDir/app/green/build/outputs/apk/productionGoogle/release/BlockstreamGreen-v${versionName}-productionGoogle-release-unsigned.apk"

test() {
  podman run -it --volume $PWD:/mnt --rm $wsContainer bash -x -c "chmod 777 /tmp/;
      cd /mnt;
      apt update;
      DEBIAN_FRONTEND=noninteractive apt install -y curl jq openjdk-17-jdk;
      yes | /opt/android-sdk/tools/bin/sdkmanager \"build-tools;34.0.0\";
      ./gradlew uBK;
      ./gradlew -x test clean assembleProductionGoogleRelease;
      $takeUserActionCommand"
}

And also building semi-manually, the results are the same.

Giszmo commented 1 month ago

Hi. I also gave it a try with our test script and got the same result.

We use uBK since January:

      ./gradlew useBlockstreamKeys;
      ./gradlew -x test clean assembleProductionGoogleRelease;

The culprit must be something else. The diffoscope looks benign except for the baseline profile being a huge binary blob diff which I don't feel qualified to call benign. The other diffs look like a mere ordering issue:

│ ├── classes.jar
│ │ ├── zipinfo -v {}
│ │ │ @@ -225608,15 +225608,15 @@
│ │ │    version of encoding software:                   2.0
│ │ │    minimum file system compatibility required:     MS-DOS, OS/2 or NT FAT
│ │ │    minimum software version required to extract:   2.0
│ │ │    compression method:                             none (stored)
│ │ │    file security status:                           not encrypted
│ │ │    extended local header:                          no
│ │ │    file last modified on (DOS date/time):          1980 Jan 1 00:00:00
│ │ │ -  32-bit CRC value (hex):                         e1bfb899
│ │ │ +  32-bit CRC value (hex):                         3218f218
│ │ │    compressed size:                                2551 bytes
│ │ │    uncompressed size:                              2551 bytes
│ │ │    length of filename:                             77 characters
│ │ │    length of extra field:                          0 bytes
│ │ │    length of file comment:                         0 characters
│ │ │    disk number on which file begins:               disk 1
│ │ │    apparent file type:                             binary
│ │ ├── blockstream_green/common/generated/resources/ActualResourceCollectorsKt.class
│ │ │ ├── procyon -ec {}
│ │ │ │ @@ -45,18 +45,18 @@
│ │ │ │          final LinkedHashMap linkedHashMap = new LinkedHashMap();
│ │ │ │          Array0_commonMainKt._collectCommonMainArray0Resources((Map)linkedHashMap);
│ │ │ │          return linkedHashMap;
│ │ │ │      }
│ │ │ │      
│ │ │ │      private static final Map allStringResources_delegate$lambda$1() {
│ │ │ │          final LinkedHashMap linkedHashMap = new LinkedHashMap();
│ │ │ │ -        String3_commonMainKt._collectCommonMainString3Resources((Map)linkedHashMap);
│ │ │ │ +        String0_commonMainKt._collectCommonMainString0Resources((Map)linkedHashMap);
│ │ │ │          String1_commonMainKt._collectCommonMainString1Resources((Map)linkedHashMap);
│ │ │ │          String2_commonMainKt._collectCommonMainString2Resources((Map)linkedHashMap);
│ │ │ │ -        String0_commonMainKt._collectCommonMainString0Resources((Map)linkedHashMap);
│ │ │ │ +        String3_commonMainKt._collectCommonMainString3Resources((Map)linkedHashMap);
│ │ │ │          return linkedHashMap;
│ │ │ │      }
│ │ │ │      
│ │ │ │      public static final Map getAllStringResources(final Res res) {
│ │ │ │          Intrinsics.checkNotNullParameter((Object)res, "<this>");
│ │ │ │          return (Map)ActualResourceCollectorsKt.allStringResources$delegate.getValue();
│ │ │ │      }

and

├── smali/blockstream_green/common/generated/resources/ActualResourceCollectorsKt.smali
│┄ Ordering differences only
│ @@ -348,30 +348,30 @@
│      .line 2
│      .line 3
│      invoke-direct {v0}, Ljava/util/LinkedHashMap;-><init>()V
│  
│      .line 4
│      .line 5
│      .line 6
│ -    invoke-static {v0}, Lblockstream_green/common/generated/resources/String3_commonMainKt;->_collectCommonMainString3Resources(Ljava/util/Map;)V
│ +    invoke-static {v0}, Lblockstream_green/common/generated/resources/String0_commonMainKt;->_collectCommonMainString0Resources(Ljava/util/Map;)V
│  
│      .line 7
│      .line 8
│      .line 9
│      invoke-static {v0}, Lblockstream_green/common/generated/resources/String1_commonMainKt;->_collectCommonMainString1Resources(Ljava/util/Map;)V
│  
│      .line 10
│      .line 11
│      .line 12
│      invoke-static {v0}, Lblockstream_green/common/generated/resources/String2_commonMainKt;->_collectCommonMainString2Resources(Ljava/util/Map;)V
│  
│      .line 13
│      .line 14
│      .line 15
│ -    invoke-static {v0}, Lblockstream_green/common/generated/resources/String0_commonMainKt;->_collectCommonMainString0Resources(Ljava/util/Map;)V
│ +    invoke-static {v0}, Lblockstream_green/common/generated/resources/String3_commonMainKt;->_collectCommonMainString3Resources(Ljava/util/Map;)V
│  
│      .line 16
│      .line 17
│      .line 18
│      return-object v0
│      .line 19
│      .line 20
xrviv commented 6 days ago

Closing this as new version 4.0.37 is now reproducible.