COINiD / COINiDVault

Cryptocurrency Signer and Vault
MIT License

Please provide verifiability of released builds #14

Open Giszmo opened 4 years ago

Giszmo commented 4 years ago

The concept of vault+wallet is intriguing but not without potential to lose/steal funds. The wallet could use a weak source of entropy or leak information through poor signing algorithms. Therefore it matters that the app is getting audited and a first step for audits to make sense is that the version released matches the version on GitHub. Read more on the subject of reproducible builds at https://reproducible-builds.org/.

I run WalletScrutiny, a project that monitors wallet apps for reproducibility, and my analysis of this app can be found here. My current roadblock is the lack of build instructions.

3rdIteration commented 4 years ago

This would be extremely helpful, especially given that I would be keen to push a few PRs to make this software more useful for the scenario that someone has an existing seed from a hardware wallet and wants to use this as a means to recover access if they are in a hurry. (Rather than just punching the seed straight into a hot software wallet)

emanuelb commented 3 years ago

Build instructions for reproducible build testing of latest 1.5.5 version are:

  1. clone the repo and checkout tag v1.5.5
  2. install node (the version leaks into the result: it is 10.15.1), so the exact version can be installed via nvm or like so:
    wget https://nodejs.org/download/release/v10.15.1/node-v10.15.1-linux-x64.tar.gz;
    echo "ca1dfa9790876409c8d9ecab7b4cdb93e3276cedfc64d56ef1a4ff1778a40214  node-v10.15.1-linux-x64.tar.gz" | sha256sum -c;
    tar -xf node-v10.15.1-linux-x64.tar.gz --strip-components=1;
  3. create the correct secret values (take them from apk of the version in index.android.bundle file) for example with:
    echo -e "export const p2pCommonSecret = 'My(NV2zx2Q6hx{ayB#';\nexport const encryptPrivateSalt = 'g;ECr7q(yJ7%V3uw';\nexport const pinSecret = 'E3gRX*TTJbryQzH%*e98';\nexport const sweepEncryptSecret = 'a3Lc2H4W;R+&,hrQEspxT7EY';\nexport const sweepStoreSecret = ';p%YV6Crj\$D(h43syFQJio9g';" > ./src/config/secrets.js;
  4. install packages via: yarn install --frozen-lockfile
  5. fix the graceful-fs error by downloading it from git:
    rm -rf ./node_modules/graceful-fs/;
    git clone --depth 1 https://github.com/isaacs/node-graceful-fs ./node_modules/graceful-fs/ ;
  6. if no bash installed, install it or run:
    printf "#!/bin/sh\n/bin/true" > ./node_modules/@react-native-community/cli/setup_env.sh;
  7. Run to compile the app:
    cd ./android/;
    sed -i 's/getPassword("android_keystore")/""/g' ./app/build.gradle;
    keytool -genkey -alias coinid_alias -keystore app/coinid.pfx -storetype PKCS12 -keyalg RSA -keysize 4096 -storepass coinid_alias -keypass coinid_alias -validity 10000 -dname CN=IL;
    printf "\nCOINID_RELEASE_STORE_FILE=coinid.pfx\nCOINID_RELEASE_STORE_PASSWORD=coinid_alias\nCOINID_RELEASE_KEY_PASSWORD=coinid_alias\nCOINID_RELEASE_KEY_ALIAS=coinid_alias\n\n" >> gradle.properties;
    ./gradlew assembleRelease
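
The build above yields a locally signed APK; the verification it is meant to enable is a content comparison against the APK that is actually distributed. The following is an added example, not part of this issue or of the COINiD code: it ignores the signing entries under META-INF (which necessarily differ once a throwaway keystore like the one generated above replaces the publisher's key) and reports every other entry that is missing or differs. The two sample APKs are constructed in-memory zips, not real builds.

```python
import hashlib
import io
import zipfile

# The signer writes these entries, so they legitimately differ when the rebuild
# is signed with a throwaway keystore; every other entry must match byte for byte.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "/MANIFEST.MF")

def is_signature_entry(name):
    return name.startswith("META-INF/") and name.endswith(SIGNING_SUFFIXES)

def entry_digests(apk_bytes):
    """Map each non-signature entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and not is_signature_entry(info.filename):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(released, rebuilt):
    """Report entries present on one side only and entries whose content differs."""
    a, b = entry_digests(released), entry_digests(rebuilt)
    return {
        "only_in_released": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "differing": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }

def make_apk(entries):
    """Constructed in-memory APK-like zip, used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: identical manifest and dex, a JS bundle that drifted,
# and two different signing identities (publisher vs. local throwaway key).
COMMON = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
RELEASED = make_apk({**COMMON, "assets/index.android.bundle": b"bundle v1.5.5",
                     "META-INF/MANIFEST.MF": b"Created-By: publisher",
                     "META-INF/CERT.SF": b"sig-publisher", "META-INF/CERT.RSA": b"cert-publisher"})
REBUILT = make_apk({**COMMON, "assets/index.android.bundle": b"bundle v1.5.5 + drift",
                    "META-INF/MANIFEST.MF": b"Created-By: rebuild",
                    "META-INF/COINID_.SF": b"sig-throwaway", "META-INF/COINID_.RSA": b"cert-throwaway"})

if __name__ == "__main__":
    print(compare_apks(RELEASED, REBUILT))  # only the drifted bundle is reported
```

An empty report on all three keys is what a reproducible release looks like; on a real pair of files, read them with `open(path, "rb").read()` in place of the constructed samples.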

Giszmo commented 3 years ago

@emanuelb This might be an acceptable approach for a one-off investigation of an apk but not for an ongoing monitoring of new releases. I still hope for build instructions that can be automated and result in what they distribute via Google Play.