Kunzisoft / KeePassDX

Lightweight vault and password manager for Android, KeePassDX allows editing encrypted data in a single file in KeePass format and fill in the forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

Verify rebuild is reproducible #1901

Open freedom-foundation opened 2 weeks ago

freedom-foundation commented 2 weeks ago

Reproducible rebuild needed. I noticed an array of checksumming is done for release assets. Where were these assets built, and can you verify the builds can be reproduced, having the same checksum for the rebuild?

The last version verifiably rebuilt by f-droid was 4.0.5, with the next release failing rebuild verification. The 4.0.5 asset here has a different checksum than f-droid's. If the source code here is the same as the f-droid zip, this may be because of a differing build system. Verifying that your project can build the same output twice (as f-droid has) should be a step forward.

J-Jamet commented 2 hours ago

Where were these assets built, and can you verify the builds can be reproduced, having the same checksum for the rebuild?

Locally with my signature keys, which proves that I'm the one who built them and yes.

The last version verifiably rebuilt by f-droid was 4.0.5, with the next release failing rebuild verification.

I've just checked the F-Droid build, the latest one is version 4.0.8 and works without a hitch. If you don't trust me and trust F-Droid more, just get the F-Droid version and if you don't trust anyone, compile the application from source with your keys. https://f-droid.org/repo/com.kunzisoft.keepass.libre_131.log.gz

freedom-foundation commented 1 hour ago

Sure. However, I welcome you to co-operate: it could make it easier to produce DDC verity builds because you already have a build system in place.

freedom-foundation commented 1 hour ago

The last version verifiably rebuilt by f-droid was 4.0.5, with the next release failing rebuild verification.

I've just checked the F-Droid build, the latest one is version 4.0.8 and works without a hitch.

Again I say 4.0.5 is the last to verify. You may see for yourself on verification.f-droid.org. The following releases did not verify; you will see a diffoscope there. Have you been able to verify those sources which did not verify for f-droid? Seems you do not yet grasp the verity-to-source process.

J-Jamet commented 33 minutes ago

Okay, I understand better what you mean. I don't double-check the hash of the first build against another automatic server build.

Have you been able to verify those sources which did not verify for f-droid?

Which source are you referring to exactly? From what I can see of the 129 diffoscope, it seems that lambda references are changing and method call numbers are being inverted. Maybe the two servers don't have exactly the same compiler versions.
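The thread above compares a developer-built APK against an F-Droid verification build first by whole-file checksum (the 4.0.5 mismatch) and then by diffoscope output (the 129 build, where only `classes.dex` internals moved). The script below is an added example, not code from KeePassDX or F-Droid, showing the intermediate step between those two: a per-entry SHA-256 comparison of two APKs (which are zip archives) that reports which entries differ before reaching for diffoscope. It assumes, as F-Droid's verification does, that entries under `META-INF/` are excluded by default, since two builds signed with different keys can never match there even when the compiled contents are identical; the two archives it compares are constructed in memory for illustration.

```python
import hashlib
import io
import zipfile

# Entries whose content is expected to differ between a developer-signed
# build and an independently signed verification build.
SIGNATURE_PREFIXES = ("META-INF/",)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digests(apk_bytes: bytes) -> dict:
    """Return {entry name: sha256 of the uncompressed content} for a zip/APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: sha256_hex(zf.read(info.filename))
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_builds(apk_a: bytes, apk_b: bytes, ignore_signatures: bool = True) -> dict:
    """Classify every entry of two builds as identical / differs / only_in_a / only_in_b.

    The whole-file digests are reported too, but a mismatch there alone says
    nothing about *where* the builds diverge; the per-entry view does. With
    ignore_signatures set, META-INF/ entries are left out of the verdict.
    """
    da, db = entry_digests(apk_a), entry_digests(apk_b)
    report = {}
    for name in sorted(set(da) | set(db)):
        if ignore_signatures and name.startswith(SIGNATURE_PREFIXES):
            continue
        if name not in db:
            report[name] = "only_in_a"
        elif name not in da:
            report[name] = "only_in_b"
        elif da[name] == db[name]:
            report[name] = "identical"
        else:
            report[name] = "differs"
    return {
        "whole_file_a": sha256_hex(apk_a),
        "whole_file_b": sha256_hex(apk_b),
        "entries": report,
        # Reproducible means every compared entry matches byte for byte.
        "reproducible": bool(report) and all(v == "identical" for v in report.values()),
    }


def make_test_apk(entries: dict) -> bytes:
    """Constructed in-memory zip standing in for an APK (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample pair: identical manifest and resources, a classes.dex
# whose bytes are reordered (the kind of difference a diffoscope shows when
# method references move), and signature files from two different keys.
BUILD_A = make_test_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "resources.arsc": b"RES\x00" * 8,
    "classes.dex": b"dex\n035\x00" + b"\x01\x02\x03",
    "META-INF/CERT.RSA": b"developer-signature",
})
BUILD_B = make_test_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "resources.arsc": b"RES\x00" * 8,
    "classes.dex": b"dex\n035\x00" + b"\x03\x02\x01",
    "META-INF/CERT.RSA": b"verifier-signature",
})

if __name__ == "__main__":
    result = compare_builds(BUILD_A, BUILD_B)
    print("reproducible:", result["reproducible"])
    for name, status in result["entries"].items():
        if status != "identical":
            print(f"  {status:10} {name}")
```

Running it on the constructed pair prints `reproducible: False` with `classes.dex` as the only differing entry, which is exactly the situation to hand to diffoscope; comparing a build against itself, or two builds whose only difference is under `META-INF/`, yields `reproducible: True`.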