Closed D0han closed 4 years ago
We tag each release with appropriate version name.
I added description about this process: https://github.com/ProteGO-app/specs/pull/61
Close or comment pls.
Just tagging the source is not addressing this issue. How can I check and be confident that the released app in front of me was created from exactly the code I saw in the repo?
@D0han You will have to download the binary file from the App Store / Google Play and compare with what you built locally. That's the only way I believe.
Can we have a fully transparent and automated process of build and release? Such that all interested people can see when, where and how it was built, and exactly this build artifact is then pushed to Apple/Google.
Great idea with the transparent build/submission process @D0han. I also added a comment that the tags should be "annotated" rather than "lightweight" tags, and best if they are GPG signed: https://github.com/ProteGO-app/specs/pull/61#issuecomment-609389069
this issue has been inactive for a longer time and will be automatically closed
I strongly disagree. This is not resolved in any way.
Yep. Fully agree with @D0han. It's not yet published. I know the intention was CI + automated publishing - but it's not yet public/verified/audited. It should be re-opened in my opinion.
Sorry, my mistake. I am reopening this issue.
Users will have to wait to get a simple way of doing this for iOS. It's not feasible for Android either from a security standpoint, as there is no way to download the binary format from a verified source, which for this case would be the official Play Store.
For the aforementioned reasons I close this issue.
Users need a simple way to check from what source exactly a given app was built.
It has to be transparent that no version of the app modified with non-disclosed code is suddenly pushed to the production env. This regards all elements of the ProteGO system.