appditto / natrium_wallet_flutter

Natrium - Fast, Robust & Secure NANO Wallet, now written with Flutter.

Add transparency with automated builds #96

Closed laurijamsa closed 3 years ago

laurijamsa commented 3 years ago

As far as I can see, the apps are built manually and then uploaded to Google Play and App Store. It shouldn't be necessary to trust a single party when using crypto wallets.

Some of the releases seem to have APKs included. But there is no easy (if any) way to check if these APKs have been compiled using the actual sources.

Suggestion: Add more transparency for example by using automated building tools and allow users to download the builds directly from their original source.

bbedward commented 3 years ago

The app is not built manually; the build and app store upload are automated via GitHub Actions:

The latest release (build 74) is this run: https://github.com/appditto/natrium_wallet_flutter/actions/runs/366455268

The previous one (build 73) is this run: https://github.com/appditto/natrium_wallet_flutter/actions/runs/245328185

This goes back for several months, although we used to use GitLab instead of GitHub Actions, but the concept was the same.

The build number specified in pubspec.yaml can only be uploaded to each store once (74 for the last build). When you get the app on your device, there are ways to verify that you have build 74 (although fairly complex for the average user, at least on Android).

So for the last DEPLOY_RELEASE you can verify that the build number was 74 in the source code, and once the app is available on the Play Store and App Store you can verify that the build on your device is the same build, 74. Neither Apple nor Google will allow us to upload a different build with 74 (the next upload has to be 75 or higher).

As for the APK on the releases page, there's not much we can do about that; they're provided for convenience for users who don't have access to the Play Store.
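The check described above, as an added example that is not part of the original thread or of the Natrium project: a POSIX shell script that pulls the build number out of the `version:` line of a Flutter `pubspec.yaml` (the part after `+`, which Flutter writes into the Android `versionCode`) and compares it with the `versionCode` that `adb shell dumpsys package` reports for the installed app. The package id `com.example.wallet`, the sample `pubspec.yaml` text and the sample `dumpsys` output are constructed for illustration and are not the project's real files or real device output; to run it against a device, set `WALLET_PACKAGE` to the app's real package id and have `adb` on the PATH.

```shell
#!/bin/sh
# Added example (not from the issue or the Natrium repo): compare the build
# number declared in pubspec.yaml with the versionCode Android reports for
# the installed app. Package id and sample inputs below are assumptions.

# Read a pubspec.yaml on stdin and print the build number, i.e. the digits
# after '+' in a line such as "version: 2.2.3+74". Prints nothing if absent.
build_number_from_pubspec() {
  sed -n 's/^version:[[:space:]]*[0-9][0-9.]*+\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Read `adb shell dumpsys package <pkg>` output on stdin and print the first
# versionCode=NNN value found. Prints nothing if the package is not installed.
version_code_from_dumpsys() {
  sed -n 's/.*versionCode=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) only when both numbers are present and identical.
# An empty value on either side is treated as a failed check, not a match.
check_build_numbers() {
  expected="$1"
  actual="$2"
  [ -n "$expected" ] && [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Constructed sample inputs standing in for the real pubspec.yaml and for
# real dumpsys output; they exist only so the script runs offline.
SAMPLE_PUBSPEC='name: natrium_wallet_flutter
description: Natrium
version: 2.2.3+74
environment:
  sdk: ">=2.1.0 <3.0.0"'

SAMPLE_DUMPSYS='Packages:
  Package [com.example.wallet] (1a2b3c):
    versionCode=74 minSdk=21 targetSdk=29
    versionName=2.2.3'

# Compare the two sources and report; returns the check's exit status.
report() {
  expected="$1"
  actual="$2"
  if check_build_numbers "$expected" "$actual"; then
    echo "OK: pubspec build number $expected matches installed versionCode $actual"
    return 0
  fi
  echo "MISMATCH: pubspec build number '$expected' vs installed versionCode '$actual'"
  return 1
}

# Stand-alone run: use a real device when adb and a package id are available
# (WALLET_PACKAGE is an assumed environment variable), else the samples.
if [ -n "$WALLET_PACKAGE" ] && command -v adb >/dev/null 2>&1 && [ -f pubspec.yaml ]; then
  expected=$(build_number_from_pubspec < pubspec.yaml)
  actual=$(adb shell dumpsys package "$WALLET_PACKAGE" | version_code_from_dumpsys)
else
  expected=$(printf '%s\n' "$SAMPLE_PUBSPEC" | build_number_from_pubspec)
  actual=$(printf '%s\n' "$SAMPLE_DUMPSYS" | version_code_from_dumpsys)
fi
report "$expected" "$actual" || true
```

This only ties the installed Android build to the build number committed in the source tree at the tagged release; it does not prove the binary was compiled from that source, which is the reproducible-build question the issue raises. The iOS equivalent is the app's `CFBundleVersion`, which this script does not read.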