beemdevelopment / Aegis

A free, secure and open source app for Android to manage your 2-step verification tokens.
https://getaegis.app
GNU General Public License v3.0

Verifiable builds? #1244

Open AmirGamilDev opened 9 months ago

AmirGamilDev commented 9 months ago

Hello.

Excellent initiative.

Is there a way to verify that the build on the play store is produced from the code in this repo (a la Signal private messenger)? The verification in the readme suggests that the certificate used for signing is the same but is this the same thing as the build being the same? Perhaps I'm missing something?

alexbakker commented 9 months ago

The section in the README you're referring to explains how you can verify that Aegis APKs were signed by us. Reproducible builds are something completely different and we don't support that currently.

AmirGamilDev commented 9 months ago

That's what I had understood. Is there a plan to include it on the roadmap? This would greatly increase the trust in the product.

alexbakker commented 8 months ago

Not currently. I'd first like to see a more detailed proposal and perhaps a proof of concept for this. Maintaining reproducible builds can be painful and it'd be good to have a general impression of what the impact on Aegis' build process would be.

AmirGamilDev commented 8 months ago

An excellent example is here: https://github.com/signalapp/Signal-Android/tree/main/reproducible-builds

From the looks of things, I think it could be done with minimal impact to the build process once the work is carried out.

I believe this is truly important to be able to implement a TNO (Trust No One) solution.
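To illustrate the distinction drawn above between "signed with the same certificate" and "built from the same code", and the kind of comparison Signal's reproducible-builds directory performs, here is an added example (not code from the Aegis project, from Signal, or from either commenter) that compares the non-signature entries of two APKs; the sample APKs are constructed in memory.

```python
import hashlib
import io
import zipfile

# Entries that legitimately differ between a locally built APK and the store's
# signed copy even when the build is reproducible: the v1 signing files in META-INF.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    """True for zip entries that carry the APK's v1 (JAR) signature."""
    return name.startswith(SIGNATURE_PREFIX) and name.endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(local_apk: bytes, store_apk: bytes) -> list:
    """Names of entries whose contents differ or that exist in only one of the APKs.
    An empty list means the two builds are identical apart from signing data."""
    a, b = content_digests(local_apk), content_digests(store_apk)
    return sorted(name for name in a.keys() | b.keys() if a.get(name) != b.get(name))


def make_apk(entries: dict) -> bytes:
    """Build a minimal zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a local unsigned build, a store copy that only adds a
# signature, and a store copy whose compiled code differs.
LOCAL = make_apk({"classes.dex": b"dex-bytes-v1", "AndroidManifest.xml": b"<manifest/>"})
STORE_SAME = make_apk({"classes.dex": b"dex-bytes-v1", "AndroidManifest.xml": b"<manifest/>",
                       "META-INF/CERT.RSA": b"signature", "META-INF/MANIFEST.MF": b"manifest"})
STORE_DIFF = make_apk({"classes.dex": b"dex-bytes-v2", "AndroidManifest.xml": b"<manifest/>",
                       "META-INF/CERT.RSA": b"signature"})

if __name__ == "__main__":
    print(apk_diff(LOCAL, STORE_SAME))  # []
    print(apk_diff(LOCAL, STORE_DIFF))  # ['classes.dex']
```

The APK Signature Scheme v2/v3 block lives outside the zip's entries, so an entry-level comparison skips it automatically; what a real reproducible-build setup additionally has to pin down is the toolchain and build inputs so that the non-signature entries come out byte-identical in the first place.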