Allow for Reproducible Builds

[ghost]

Hello,

it would be great if you could allow Android users to run reproducible builds to verify that the version downloaded from Google Play is 100% equivalent to the source code here on Github.

Here is an example how the Signal App does this via docker: https://github.com/signalapp/Signal-Android/blob/master/ReproducibleBuilds.md

Thanks, Marc

---

Internal Tracking ID: EXPOSUREAPP-2891

[tkowark]

Thank you very much for your suggestion! We'll let the development team know and move this issue to the android app repository as soon as it is published.

[BilalReffas]

Thanks for open this up @hirschnase and thanks SAP&Telekom for making this OpenSource 👍

I'm pretty sure the iOS community is embracing reproducible builds as well. This link might be worth looking, to check how Telegram is doing it for Android&iOS.

So maybe you can add the app iOS label as well @tkowark

[harmathy]

Have a look at the documentation, how F-Droid handles reproducible builds: https://f-droid.org/en/docs/Reproducible_Builds/

There is also a translation into German: https://f-droid.org/de/docs/Reproducible_Builds/

[allo-]

Reproducible builds will probably be an essential feature for an open source app.

When having open source community builds (see corona-warn-app/cwa-documentation#5), the app usually is signed by the maintainer's key, as the maintainer does not have (and should not have) the developer's key.

Google announced to only allow one app per country. This will probably boil down to allowing access based on the developer's signature and prevent any community builds.

But when the app can be built reproducible, the community can build the app and get an identitic binary. For this binary the signature will still match and the community is sure that the official binary (that is the same as the community binary) is built from the same source code and be able to trust the official binaries more.

This does of course not solve issues like community builds that want to remove trackers (like crashlytics, firebase analytics, etc.), but that's nothing you can solve, but a problem with Google's rule only to allow one app.

[jellelicht]

Because of "Reflections on Trusting Trust", you also need to have a reproducible compiler, and that compiler should have been compiled reproducibly as well. Downloading some binary compiler from the Internet only gives you the same bytes, not any certainty that nothing shady is going on.

Nix/Guix might be tools that help deal with these issues

[allo-]

@jellelicht I think this is out of scope here. I would not suspect that the person who uploads some app has manipulated my compiler.

Reflections on trusting trust is about trusting a compiler itself when you distrust the person who built the initial compiler binary. That scenario would only matter, when the author of the app was the author of the compiler that you're using as well.

And we're here not talking about a secret agency infiltrating your whole OS, but about people wanting to verify the binary before including it into an app catalog for apps that were built from source.

[jellelicht]

@allo I'm fairly certain that's a bit handwavy, especially if there is no proper risk model.

I agree that going that far seems out of scope for now though.

[jellelicht]

And to clarify: The author of the app would only need to meddle with any of the compilers leading to the compiler you currently use. That is the core argument of the paper, and makes me look ever so slightly less paranoid for bringing it up in the first place

[cfritzsche]

Thank you very much for your suggestion! We'll let the development team know and move this issue to the android app repository as soon as it is published.

Hi @tkowark, you mentioned above this issue will be moved. As it was discussed a lot in other issues here or on social media, I wanted to clarify the status.

I also found one example how to do it with Maven, although I am not an app developer at all. https://t.co/YLJusFoqIO

[tkowark]

As this issue was initially only targeted at reproducible builds for Android, I initially wanted to move it to that repo.

In the meantime, we also got similar requests for iOS and therefore, we decided to keep the issue centrally in the documentation repository since it applies to both apps and reproducibility in general. We'll let you know here, centrally, once we have any updates on that matter.

[h01ger]

On Mon, Jun 15, 2020 at 11:14:55AM -0700, Christoph Fritzsche wrote:

I also found one example how to do it with Maven, although I am not an app developer at all. https://t.co/YLJusFoqIO

if https://zlika.github.io/reproducible-build-maven-plugin/ doesn't give you sufficient information, feel free to come around either at rb-general@lists.reproducible-builds.org or also on irc on #reproducible-builds on irc.oftc.net.

I'm very much looking forward to personally verify the corona app shipped is the one built from the sources it's being said to be built from! ;)

I'm also willing to help if+where I can.

-- cheers, Holger

---

           holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[dlogicman]

Another approach that may be helpful in this context is Gitian (https://gitian.org/). It was developed for Bitcoin to produce deterministic builds. I do not know if this is applicable for Android and iOS builds though.

[Giszmo]

I'm working on monitoring wallet apps for Android in an automated fashion and would like to extend it to corona apps as there appears to be more demand than for Bitcoin wallets for reasons I don't fully understand.

Anyway, what I have so far:

• An Android app that monitors updates and gets triggered by reproducible apps (hand selected 6 Bitcoin wallets out of 155 analyzed apps which almost all were not open source or reproducible).
• App update gets hashed.
• Hash gets sent to the server.
• If server doesn't know that hash, app update gets sent to server.

I have to manually run this test script on the files and as no app provider committed to not break my scripts so far, it often requires changes in the test script to get to a result like:

Results for 
appId:          de.schildbach.wallet
apkVersionName: 8.02
apkVersionCode: 802
apkHash:        f01e4028778bc2036902af2253522b7de0eb40ca3bff50f51a8c0918737fd6b4

Diff:
Files /tmp/fromPlay_de.schildbach.wallet_802/apktool.yml and /tmp/fromBuild_de.schildbach.wallet_802/apktool.yml differ
Only in /tmp/fromPlay_de.schildbach.wallet_802/original/META-INF: BITCOIN-.RSA
Only in /tmp/fromPlay_de.schildbach.wallet_802/original/META-INF: BITCOIN-.SF
Files /tmp/fromPlay_de.schildbach.wallet_802/original/META-INF/MANIFEST.MF and /tmp/fromBuild_de.schildbach.wallet_802/original/META-INF/MANIFEST.MF differ

which I then publish on this website.

Now my focus are Bitcoin Wallets but I released almost all as open source, so if the findings are interesting but somebody else wants to step up and run a coronascrutiny service, that would also be an option. I just hope there are synergies. I would also be very interested in adding it to the same site.

Currently the biggest hurdle is probably to get the binary updates for iPhone in a comparable way as I hope to soon collect the Android updates: On user devices as they happen. The problem is that those marketplaces can release different apps to people depending on device, language, country, ... and basically could even release a modified version to named individuals (not that Google would need a Corona app to spy on you).

On using the test script, read the readme. It's easy.

[ligi]

The swiss covid app allows for reproducible builds now: https://github.com/DP-3T/dp3t-app-android-ch/blob/master/REPRODUCIBLE_BUILDS.md

[h01ger]

The swiss covid app allows for reproducible builds now: https://github.com/DP-3T/dp3t-app-android-ch/blob/master/REPRODUCIBLE_BUILDS.md

wow, very neat. the instructions are also pretty clear and short and feature downloading the apk with adb from the phone and comparing that with the rebuild. really very cool! hoping we'll get that for the german corona app as well!

[treysis]

Any news on this?

[daniel-nth]

Is there any ETA for this? It's the one thing preventing me from installing the app.

[akuckartz]

If the Swiss App supports reproducible builds, why doesn't this one?

[corneliusroemer]

Because government doesn't care/pay for it? Didn't know that people would care and doesn't change mind if they have realised?

The maintainers of this repo aren't typical open source maintainers. They are only really accountable to their gov client not the users/dev community. Hence, if it doesn't matter to gov it won't happen. Unfortunately, the end client, i.e. gov, doesn't take part in discussions here.

And gov will never authorise anyone to issue opinionated statements on here. So it's a dead end. Maintainers say out of scope, talk to gov and gov doesn't respond (too busy fighting pandemic!). Just look at country app stores. Turkey, US, India, Russia, Israel etc are still not included despite significant pressure on GitHub, Twitter and media.

On Thu, 9 Jul 2020, 22:28 Andreas Kuckartz, notifications@github.com wrote:

If the Swiss App supports reproducible builds, why doesn't this one?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/corona-warn-app/cwa-documentation/issues/14#issuecomment-656335022, or unsubscribe https://github.com/notifications/unsubscribe-auth/AF77AQOOA34KXQRA6I7OBS3R2YR6JANCNFSM4M7XMWJA .

[cfritzsche]

While what your saying is not wrong, @corneliusroemer, there is a trivial additional/alternative explanation: Priorities. If you check the backlog repo, interoperability, time-to-warning and UX improvements are being worked on. Doing that before the reproducible build is understandable to me.

Also from the RKI perspective, getting some more information on symptom onset or opportunistic scanning in crowds would be more important.

Furthermore, in the release press conference, the top SAP executive indicated this reproducible build topic is important for him. So don’t discount it as dead yet either.

[rugk]

(Cross-link) Reproducible builds would also be very useful for a release on F-Droid, which now technically makes sense. For more information, see the issue https://github.com/corona-warn-app/cwa-app-android/issues/1483.

[hrehfeld]

So I hope I'm not missing anything, but:

How is this not a high-priority item and hasn't been touched for months? If you don't see the benefits, here's an introductory talk: Reproducible Builds - Moving Beyond Single Points of Failure for Software Distribution

https://github.com/corona-warn-app/cwa-app-android/issues/1483 has the in-progress tag, but last comment hinting on any progress is already almost a month old and sounds like basic library implementation more related to f-droid builds (which are important as well!).

I don't know how to interpret the reluctance to implement this. This is a serious issue. Please address it as soon as possible.

[dsarkar]

Hi @hirschnase, @hrehfeld, @rugk, community, please see https://github.com/corona-warn-app/cwa-app-android/issues/1483#issuecomment-734155537. Thanks.

Best wishes, DS

---

Corona-Warn-App Open Source Team

[rugk]

Here we have a FOI request (freedom of information; IFG – Informationsfreiheitsanfrage) on FragDenStaat about this issue: https://fragdenstaat.de/anfrage/sap-cwa-jira-tickets-zu-den-themen-f-droid-vollkommen-quelloffener-software-und-reproduzierbare-builds-corona-warn-app/ Feel free to follow, it asks for some internal Jira tickets about this topic (this issue here)/reproducible builds/F-Droid etc.

[fynngodau]

Cross-posting from https://github.com/corona-warn-app/cwa-app-android/issues/1483#issuecomment-841271723:

• CCTG has been built reproducibly since the very beginning. This can be verified by following https://codeberg.org/corona-contact-tracing-germany/cwa-android/src/branch/main/docs/rebuilding.md.
• https://github.com/corona-warn-app/cwa-app-android/pull/2800 was merged into the Android app, which should make it reproducible as-is.
• Due to the proprietary closed-source components from Google that this app bundles, this is only of limited use.