Closed marqusat closed 2 years ago
champo
commented
2 years ago Hi @marqusat, thanks for reporting this! I'll try to reproduce your results and get back to you on this ASAP.
In the meantime, I have a few questions just to make sure we're on the same page.
marqusat
commented
2 years ago Thanks for the quick reply! Answers:
db pull $(adb shell pm path io.muun.apollo | grep "/base.apk" | sed 's/^package://') apollo-play.apk (BUILD.md instructions) verify-apollo.shDocker version 19.03.15, build 99e3ed8919Not sure if I understand the second question in point 1. Do you mean my Android device? How that could be relevant considering you're not letting google to assemble and sign the apk but upload apk signed with your private key?
champo
commented
2 years ago That question is a bit of a strech 🤷 The changed files are quite odd. We haven't touched most of those files in some time. So I'm trying to understand if there's a possbility the device "optimized" the installed APK after verifying the signature.
I was just able to reproduce the build locally, with a newer version of docker. Can you trying running the build again with https://github.com/muun/apollo/commit/135ddc6a07a47c02959ec280271cd5e7985de9b0 ? It adds a flag when building that has fixed some issues in the past with some versions of docker.
marqusat
commented
2 years ago That output maybe perhaps more useful if you asking to check if the apk is matching what you uploaded to Play Store. Is the public key SHA-356 digest matching your private app signing key?
$apksigner verify --verbose --print-certs apollo-play.apk
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
Signer #1 certificate DN: CN=Patricio, OU=muun, O=muun, L=Buenos Aires, ST=Unknown, C=AR
Signer #1 certificate SHA-256 digest: 026ae0ac859cc32adf2d4e7aa909daf902f40db0b4fe6138358026fd62836ad1
Signer #1 certificate SHA-1 digest: 67f100fe596b4b0e4f40312e41e1e74e4274e615
Signer #1 certificate MD5 digest: a1ba5818239b79235741597e8dbd59ee
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 5c90f8c82d9cb371cc3e1d55fcf1ebafd2661b9e394c6dc6b0882accd98a1dca
Signer #1 public key SHA-1 digest: 089fce8ee59791b7986d80d72b58d1a443714075
Signer #1 public key MD5 digest: 686362c9baafe0eaa4d9f07e71d352f8Actually sha256 will serve the same purpose to check if it's the right apk and will be quicker to check:
$ sha256sum apollo-play.apk
e7504467c314b576f5f0c45eeb135396f4d771f976e886bc9b0e1111f1172ff8 apollo-play.apkif there's a possbility the device "optimized" the installed APK after verifying the signature
I don't think that's done on the level of apk. If the above key/hash match (?) then we will be able to confidently assume that I've got the right apk.
Running with DOCKER_BUILDKIT=1 added.
marqusat
commented
2 years ago Another person here: https://github.com/muun/apollo/issues/30 got the same sha256 of your app signing key.
marqusat
commented
2 years ago Verification success! thanks! I guess that issue should be closed when the buildkit change is merged so keeping it open.
champo
commented
2 years ago Glad that worked!
Thanks for keeping an eye open and helping us be safer for everyone!
I have successfully verified 46.7 running reproducible build on my machine. 46.10 has unfortunatelly badly failed verification. I have double checked I'm verifying against the correct source code commit (e4220f8462183bf2bfdda92356888b28cb29d431) and that downloaded apk is 46.10 (610 versionCode). Many files are not matching what's on Play Store, including library .so and compiled code .dex files: