Please provide verifiability of released builds #14
Comments
This would be extremely helpful, especially given that I would be keen to push a few PRs to make this software more useful for the scenario where someone has an existing seed from a hardware wallet and wants to use this as a means to recover access if they are in a hurry (rather than just punching the seed straight into a hot software wallet).
Build instructions for reproducible build testing of the latest 1.5.5 version are:

```bash
#!/bin/bash
# Abort on the first failing command, so a failed checksum check stops the build.
set -e
# Pinned Node.js toolchain, verified against its published SHA-256 and unpacked into the working directory.
wget https://nodejs.org/download/release/v10.15.1/node-v10.15.1-linux-x64.tar.gz
echo "ca1dfa9790876409c8d9ecab7b4cdb93e3276cedfc64d56ef1a4ff1778a40214  node-v10.15.1-linux-x64.tar.gz" | sha256sum -c
tar -xf node-v10.15.1-linux-x64.tar.gz --strip-components=1
export PATH="$PWD/bin:$PATH"   # added so the build picks up the node binary just unpacked
# src/config/secrets.js is not in the repository; fill it with placeholder values so the app compiles.
echo -e "export const p2pCommonSecret = 'My(NV2zx2Q6hx{ayB#';\nexport const encryptPrivateSalt = 'g;ECr7q(yJ7%V3uw';\nexport const pinSecret = 'E3gRX*TTJbryQzH%*e98';\nexport const sweepEncryptSecret = 'a3Lc2H4W;R+&,hrQEspxT7EY';\nexport const sweepStoreSecret = ';p%YV6Crj\$D(h43syFQJio9g';" > ./src/config/secrets.js
# Assumes the project's dependencies are already installed in ./node_modules; replace graceful-fs with a fresh upstream checkout.
rm -rf ./node_modules/graceful-fs/
git clone --depth 1 https://github.com/isaacs/node-graceful-fs ./node_modules/graceful-fs/
# Replace the React Native CLI environment setup script with a no-op.
printf '#!/bin/sh\n/bin/true\n' > ./node_modules/@react-native-community/cli/setup_env.sh
cd ./android/
# Drop the lookup of the vendor keystore password and sign the build with a throwaway key instead.
sed -i 's/getPassword("android_keystore")/""/g' ./app/build.gradle
keytool -genkey -alias coinid_alias -keystore app/coinid.pfx -storetype PKCS12 -keyalg RSA -keysize 4096 -storepass coinid_alias -keypass coinid_alias -validity 10000 -dname CN=IL
printf '\nCOINID_RELEASE_STORE_FILE=coinid.pfx\nCOINID_RELEASE_STORE_PASSWORD=coinid_alias\nCOINID_RELEASE_KEY_PASSWORD=coinid_alias\nCOINID_RELEASE_KEY_ALIAS=coinid_alias\n\n' >> gradle.properties
./gradlew assembleRelease
```
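After `./gradlew assembleRelease`, the remaining step of such a check is comparing the locally built APK with the one distributed via Google Play. The following is an added example, not code from this issue or the CoinID project: it ignores the APK v1 signature entries (which necessarily differ, since the release is signed with the vendor's key) and reports every other entry that is missing or differs; `make_apk` only constructs sample zips for testing.

```python
"""Compare an APK built from source against a distributed APK.
Added example (not code from this issue or the CoinID project): two APKs
built from the same source always differ in their signature files, so the
comparison skips APK v1 signature entries under META-INF/ and reports
every other entry whose content differs.
"""
import hashlib
import io
import zipfile

# v1 signature entries legitimately differ between a local build and a
# release signed with the vendor key (v2/v3 signing blocks are not zip
# entries, so zipfile never sees them).
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_NAMES = ("META-INF/MANIFEST.MF",)

def _is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and (
        name.endswith(SIGNATURE_SUFFIXES) or name in SIGNATURE_NAMES)

def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or _is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(built: bytes, released: bytes) -> dict:
    """Report entries missing on either side and entries whose bytes differ."""
    a, b = entry_digests(built), entry_digests(released)
    return {"only_built": sorted(set(a) - set(b)),
            "only_released": sorted(set(b) - set(a)),
            "differ": sorted(n for n in set(a) & set(b) if a[n] != b[n])}

def is_reproducible(built: bytes, released: bytes) -> bool:
    """True only when every non-signature entry is byte-identical."""
    return not any(compare_apks(built, released).values())

def make_apk(entries: dict) -> bytes:
    """Build a minimal APK-like zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

A non-empty `differ` list for `classes.dex` or a resource file is the signal that the shipped binary was not produced from the published source as built here.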
@emanuelb This might be an acceptable approach for a one-off investigation of an apk, but not for ongoing monitoring of new releases. I still hope for build instructions that can be automated and result in what they distribute via Google Play.
The concept of vault+wallet is intriguing but not without potential to lose/steal funds. The wallet could use a weak source of entropy or leak information through poor signing algorithms. Therefore it matters that the app is getting audited and a first step for audits to make sense is that the version released matches the version on GitHub. Read more on the subject of reproducible builds at https://reproducible-builds.org/.
I run WalletScrutiny, a project that monitors wallet apps for reproducibility, and my analysis of this app can be found here. My current road block is the lack of build instructions.