Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please provide verifiability of released builds #14

Open
Giszmo opened this issue Apr 7, 2020 · 3 comments
Open

Please provide verifiability of released builds #14

Giszmo opened this issue Apr 7, 2020 · 3 comments

Comments

@Giszmo
Copy link

Giszmo commented Apr 7, 2020

The concept of vault+wallet is intriguing but not without potential to lose/steal funds. The wallet could use a weak source of entropy or leak information through poor signing algorithms. Therefore it matters that the app is getting audited and a first step for audits to make sense is that the version released matches the version on GitHub. Read more on the subject of reproducible builds at https://reproducible-builds.org/.

I run WalletScrutiny, a project that monitors wallet apps for reproducibility and my analysis of this app can be found here. My current road block is lack of build instructions.

@3rdIteration
Copy link

This would be extremely helpful, especially given that I would be keen to push a few PRs to make this software more useful for the scenario that someone has an existing seed from a hardware wallet and wants to use this as a means to recover access if they are in a hurry. (Rather than just punching the seed straight into a hot software wallet)

@emanuelb
Copy link

Build instructions for reproducible build testing of latest 1.5.5 version are:

  1. clone the repo and checkout tag v1.5.5
  2. install node (the version leak in result which is version 10.15.1) so exact version can be installed via nvm or like:
wget https://nodejs.org/download/release/v10.15.1/node-v10.15.1-linux-x64.tar.gz;
echo "ca1dfa9790876409c8d9ecab7b4cdb93e3276cedfc64d56ef1a4ff1778a40214  node-v10.15.1-linux-x64.tar.gz" | sha256sum -c;
tar -xf node-v10.15.1-linux-x64.tar.gz --strip-components=1;
  1. create the correct secret values (take them from apk of the version in index.android.bundle file) for example with:
echo -e "export const p2pCommonSecret = 'My(NV2zx2Q6hx{ayB#';\nexport const encryptPrivateSalt = 'g;ECr7q(yJ7%V3uw';\nexport const pinSecret = 'E3gRX*TTJbryQzH%*e98';\nexport const sweepEncryptSecret = 'a3Lc2H4W;R+&,hrQEspxT7EY';\nexport const sweepStoreSecret = ';p%YV6Crj\$D(h43syFQJio9g';" > ./src/config/secrets.js;
  1. install packages via: yarn install --frozen-lockfile
  2. fix graceful error by downloading it from git:
    rm -rf ./node_modules/graceful-fs/;
    git clone --depth 1 https://github.com/isaacs/node-graceful-fs ./node_modules/graceful-fs/ ;
  1. if no bash installed, install it or run:
    printf "#!/bin/sh\n/bin/true" > ./node_modules/@react-native-community/cli/setup_env.sh;
  1. Run to compile the app:
cd ./android/;
sed -i 's/getPassword("android_keystore")/""/g' ./app/build.gradle;
keytool -genkey -alias coinid_alias -keystore app/coinid.pfx -storetype PKCS12 -keyalg RSA -keysize 4096 -storepass coinid_alias -keypass coinid_alias -validity 10000 -dname CN=IL;
printf "\nCOINID_RELEASE_STORE_FILE=coinid.pfx\nCOINID_RELEASE_STORE_PASSWORD=coinid_alias\nCOINID_RELEASE_KEY_PASSWORD=coinid_alias\nCOINID_RELEASE_KEY_ALIAS=coinid_alias\n\n" >> gradle.properties;
./gradlew assembleRelease

@Giszmo
Copy link
Author

Giszmo commented May 16, 2021

@emanuelb This might be an acceptable approach for a one-off investigation of an apk but not for an ongoing monitoring of new releases. I still hope for build instructions that can be automated and result in what they distribute via Google Play.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants