Makes sense! If you’re installing the GitHub APK via Obtainium, verifying that binary is valid for your use case.

WalletScrutiny focuses on trustless verification of Play Store builds — since that’s what most users receive, often without knowing if it matches source. Different threat models, same goal: auditability.

Discussion

I'm just asking about the process bc I'm trying to implement this for zapstore via dvms

👀👀

Keep us updated!

For the methodology, we have several pre-built scripts - that you are free to modify and adapt for your own use.

I'm thinking of whether to give you the new method which includes nostr attestations - which we are still working on, or the minute step-by-step procedure for specific wallets with specific versions.

If the latter, we can try out a test case.

Say app id: de.schildbach aka (Schildbach Bitcoin Wallet)

OLD METHOD:

1. Extract the APK from your phone.

2. Fork, clone locally walletscrutiny. Instructions here: https://gitlab.com/walletscrutiny/walletScrutinyCom

3. Once you've set up your environment and have the apk ready.

4. In the nostr:nprofile1qywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uqsuamnwvaz7tmwdaejumr0dshsz9thwden5te0dehhxarj9ehhsarj9ejx2a30qyghwumn8ghj7mn0wd68ytnhd9hx2tcpremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uqzpytvkhls05a4rnhh76mt0a28nvgqrdqpcr5z2k8wrg39qnra2p7fp72lx8 root directory, run:

`$ ./test.sh -a /path/to/apk/file.apk`

5. The script runs and there's a verdict.

This case is the easiest - for a huge majority of the apps we test, more often than not, the scripts break. So that's the part that takes research and collaboration.

Many projects should have instructions on how to build their app - unfortunately they don't. We file an issue in their repo. If they respond, cool! If not, then we try trial and error until we manage to build it.

Do tell, if you've reached this point.

For the new method...I'll tell you when you finish this.

Thoughts.

Have you used act? Basically lets you run GitHub Actions locally.

My opinion is essentially that no app should actually have to tell you how to build their app (if they care about reproducible builds). nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qgwwaehxw309ahx7uewd3hkctcscpyug I plan to use amethyst as my initial test, do you think I'll have any issues?

Here's my plan:

Hit zapstore for apk or just the hash since it's blossom

Then locally run the pipeline via act and upload to blossom and confirm the hashes are identical.

Once that is confirmed working, do the same thing but via the CICD DVM.

Then lastly do the nostr attestation which I've been discussing with folks on the github (so there might be some decent work to do there to make sure it has all the information I want).

That's basically the POC. If I can get through this, I'd want to work with zapstore to add either:

Badges for apps/versions with reproducible builds

Or

Figure out how to add custom collections that are paywalled with a small zap to be able to pay the DVM bill (example: if I have 10 apps that I'm attesting to, it could cost me like 100,000 SATs to do the reproducible build for each version). Probably ends up requiring a paid relay. Initially I'd probably just fund it myself and see how many zaps I can collect from just running the pipeline 1x/month.

If this ends up proving valuable, then my plan is to implement the fdroid dark pattern stuff (which I recently discovered is actually just manual) as scripts for the DVM stuff. I think this is a way to get the non-bitcoin security focused folks onto nostr, by having MORE features in our app store.

End user ux:

Go to zapstore to download app.

See the following badges/filters:

Reproducible builds (clicking this should take you to the DVM results of that version's reproducible build)

Does(not) use location services

Does(not) depend on non-free services

Does(not) depend on centralized server (? Ex proton VPN vs something like amethyst that lets you run your own server/relay)

Does (not) employ tracking

Etc

Sorry for the long note, but I took my meds today and I'm really fucking stoked about this idea but I'm pretty sure only like 5 people would care.

No worries - I had chatGPT summarize it. :P

Wow, this seems pretty complicated, and I don't consider myself a full-fledged developer just yet. I haven't tried ACT, but I'd be interested in giving it a go; it sounds like it could be helpful. Just to clarify, we mainly use tools like diff and diffoscope instead of SHA256sum, because it's very rare for the SHA-256 checksums of APKs from Google Play to match those of the ones built from source. Also, I'm not very familiar with Zapstore, and I don't know much about DVM either. I'm currently trying to verify the reproducibility of bitcoin core for desktop using GUIX. I'm sure that the devs have done this themselves, but I'm giving it a go.
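An added example (not WalletScrutiny's test.sh nor any poster's code) of the comparison step behind the OLD METHOD above and the diff/diffoscope remark: two whole-file SHA-256 checksums of a store APK and a source build disagree as soon as the signing metadata differs, so the check hashes each zip entry instead, ignores the META-INF signature block, and reports only real content differences. The APKs here are tiny constructed zips standing in for real ones; the function and entry names are assumptions.

```python
import hashlib
import io
import zipfile

SIGNING_PREFIX = "META-INF/"  # v1 signature files: CERT.RSA, CERT.SF, MANIFEST.MF


def raw_hash_matches(apk_a, apk_b):
    """Whole-file SHA-256 comparison, i.e. what sha256sum would tell you."""
    return hashlib.sha256(apk_a).digest() == hashlib.sha256(apk_b).digest()


def entry_hashes(apk_bytes, ignore_signing=True):
    """Map each zip entry name to the SHA-256 of its uncompressed contents."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if ignore_signing and info.filename.startswith(SIGNING_PREFIX):
                continue  # signing block is expected to differ; skip it
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def compare_apks(store_apk, built_apk):
    """Report entries missing on either side and entries whose bytes differ."""
    a, b = entry_hashes(store_apk), entry_hashes(built_apk)
    return {
        "only_in_store": sorted(set(a) - set(b)),
        "only_in_build": sorted(set(b) - set(a)),
        "differ": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def make_apk(entries):
    """Constructed sample: a minimal in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the store copy is the same code plus a signature block.
COMMON = {"classes.dex": b"dex\n035\x00code", "AndroidManifest.xml": b"<manifest/>"}
STORE_APK = make_apk({**COMMON, "META-INF/CERT.RSA": b"signature-bytes",
                      "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0"})
BUILT_APK = make_apk(COMMON)
TAMPERED_APK = make_apk({**COMMON, "classes.dex": b"dex\n035\x00different"})

if __name__ == "__main__":
    print("sha256 equal:", raw_hash_matches(STORE_APK, BUILT_APK))  # False
    print("store vs build:", compare_apks(STORE_APK, BUILT_APK))      # nothing differs
    print("store vs tampered:", compare_apks(STORE_APK, TAMPERED_APK))  # classes.dex differs
```

Against real files, read the two APKs from disk and run compare_apks on them; an empty result with signing ignored is the "verdict" the scripts look for, while anything listed under differ is what diffoscope then explains in detail.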