How'd you do that?
Discussion
Hi! To verify the reproducibility of your apk, first ensure that your app is source-available (Open Source). You need to extract your apk from the phone. There are third party apps that do that, but if you want to be sure, you could use WalletScrutiny.com's in-house script which just runs adb:
https://gitlab.com/walletscrutiny/walletScrutinyCom/-/blob/master/apkextractor_sync.sh
You may clone the entire walletscrutiny.com repository if you plan on pushing through with doing the entire process.
Now, most Android apps can either be distributed as a single apk or a bundle of apks (split apks).
Before you run that script though, ensure that your phone is connected to the PC, with Developer Mode and USB debugging both on.
If you run apkextractor_sync.sh, run it like so: (example for illustrative purposes, you need to find the appID of your app)
$ ./apkextractor_sync.sh io.nunchuk.android
The script will tell you if your app is a single apk or a split bundle.
If you're using obtanium, couldn't you just use the apk on the github?
I guess I'm more curious how you ran their build pipeline and then compared the apk produced from that with the other apk
We don't verify against GitHub releases - we verify against what users actually receive from the Play Store.
At WalletScrutiny.com, we extract the APK installed on a real device (or downloaded directly from the Play Store via an API), then build the app from source following the developer's instructions. We compare the two using tools like `diffoscope` or `apktool` to check for byte-for-byte reproducibility. If they match (excluding signing differences), the app is reproducible.
Using the GitHub APK assumes trust - we're focused on trustlessness.
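As an added example (not WalletScrutiny's own script), this shows the two steps described above: classifying the output of `adb shell pm path <appId>` as a single apk or a split bundle, and comparing a device APK against a locally built one entry by entry while ignoring v1 signing files under META-INF/. The "APKs" are constructed in-memory zips with sample entries; the pm path output is a constructed sample, and io.nunchuk.android is only used as an illustrative app id.

```python
import hashlib
import io
import zipfile


def is_signing_entry(name):
    # v1 signing metadata lives under META-INF/ (.MF/.SF/.RSA/.DSA/.EC); v2/v3
    # signatures live in the APK signing block, outside any zip entry.
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith((".MF", ".SF", ".RSA", ".DSA", ".EC"))


def classify_pm_path(pm_path_output):
    """Classify `adb shell pm path <appId>` output: ('single'|'split', [paths])."""
    paths = [line.split("package:", 1)[1].strip()
             for line in pm_path_output.splitlines() if line.startswith("package:")]
    if not paths:
        raise ValueError("no package: lines; is the app installed?")
    return ("split" if len(paths) > 1 else "single"), paths


def entry_digests(apk_bytes):
    """SHA-256 of every non-signing file entry, keyed by entry name."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(device_apk, built_apk):
    """Entries that differ (missing on one side or different content); [] means reproducible."""
    a, b = entry_digests(device_apk), entry_digests(built_apk)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


def make_apk(entries):
    # Constructed minimal "APK" (a plain zip) for the demo; not a real Android build.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    common = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
    store = make_apk({**common, "META-INF/CERT.RSA": b"play-store-cert"})
    local = make_apk({**common, "META-INF/CERT.RSA": b"developer-cert"})
    print("whole-file hashes equal:", hashlib.sha256(store).digest() == hashlib.sha256(local).digest())
    print("differing entries (signing excluded):", compare_apks(store, local))
```

The whole-file hashes differ because of the signing entry alone, which is why an entry-level comparison (or diffoscope) is used rather than a single SHA-256 of the file.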
Using the github apk doesn't assume trust, that's what I install on my phone via obtainium, that's why I said that.
Makes sense! If you're installing the GitHub APK via Obtainium, verifying that binary is valid for your use case.
WalletScrutiny focuses on trustless verification of Play Store builds - since that's what most users receive, often without knowing if it matches source. Different threat models, same goal: auditability.
I'm just asking about the process bc I'm trying to implement this for zapstore via dvms
Keep us updated!
For the methodology, we have several pre-built scripts - that you are free to modify and adapt for your own use.
I'm thinking of whether to give you the new method which includes nostr attestations - which we are still working on, or the minute step-by-step procedure for specific wallets with specific versions.
IF the latter, we can try out a test case.
Say app id: de.schildbach aka (Schildbach Bitcoin Wallet)
OLD METHOD:
1. Extract the APK from your phone.
2. Fork, clone locally walletscrutiny. Instructions here: https://gitlab.com/walletscrutiny/walletScrutinyCom
3. Once you've set up your environment and have the apk ready.
4. In the nostr:nprofile1qywhwumn8ghj7mn0wd68ytnzd96xxmmfdejhytnnda3kjctv9uqsuamnwvaz7tmwdaejumr0dshsz9thwden5te0dehhxarj9ehhsarj9ejx2a30qyghwumn8ghj7mn0wd68ytnhd9hx2tcpremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uqzpytvkhls05a4rnhh76mt0a28nvgqrdqpcr5z2k8wrg39qnra2p7fp72lx8 root directory, run:
`$ ./test.sh -a /path/to/apk/file.apk`
5. The script runs and there's a verdict.
This case is the easiest - for a huge majority of the apps we test, more often than not, the scripts break. So that's the part that takes research and collaboration.
Many projects should have instructions how to build their app - unfortunately they don't. We file an issue in their repo. If they respond, cool! If not, then we try trial and error until we manage to build it.
Do tell, if you've reached this point.
For the new method...I'll tell you when you finish this.
Thoughts.
Have you used act? Basically lets you run github actions locally.
My opinion is essentially that no app should actually have to tell you how to build their app (if they care about reproducible builds). nostr:nprofile1qqsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqpzamhxue69uhhv6t5daezumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qgwwaehxw309ahx7uewd3hkctcscpyug I plan to use amethyst as my initial test, do you think I'll have any issues?
Here's my plan:
Hit zapstore for apk or just the hash since it's blossom
Then locally run the pipeline via act and upload to blossom and confirm the hashes are identical.
Once that is confirmed working, do the same thing but via the CICD DVM.
Then lastly do the nostr attestation which I've been discussing with folks on the github (so there might be some decent work to do there to make sure it has all the information I want).
That's basically the POC. If I can get through this, I'd want to work with zapstore to add either:
Badges for apps/versions with reproducible builds
Or
Figure out how to add custom collections that are paywalled with a small zap to be able to pay the DVM bill (example if I have 10 apps that I'm attesting to, it could cost me like 100,000 SATs to do the Reproducible build for each version). Probably ends up requiring a paid relay. Initially I'd probably just fund it myself and see how much zaps I can collect from just running the pipeline 1x/ month.
If this ends up proving valuable, then my plan is to implement the fdroid dark pattern stuff (which I recently discovered is actually just manual) as scripts for the DVM stuff. I think this is a way to get the non-bitcoin security focused folks onto nostr, by having MORE features in our app store.
End user ux:
Go to zapstore to download app.
See the following badges/filters:
Reproducible builds (clicking this should take you to the DVM results of that version's reproducible build)
Does(not) use location services
Does(not) depend on non-free services
Does(not) depend on centralized server (? Ex proton VPN vs something like amethyst that lets you run your own server/relay)
Does (not) employ tracking
Etc
Sorry for the long note, but I took my meds today and I'm really fucking stoked about this idea but I'm pretty sure only like 5 people would care.
No worries - I had chatGPT summarize it. :P
Wow, this seems pretty complicated, and I don't consider myself a full-fledged developer just yet. I haven't tried ACT, but I'd be interested in giving it a go; it sounds like it could be helpful. Just to clarify, we mainly use tools like diff and diffoscope instead of SHA256sum, because it's very rare for the SHA-256 checksums of APKs from Google Play to match those of the ones built from source. Also, I'm not very familiar with Zapstore, and I don't know much about DVM either. I'm currently trying to verify the reproducibility of bitcoin core for desktop using GUIX. I'm sure that the devs have done this themselves, but I'm giving it a go.