Please update your build instruction and make sure the app on Google Play can be reproduced #69
The build instructions are wrong in:

Building the app works with gradle 4.10.3. Build with:

Containerfile.alpine:

```dockerfile
FROM frolvlad/alpine-glibc

# Build tooling: git for the checkout, a JDK 8 for gradle; wget and unzip come from busybox
RUN set -ex; \
    apk update; \
    apk add --no-cache \
        git \
        openjdk8; \
    adduser -D appuser;

# Everything below runs as an unprivileged user
USER appuser

ENV ANDROID_HOME="/home/appuser/app/sdk/" \
    ANDROID_SDK_ROOT="/home/appuser/app/sdk"

RUN set -ex; \
    mkdir -p "/home/appuser/app/sdk/licenses" "/home/appuser/app/bither" "/home/appuser/app/gradle"; \
    # pre-accept the SDK license so the Android gradle plugin can fetch the SDK itself
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/app/sdk/licenses/android-sdk-license"; \
    cd /home/appuser/app/bither; \
    git clone --depth 1 https://github.com/bither/bither-android/; \
    cd /home/appuser/app/bither/bither-android/; \
    # rewrite the submodule SSH URLs to HTTPS so they clone without a key
    sed -i 's/git@github.com:/https:\/\/github.com\//g' /home/appuser/app/bither/bither-android/.gitmodules; \
    git submodule init; \
    git submodule update; \
    cd /home/appuser/app/gradle/; \
    wget https://services.gradle.org/distributions/gradle-4.10.3-bin.zip; \
    unzip gradle-4.10.3-bin.zip; \
    rm gradle-4.10.3-bin.zip;

RUN set -ex; \
    cd /home/appuser/app/bither/bither-android/; \
    /home/appuser/app/gradle/gradle-4.10.3/bin/gradle assembleRelease
```

The result is almost/kinda reproducible, there is a small diff in the classes.dex file. Rebuild on debian resulted in the same result as alpine above.

```dockerfile
FROM debian:stretch-slim

# Build tooling: JDK 8 for gradle, git for the checkout, wget/unzip for the gradle distribution
RUN set -ex; \
    mkdir -p /usr/share/man/man1/; \
    apt-get update; \
    apt-get install --yes --no-install-recommends openjdk-8-jdk git wget unzip; \
    rm -rf /var/lib/apt/lists/*; \
    useradd -ms /bin/bash appuser;

# Everything below runs as an unprivileged user
USER appuser

ENV ANDROID_HOME="/home/appuser/app/sdk/" \
    ANDROID_SDK_ROOT="/home/appuser/app/sdk"

RUN set -ex; \
    mkdir -p "/home/appuser/app/sdk/licenses" "/home/appuser/app/bither" "/home/appuser/app/gradle"; \
    # pre-accept the SDK license so the Android gradle plugin can fetch the SDK itself
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/app/sdk/licenses/android-sdk-license"; \
    cd /home/appuser/app/bither; \
    git clone --depth 1 https://github.com/bither/bither-android/; \
    cd /home/appuser/app/bither/bither-android/; \
    # rewrite the submodule SSH URLs to HTTPS so they clone without a key
    sed -i 's/git@github.com:/https:\/\/github.com\//g' /home/appuser/app/bither/bither-android/.gitmodules; \
    git submodule init; \
    git submodule update; \
    cd /home/appuser/app/gradle/; \
    wget https://services.gradle.org/distributions/gradle-4.10.3-bin.zip; \
    unzip gradle-4.10.3-bin.zip; \
    rm gradle-4.10.3-bin.zip;

RUN set -ex; \
    cd /home/appuser/app/bither/bither-android/; \
    /home/appuser/app/gradle/gradle-4.10.3/bin/gradle assembleRelease
```
@zhenHH can you tell what environment was used to build the app on Google Play? On what OS? Using a script, or Android Studio, etc.?

Hey. I built your wallet. The build was successful, and we were able to generate the APK, but comparing the APK with the official version resulted in a huge diff. You can see the full review here. Would love to hear your thoughts on how we can fix this!

I also checked this product and compiled it with a slightly modified (checkout v2.1.5, gradle assembleRelease) Dockerfile compared to what @keraliss used. The diff was substantial and minified or, in other words, obfuscated. I would ask to either provide build instructions that allow for binary transparency or to at least not use minification.
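The "huge diff" and the "small diff in the classes.dex file" reported in the comments above both come from comparing a locally rebuilt APK with the one shipped on Google Play. The script below is an added example of that comparison step; it is not code from this issue, from WalletScrutiny or from the Bither project. An APK is a zip archive, so it hashes every archive member and sorts them into identical, changed, or present on one side only, then treats the build as reproducible only if the remaining differences are confined to the `META-INF/` signature files an unsigned rebuild cannot have. The names `compare_apks`, `is_reproducible`, `load_apk` and the two in-memory archives `OFFICIAL` and `REBUILT` are constructed for this example and assume nothing about Bither's real artifacts.

```python
"""Entry-by-entry comparison of two APK archives (an APK is a zip file).

Added example for this thread; not Bither code. The archives at the bottom are
constructed in memory as stand-ins for a Play Store APK and a local rebuild.
"""
import hashlib
import io
import zipfile

# Entries that legitimately differ between a signed store APK and an unsigned
# rebuild: the v1 (JAR) signature files live under META-INF/.
SIGNATURE_PREFIX = "META-INF/"


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each archive member name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(official: bytes, rebuilt: bytes) -> dict:
    """Classify every member as only-in-official, only-in-rebuilt, changed or identical."""
    a, b = entry_digests(official), entry_digests(rebuilt)
    common = set(a) & set(b)
    return {
        "only_in_official": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(n for n in common if a[n] != b[n]),
        "identical": sorted(n for n in common if a[n] == b[n]),
    }


def is_reproducible(report: dict) -> bool:
    """True when every difference is confined to signature files under META-INF/."""
    diffs = report["only_in_official"] + report["only_in_rebuilt"] + report["changed"]
    return all(name.startswith(SIGNATURE_PREFIX) for name in diffs)


def load_apk(path: str) -> bytes:
    """Read a real APK from disk for use with compare_apks."""
    with open(path, "rb") as fh:
        return fh.read()


def make_apk(members: dict) -> bytes:
    """Build a small zip from {name: bytes}; a constructed sample, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (assumed content, not real Bither artifacts).
_COMMON = {
    "AndroidManifest.xml": b"<manifest package='example.wallet'/>",
    "res/layout/main.xml": b"<LinearLayout/>",
    "resources.arsc": b"\x02\x00\x0c\x00",
}
# Store build: signed, with one version of the compiled code.
OFFICIAL = make_apk({**_COMMON, "classes.dex": b"dex\n035\x00official-bytecode",
                     "META-INF/CERT.RSA": b"store-signature"})
# Local rebuild: unsigned, and the dex differs (the situation described in the thread).
REBUILT = make_apk({**_COMMON, "classes.dex": b"dex\n035\x00rebuilt-bytecode"})
# Local rebuild whose only difference is the missing signature: a reproducible result.
REBUILT_CLEAN = make_apk({**_COMMON, "classes.dex": b"dex\n035\x00official-bytecode"})


if __name__ == "__main__":
    for label, candidate in (("rebuilt", REBUILT), ("rebuilt-clean", REBUILT_CLEAN)):
        report = compare_apks(OFFICIAL, candidate)
        print(f"{label}: reproducible={is_reproducible(report)}")
        for key in ("only_in_official", "only_in_rebuilt", "changed"):
            for name in report[key]:
                print(f"  {key}: {name}")
```

For real artifacts, pass `load_apk("official.apk")` and `load_apk("app-release-unsigned.apk")` to `compare_apks`. Member hashing only tells you which files differ; to see what changed inside `classes.dex` (for example whether the difference is ProGuard renaming, as the next comment suspects), decompile both dex files or run a content-aware tool such as diffoscope on the two archives. Note that APK Signature Scheme v2/v3 data is stored in a signing block outside the zip entries, so it never shows up in this member-level comparison, while v1 signatures do, which is why `META-INF/` is excluded from the verdict.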
I just reviewed your app and failed to build it. The following review can also be found on WalletScrutiny.

This app is an open source Bitcoin wallet with most of its information to be found not on their website but in the App description and on GitHub. There they clearly claim:

and with an offline wallet, the private key clearly has to live exclusively on that Cold Wallet phone, making the product a non-custodial wallet.

But can we reproduce the build?

There are build instructions. Let's see how that goes. Those instructions are from 2015 ...

...

... that's scary. v1.10 is from 2013. So as we won't install gradle system-wide on version 1.10, we hop into docker now:

Poking around we see:

and this gradle plugin requires gradle 3.3+, not 1.10. The build instructions are clearly lacking and this is where we give up. This wallet is not verifiable.

To make matters worse, the app also uses proguard obfuscation: