[Commotion-dev] Verifying an apk has been built from this source

Jeremy Lakeman Jeremy.Lakeman at gmail.com
Fri Feb 8 03:57:22 UTC 2013


Which raises another interesting topic: in the general case, how would
you verify that an apk has been built from a particular source
archive?

Serval would like to create a distributed group of reviewers who would
be tasked with signing our apk. And if a quorum of them agree that the
software is valid (for some measure of validity, e.g. it functions
properly and has no backdoors or built-in shutoff code), then the apk
would be offered to install. Hopefully this would prevent a Limewire
style death by court order.

The basic problem as I see it, is that the contents of the apk are not
quite deterministic. I have wondered about forking a tool like
ApkAnalyser, to perform an automated comparison of two compiled apks
to highlight any important differences. So you can build the
application from source and compare to the version that I built. Then
when you are satisfied you would add a signature to my binary.

Any other suggestions about how we might go about it?

On Fri, Feb 8, 2013 at 1:50 PM, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> On 01/08/2013 11:37 PM, Nat Meysenburg wrote:
>> I did this once to get Orweb into F-Droid, and would be happy to do
>> it again for Commotion, or walk others through the process.
>
> Ah ha! You are the one that created multiple versions of Orweb in the
> wild, signed by keys that aren't ours! :)
>
> Seriously though, this is my main issue with using the F-Droid
> shared/public repo for software related to activism or that could
> potentially have malicious versions out there. If someone installs
> from F-Droid, then they can't override that install with the version
> of the APK distributed by Commotion/OTI directly.
>
> I suppose if someone was using F-Droid then they should just keep
> using that version, but we take a lot of care at Guardian with
> building/signing our apps in a relatively safe and secure environment,
> and promoting a version of our app that is built in some other unknown
> shared environment always gives me cause for pause.
>
> +n
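The automated comparison Jeremy describes, as an added example that is not part of the thread, Serval's code, or ApkAnalyser: two apks are treated as zip archives, the signer-generated META-INF entries (which differ between builds by design) are ignored, and every remaining entry is compared by the SHA-256 of its uncompressed bytes. The two apks here are constructed in memory as sample data; in practice a reviewer would pass in their own build and the published binary.

```python
import hashlib
import io
import zipfile

# Entries written by the signer; they differ between two builds by design,
# so they are excluded from the content comparison.
SIGNING_PREFIX = "META-INF/"


def entry_digests(apk_bytes):
    """Map each non-signing entry name to the SHA-256 of its uncompressed contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNING_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(built_apk, published_apk):
    """Return (only_in_built, only_in_published, changed): entries a reviewer must explain."""
    a, b = entry_digests(built_apk), entry_digests(published_apk)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(name for name in set(a) & set(b) if a[name] != b[name])
    return only_a, only_b, changed


def make_apk(entries):
    """Build a constructed in-memory zip that stands in for an apk (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a reviewer's local build versus the published, signed apk.
LOCAL_BUILD = make_apk({
    "AndroidManifest.xml": b"<manifest package='org.example'/>",
    "classes.dex": b"dex\n035\x00local",
    "res/values/strings.xml": b"<resources/>",
})
PUBLISHED = make_apk({
    "AndroidManifest.xml": b"<manifest package='org.example'/>",
    "classes.dex": b"dex\n035\x00published",  # differs: needs a dex-level diff to explain
    "res/values/strings.xml": b"<resources/>",
    "META-INF/CERT.RSA": b"signature blob",   # expected to differ, ignored
    "assets/extra.bin": b"\x00\x01",          # present only in the published apk
})

if __name__ == "__main__":
    only_local, only_pub, changed = compare_apks(LOCAL_BUILD, PUBLISHED)
    print("only in local build:", only_local)
    print("only in published apk:", only_pub)
    print("changed contents:", changed)
```

A flagged classes.dex still has to be examined with a dex-aware tool, since compiler and build-path differences can change its bytes without changing behaviour; the per-entry diff only narrows the review to the entries that actually differ.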
