Add reproducible builds to the iOS app

gautamkrishnar · 2021-01-10T18:32:23.501Z

Telegram Android and iOS apps have reproducible builds. Anyone can independently verify whether the version of the app published on the play store and app store matches the release available on GitHub, any plans to add this to the signal apps?

More info: Reproducible Builds for iOS and Android

SIgnal Android issue: Add Reproducible Builds support · Issue #10457 · signalapp/Signal-Android · GitHub

ippefre · 2021-01-10T18:37:00.018Z

github.com

signalapp/Signal-Android/blob/main/reproducible-builds/README.md

# Reproducible Builds


## TL;DR

```bash
# Clone the Signal Android source repository
git clone https://github.com/signalapp/Signal-Android.git && cd Signal-Android

# Check out the release tag for the version you'd like to compare
git checkout v[the version number]

# Build the Docker image
cd reproducible-builds
docker build -t signal-android .

# Go back up to the root of the project
cd ..

# Build using the Docker environment

This file has been truncated. show original

gautamkrishnar · 2021-01-10T18:38:08.105Z

@ippefre thanks a lot, really happy to know that it’s there

ParaSym · 2021-01-10T18:38:26.335Z

regarding iOS:

reproducible builds for iOS do not make much sense,
as you need a jailbroken iPhone to get the official app, which you want to compare to your built

Cerberus · 2022-07-14T12:20:11.342Z

What would be so bad about requiring a jailbroken iPhone? Wouldn’t it just mean that fewer people might be inclined to try reproducing the official iOS app?

For the record, this feature request has a long history and plenty of interest within the user community, as demonstrated by this (now misplaced) discussion on the Signal iOS bug tracker:

github.com/signalapp/Signal-iOS

Reproducible builds

opened 09:16AM - 03 Mar 15 UTC

closed 02:50PM - 12 Oct 22 UTC

massar

https://github.com/WhisperSystems/Signal-iOS/releases/tag/2.0 mentions "Git tag… was signed with @FredericJacobs's GPG key" Which is great, but the IPA that people will download (who will bother compiling themselves, and then one will get a different edition due to signing) will either get it from the Apple App Store or maybe that release page. Neither version can be verified as to matching to the source code though. And they are VERY different. Signal.ipa (Github) = 10.287.224 bytes, uncompressed 25 MiB, SHA512 = b8663105def290c866c38f95016ae45c17fed1a5fd8de1dd8f632457b03727dc2c9f8bd50ba15d256bed519da30ab9e6d869beaa86a741403c5376cd59e2bda9 Signal.ipa (AppStore) = 15.541.382 bytes, uncompressed 15 MiB, SHA512 = 7f5152b41a81e7fe4625e89a80e28cca1285779083880af608ee8fb1f42e6502a54aa34a19da121cb75bb2b91820235e718d15e9ec6b0af180a811dd22899982 That does not even remotely match. And the compression is extremely funny there that the Github edition with Symbols compresses smaller than the AppStore without... In the AppStore version there is a "iTunesArtwork" file of 33k + iTunesMetadata.plist, while the Github edition has Symbols included (great for debugging, not really a 'release' thing). Inside the payload: Binary files ./Signal and /Users/jeroen/Downloads/sa/Payload/Signal.app/Signal differ and various other files, that are diffable are also different. The size difference "apparently" comes primarily from different compression technique All that said: - even if there are minor differences between the published edition and the Github edition, please document these differences and why they exist - Please publish the SHA512 hashes, PGP-signed by your keys, so that people can see that what they get from AppStore/Github is really what they should be having Open Source means nothing when the source does not match the binary. (Next to actually having an audit of the system and hoping that IOS is not working against the whole security model ;)

janedoe · 2022-07-15T06:58:19.959Z

Cerberus:

What would be so bad about requiring a jailbroken iPhone?

Afaik, it’s currently not possible to jailbreak the latest iOS and staying outdated is the worst thing you can do security wise.

seague · 2022-07-15T10:47:03.154Z

So we should blindly trust Signal and the App Store instead of being able to verify the application?

Your stance on this is the enemy of security.

kpcyrd · 2022-10-13T13:10:55.632Z

It’s very complicated, the 2nd jailbroken device is necessary because there’s no other way to download the .ipa, but even if you manage to do that and bit-for-bit reproduce the .ipa you downloaded from source, there’s no way to know if the App Store is sending every user the same .ipa or if your other, non-jailbroken iPhone downloaded a backdoored one.

I’d be interested in working on this but I lack the jailbroken device and the development environment, and even then I can’t solve the problem of the App Store not having binary transparency.

cdpb1 · 2024-05-17T22:13:24.090Z

This is still important! Telegrams CEO Pavel Durov recently (2024-05-08) posted on his Channel that signal “refused to add reproducible builds for iOS”.
By today, 2024-05-17, the post was read by 1.3M users.

Durov quoted the GitHub signal iOS issue #641, which leads to this post.

If there is a more recent discussion or blog post about this topic, please link it here to show some progress.

beacon · 2024-05-17T23:27:02.520Z

I don’t think anyone cares what the Telegram CEO says. Let me know when Telegram is e2e encrypted by default for all chats.

cdpb1 · 2024-05-18T06:49:50.995Z

That’s not how politics work.
Your average interested Bob reads Pavels blog post and wants to verify the links and all he gets is a more than two year old discussion here and a more recent “no one cares what the telegram CEO says…”. Doesn’t that underline Pavels statement? It can raise doubt.

Yes signal is better, no question, I am on your side.

Maybe a blog post from signals engineering team would be helpful to falsify or clarify this matter. Again, 1.3M people read this post by now.

beacon · 2024-05-22T05:44:02.728Z

cdpb1:

That’s not how politics work.

What politics? This garbage below?

the Guardian – 18 May 24

How a smear campaign against NPR led Elon Musk to feud with Signal

Rightwing media personalities on X transmuted a screed against NPR’s CEO into a fight over encryption via the Transitive Property of Bad People

Might be a good idea to ignore the sophomoric noise in today’s politics.

Whatnoww · 2024-07-15T10:29:28.054Z

On Telegram apparently you can only verify parts of the app, not the whole. So this isn’t entirely useful.