Here's a little thing that may not be obvious to many people...

When you install an open-source app from Google Play or the Apple app store, there is no guarantee that what you install actually matches the public code.

@fdroidorg are doing a great service. They independently build the public source code for apps from scratch, review for common issues, and publish their builds. Thanks to "reproducible builds" it's possible to verify they do not tamper with the code.


@snikket_im uhm, does a reproducible build not guarantee anything, since the checksum will change after signing the app anyway?

@charlag @snikket_im Verifying #ReproducibleBuilds on #Android is a bit more complicated than just hashing files. We actually use those signatures you mentioned for verification. The trick we came up with is to transplant APK signatures. So when a dev builds an APK, they can send us their signature for that specific build. We transplant it into an APK we've built. If it still works: voilà, reproducible apps built by #FDroid, signed by their original authors.

@charlag @snikket_im ...can't you just checksum the before-signing stuff?

@IceWolf @snikket_im yeah, but when you download the app, you download the signed app.
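An added example, not written by anyone in this thread and not F-Droid's own tooling: the point in the last two posts (you only ever get the signed APK, but the pre-signing content can still be checked) can be verified by comparing your own unsigned build against the published APK entry by entry while ignoring v1 signing files. The sample APKs are constructed in-memory zips, not real apps; v2/v3 signatures live in the APK Signing Block, which is not a zip entry, so this comparison never sees them.

```python
import hashlib
import io
import zipfile

# Entries that v1 (JAR) signing adds to META-INF/; everything else must match.
SIGNATURE_FILES = {"META-INF/MANIFEST.MF"}
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name: str) -> bool:
    return name in SIGNATURE_FILES or (
        name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)
    )


def content_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not is_signature_entry(info.filename)
        }


def compare_apks(built: bytes, published: bytes) -> list:
    """Return a list of differences; an empty list means the payloads match."""
    a, b = content_digests(built), content_digests(published)
    diffs = [f"only in build: {n}" for n in sorted(a.keys() - b.keys())]
    diffs += [f"only in published: {n}" for n in sorted(b.keys() - a.keys())]
    diffs += [f"content differs: {n}" for n in sorted(a.keys() & b.keys()) if a[n] != b[n]]
    return diffs


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a plain zip with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: the same payload unsigned, dev-signed, and tampered.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00..."}
UNSIGNED_BUILD = make_apk(PAYLOAD)
DEV_SIGNED = make_apk({**PAYLOAD, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "META-INF/CERT.SF": b"sf", "META-INF/CERT.RSA": b"\x30\x82"})
TAMPERED = make_apk({**PAYLOAD, "classes.dex": b"dex\n035\x00 changed",
                     "META-INF/CERT.RSA": b"\x30\x82"})

if __name__ == "__main__":
    print(compare_apks(UNSIGNED_BUILD, DEV_SIGNED))  # []
    print(compare_apks(UNSIGNED_BUILD, TAMPERED))    # ['content differs: classes.dex']
```

An empty difference list shows the published payload matches the independent build; the signature itself still has to be checked separately (for example with apksigner) to confirm it belongs to the original author.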

