WIP: Add verification script for Muun Wallet (Play Store)

Adds support for verifying builds of Muun Wallet for Android. As is, the script outputs the following differences:

Only in /tmp/fromPlay_io.muun.apollo_502/original/META-INF: APOLLORE.RSA
Only in /tmp/fromPlay_io.muun.apollo_502/original/META-INF: APOLLORE.SF
Files /tmp/fromPlay_io.muun.apollo_502/original/META-INF/MANIFEST.MF and /tmp/fromBuild_io.muun.apollo_502/original/META-INF/MANIFEST.MF differ
Files /tmp/fromPlay_io.muun.apollo_502/res/values/strings.xml and /tmp/fromBuild_io.muun.apollo_502/res/values/strings.xml differ

I believe the first three are to be expected since the built APK has no signature information. The last one, however, is different:

$ diff /tmp/fromPlay_io.muun.apollo_502/res/values/strings.xml /tmp/fromBuild_io.muun.apollo_502/res/values/strings.xml
76c76
<     <string name="com.crashlytics.android.build_id">79a4d6b75ce84bd6ae254b900862f3a4</string>
---
>     <string name="com.crashlytics.android.build_id">b8c86404219046eda8f32c66a3f45467</string>

I haven't found a way to have Crashlytics generate a deterministic build_id. I haven't even found documentation around the value 😞

With that said, I'm not sure whether this is considered enough to qualify as reproducible. I'll keep trying to have Crashlytics cooperate 😬
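
The triage described above, as an added example that is not part of the merge request or the project's verification script: it parses the `Only in` / `Files ... differ` lines and separates signing-related paths from everything else. The function names, the strict "any other difference is unexplained" policy, and the treatment of `MANIFEST.MF` as signing-related (following the description's own assumption) are assumptions of this example.

```python
import re

# Constructed sample: the four difference lines quoted in the description.
PLAY = "/tmp/fromPlay_io.muun.apollo_502"
BUILD = "/tmp/fromBuild_io.muun.apollo_502"
SAMPLE = f"""\
Only in {PLAY}/original/META-INF: APOLLORE.RSA
Only in {PLAY}/original/META-INF: APOLLORE.SF
Files {PLAY}/original/META-INF/MANIFEST.MF and {BUILD}/original/META-INF/MANIFEST.MF differ
Files {PLAY}/res/values/strings.xml and {BUILD}/res/values/strings.xml differ
"""

# Assumption taken from the description: signature block, signature file and
# manifest under META-INF are expected to differ for an unsigned local build.
SIGNING = re.compile(r"(^|/)META-INF/([^/]+\.(RSA|DSA|EC|SF)|MANIFEST\.MF)$")
ONLY_IN = re.compile(r"^Only in (?P<dir>.+): (?P<name>.+)$")
DIFFER = re.compile(r"^Files (?P<a>.+) and (?P<b>.+) differ$")


def relative(path, roots):
    """Strip whichever extraction root prefixes the path."""
    for root in roots:
        prefix = root.rstrip("/") + "/"
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def classify(diff_output, roots=(PLAY, BUILD)):
    """Split diff lines into (signing_related, unexplained) relative paths."""
    signing, unexplained = [], []
    for line in diff_output.splitlines():
        if not line.strip():
            continue
        only, differ = ONLY_IN.match(line), DIFFER.match(line)
        if only:
            path = relative(f"{only['dir'].rstrip('/')}/{only['name']}", roots)
        elif differ:
            path = relative(differ["a"], roots)
        else:
            unexplained.append(line)  # unrecognised line: never assume benign
            continue
        (signing if SIGNING.search(path) else unexplained).append(path)
    return signing, unexplained


def is_reproducible(diff_output, roots=(PLAY, BUILD)):
    """True only when every difference is signing-related."""
    return not classify(diff_output, roots)[1]
```

On the sample, `strings.xml` is the only path left in the unexplained list, so `is_reproducible` returns `False` until the Crashlytics `build_id` difference is resolved or explicitly accounted for.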
