Edge Wallet v4.30.0 Not Reproducible from Tag v4.30.0 - WalletScrutiny.com
Hi Edge team 👋,
We’ve recently attempted to verify the reproducibility of the APK for Edge Wallet v4.30.0 (co.edgesecure.app) using your published source code at tag v4.30.0, and while the version metadata matched, the resulting APKs showed significant binary-level differences.
🔍 Summary
Official APK versionCode/versionName: 25062409 / 4.30.0
Tag used: v4.30.0
Commit checked out: cc0bb81000e4d2ff06482d82eb0ff15e18a2e341
Build environment: Dockerized build using Android SDK, Node, and Gradle
Comparison tools: apktool, aapt, diffoscope
❌ Key Differences
Although both the Play Store APK and the local build used the same tag and version code:
Sentry dependencies in the Play APK are at version 7.22.5, while the tag currently pulls in 8.12.0.
Kotlin version has also changed (1.8.22 → 1.9.24).
All .dex files and native .so libraries differ.
index.android.bundle and resources.arsc files are not byte-for-byte identical.
We suspect the tag v4.30.0 may have been force-pushed or updated since the Play APK was built, resulting in this drift.
📎 Full Report
The full reproducibility report and recursive diff are available for reference: walletscrutiny.com verification
We’d be happy to collaborate further if needed. Thank you for maintaining open-source transparency, and please let us know if there’s a fixed tag or SHA we should be using for a fully verifiable build.
Best regards,
Daniel Andrei R. Garcia
WalletScrutiny.com Verifier
GPG: AFA5A2208F9DE1CF
Thanks for putting effort into this! I verified that our build servers used commit cc0bb81 to create the Play Store APK for release 4.30.0, so you are on the right tag. However, we haven't put any effort into making the build reproducible.
Even if we document the exact build tools we use, fix our linker flags, set up additional lockfiles, and so forth, the store app would still contain API keys that we can't really share. The best we could do is minimize the diffs, or perhaps localize them to the javascript bundle. Would this be worth doing?
Also, we do have a direct APK download at https://apk.edge.app, which serves the latest version uploaded to the Play store, before Google messes with it. I'm not sure if this makes much difference - the reproducibility issues run deeper than just some metadata.
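The entry-by-entry comparison step the verifier describes (build from the tag, then check which parts of the two APKs actually differ before handing the rest to diffoscope), as an added Python example that is not WalletScrutiny's or Edge's code. It groups entries the way the report above does (dex, native .so, index.android.bundle, resources.arsc) so it also answers the question in Edge's reply: whether the remaining diffs are confined to the JavaScript bundle. The two archives are constructed in memory with made-up contents so the script runs offline; with real APKs you would read the two files from disk instead, and the category rules are an assumption about typical React Native APK layout.

```python
"""Per-entry SHA-256 comparison of two APKs (zip archives), grouped by entry type.

Added example, not WalletScrutiny's or Edge's code. Hashes are taken over the
uncompressed bytes of each entry, so a different deflate level alone does not
count as a difference; META-INF/ (the signing block) is reported but ignored
by the reproducibility verdict, since the store signature is never rebuilt locally.
"""
import hashlib
import io
import zipfile
from collections import defaultdict

# Assumed layout of a React Native APK; adjust for other build systems.
CATEGORIES = (
    ("dex", lambda n: n.endswith(".dex")),
    ("native", lambda n: n.startswith("lib/") and n.endswith(".so")),
    ("js_bundle", lambda n: n.endswith("index.android.bundle")),
    ("resources", lambda n: n == "resources.arsc"),
    ("signature", lambda n: n.startswith("META-INF/")),
)


def categorize(name):
    for cat, pred in CATEGORIES:
        if pred(name):
            return cat
    return "other"


def entry_hashes(data):
    """Map each zip entry name to the SHA-256 of its uncompressed bytes."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def compare_apks(official, local):
    """Return {category: {"same": [...], "differ": [...], "only_official": [...], "only_local": [...]}}."""
    a, b = entry_hashes(official), entry_hashes(local)
    report = defaultdict(lambda: {"same": [], "differ": [], "only_official": [], "only_local": []})
    for name in sorted(set(a) | set(b)):
        cat = categorize(name)
        if name not in b:
            report[cat]["only_official"].append(name)
        elif name not in a:
            report[cat]["only_local"].append(name)
        elif a[name] == b[name]:
            report[cat]["same"].append(name)
        else:
            report[cat]["differ"].append(name)
    return dict(report)


def is_reproducible(report):
    """True only if every entry outside META-INF/ is present in both and byte-identical."""
    for cat, buckets in report.items():
        if cat == "signature":
            continue
        if buckets["differ"] or buckets["only_official"] or buckets["only_local"]:
            return False
    return True


def build_apk(entries):
    """Constructed stand-in for a real APK: pack {name: bytes} into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (contents are made up) mirroring the report above:
# shared assets identical, dex / .so / bundle / resources.arsc different.
OFFICIAL = build_apk({
    "classes.dex": b"dex\n035\x00built-with-older-toolchain",
    "lib/arm64-v8a/libhermes.so": b"\x7fELF official",
    "assets/index.android.bundle": b"var k='store-only-api-key';",
    "resources.arsc": b"\x02\x00\x0c\x00official",
    "assets/fonts/a.ttf": b"font-bytes",
    "META-INF/CERT.RSA": b"store-signature",
})
LOCAL = build_apk({
    "classes.dex": b"dex\n035\x00built-with-newer-toolchain",
    "lib/arm64-v8a/libhermes.so": b"\x7fELF local",
    "assets/index.android.bundle": b"var k='';",
    "resources.arsc": b"\x02\x00\x0c\x00local",
    "assets/fonts/a.ttf": b"font-bytes",
})

if __name__ == "__main__":
    rep = compare_apks(OFFICIAL, LOCAL)
    for cat in sorted(rep):
        print(cat, {k: len(v) for k, v in rep[cat].items()})
    print("reproducible:", is_reproducible(rep))
```

If the only non-signature bucket with entries under `differ` is `js_bundle`, the drift has been localized to the bundle, which is the outcome Edge's reply floats as the best achievable; anything in `dex` or `native` points at toolchain or dependency differences of the kind listed in the report, not at injected keys.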