
Cannot verify the published app

Open Giszmo opened this issue 4 years ago • 8 comments

At the time of working on this article on the verifiability of your PlayStore app, I failed to verify it. I would much appreciate if you could provide better build instructions so that developers can verify the app easily.

Giszmo avatar Dec 14 '19 01:12 Giszmo

The article mentions that we closed the issue https://github.com/bitpay/copay/issues/9037

Which is incorrect. The author of the ticket closed the issue.

Are you the author of the article? Would you mind please to correct that?

I'm pretty sure Android builds of Angular applications do not offer deterministic builds. Are you having problems building the app, or is the issue that the resulting binary does not match the one published?

On Fri, Dec 13, 2019, 10:02 PM Leo Wandersleb [email protected] wrote:

At the time of working on this article https://walletscrutiny.com/posts/2019/11/bitpay/ on the verifiability of your PlayStore app, I failed to verify it. I would much appreciate if you could provide better build instructions so that developers can verify the app easily.


matiu avatar Dec 14 '19 02:12 matiu

Our findings are laid out in the article you read.

May I take your comment as confirmation that you do not verify builds? I don't care about bit-wise deterministic builds but about verifiability. If engineer A on his machine that might have a code-swapping virus compiles the app, can engineer B verify the build or not?

How high a bounty do you estimate to be for injecting such a virus on the release manager's machine? Would the release manager watch his family remain hostage before injecting malicious code? Those are the extreme fantasies that made me push for verifiability at Mycelium.

Giszmo avatar Dec 16 '19 00:12 Giszmo

Just FYI, we use the same stack (ionic + cordova) in our project AirGap. We use docker and our builds are deterministic, see the discussion here.

AndreasGassmann avatar Jan 06 '20 15:01 AndreasGassmann
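The question raised above is whether engineer B can confirm that the APK engineer A published is the one the public source produces. In practice the reproducible-build check compares the store APK against a fresh rebuild entry by entry, ignoring only the signature files that the release key adds. The script below is an added illustration of that comparison; it is not code from Copay, AirGap or this thread, and the two "APKs" it compares are constructed in-memory zips with made-up contents, not real builds.

```python
import hashlib
import io
import zipfile

# Entries under META-INF/ hold the JAR-style signature (CERT.RSA, CERT.SF,
# MANIFEST.MF). They legitimately differ between an unsigned rebuild and the
# signed store APK, so they are excluded from the comparison.
SIGNATURE_PREFIXES = ("META-INF/",)


def entry_digests(apk_bytes):
    """Map every non-signature zip entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIXES):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(published, rebuilt):
    """Return the entries present on one side only and those whose bytes differ."""
    a = entry_digests(published)
    b = entry_digests(rebuilt)
    return {
        "only_published": sorted(set(a) - set(b)),
        "only_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(name for name in a.keys() & b.keys() if a[name] != b[name]),
    }


def is_verified(published, rebuilt):
    """True when every non-signature entry matches byte for byte."""
    return not any(compare_apks(published, rebuilt).values())


def make_apk(files):
    """Constructed sample: build an in-memory zip from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed inputs (placeholder bytes, not real Android artifacts).
COMMON = {
    "AndroidManifest.xml": b"<manifest package='example.wallet'/>",
    "classes.dex": b"dex\n035\x00 constructed dex payload",
    "assets/www/index.html": b"<html>constructed cordova bundle</html>",
}
PUBLISHED = make_apk({**COMMON,
                      "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
                      "META-INF/CERT.SF": b"constructed signature file",
                      "META-INF/CERT.RSA": b"constructed signature blob"})
REBUILT_CLEAN = make_apk(COMMON)                      # honest rebuild: only the signature is missing
REBUILT_TAMPERED = make_apk({**COMMON,                # rebuild that does not match the store binary
                             "classes.dex": COMMON["classes.dex"] + b" extra code"})

if __name__ == "__main__":
    print("clean rebuild verified:", is_verified(PUBLISHED, REBUILT_CLEAN))
    print("tampered rebuild differences:", compare_apks(PUBLISHED, REBUILT_TAMPERED))
```

Two caveats for real APKs: the APK Signature Scheme v2/v3 block lives outside the zip central directory, so `zipfile` never sees it and the content comparison is unaffected; and zip entry timestamps or compression levels can differ between environments without changing the shipped code, which is why the script hashes decompressed entry contents rather than the whole file. A build that passes this check only proves the binary matches the public source; it says nothing about the source itself.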

Thanks for the information Andreas, we will look into it.

On Mon, Jan 6, 2020 at 12:57 PM AndreasGassmann [email protected] wrote:

Just FYI, we use the same stack (ionic + cordova) in our project AirGap https://airgap.it. We use docker and our builds are deterministic, see the discussion here https://github.com/airgap-it/airgap-vault/issues/13.


-- Matías Alejo Garcia @ematiu Roads? Where we're going, we don't need roads!

matiu avatar Jan 06 '20 16:01 matiu

Three months later ... guys, your wallet has more than half a million downloads! It's negligence to not verify the release manager's build! He might have a backdoor on his machine or be put under duress to steal all the funds of all the users. How is the status of this issue?

Giszmo avatar Mar 29 '20 00:03 Giszmo

Hi @Giszmo,

we are in the process of implementing a build process based on Docker, similar to the one AirGap (thanks again @AndreasGassmann ) is using. We will update this ticket once it is in production.

Thanks for bringing this point to our attention.

matiu avatar Mar 30 '20 12:03 matiu

It's been a while. How are things going? Time to try rebuilding again??

Giszmo avatar Oct 01 '20 02:10 Giszmo

Currently building the latest version fails: https://github.com/bitpay/wallet/issues/11748#issuecomment-1064483131 thus instructions on how to build latest version in container is the first step, @matiu is there any progress regarding Docker build stack mentioned in https://github.com/bitpay/wallet/issues/10425#issuecomment-605975286 ?

emanuelb avatar Mar 10 '22 20:03 emanuelb