Reproducible Builds at Threema

Hans-Christoph Steiner hans at guardianproject.info
Wed Dec 30 16:43:17 UTC 2020


Hey Danilo,

Great to see your work on open-sourcing Threema and reproducible builds 
on Android.  The F-Droid and RB contributors have been working on 
upstreaming fixes to the Android Tools themselves.  Google has been 
somewhat responsive.

Also, F-Droid.org has a publishing process based on reproducible builds 
for those that want it.  Basically you build your release APK, then 
extract the signature from it, and send it to "fdroiddata" with a build 
recipe.  If the F-Droid builders can reproduce it, it then publishes the 
APK with the upstream developer's (e.g. Threema) signature.

These builds are done using a free, open source stack that is 
relatively easy to set up.  So then reproducible builds can be done with 
a shared, audited, reproducible stack.

We also track all known RB issues with Android apps:
https://f-droid.org/docs/Reproducible_Builds/

.hc

Danilo:
> Hello RB Folks
> 
> Since a few days, the Threema messenger is open source and provides reproducible builds for the Android app:
> 
> https://threema.ch/en/open-source/reproducible-builds
> 
> I was involved in that project (I work for Threema) and set up the reproducible builds. So far these builds for the Android app seem to work nicely, after we fixed an initial issue with an NDK Makefile that linked object files in a non-deterministic way depending on the filesystem.
> 
> Providing reproducible builds for the iOS app is still an open issue though, and a tough one. Telegram seem to provide a reproducible setup, but it's really complicated. They write[0]:
> 
>> As things stand now, you'll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process.
> 
> [0] https://core.telegram.org/reproducible-builds#reproducible-builds-for-ios
> 
> Are there any other examples of iOS apps providing reproducible builds? I feel that an approach with a VM and requiring a jailbroken device results in a process that is hard to reproduce, will break often and is an endless fight against Apple who are trying to lock down their ecosystem. And if a process is not reliable, then I don't think that it's of much value (since any failure to reproduce a build can be attributed to the unreliability of the build process itself).
> 
> I'd be happy to hear about ideas how to make the iOS reproducible. The reproducible-builds.org website doesn't seem to contain any information targeted at mobile apps.
> 
> General feedback regarding the current RB setup for the Android app is welcome too of course!
> 
> Cheers,
> Danilo
> 

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
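The F-Droid flow described in the reply hinges on one check: the rebuilt APK must match the upstream release in everything except the signature files, which are then copied over from the developer's APK. The following is an added example of that comparison (written for this page, not code from the email, F-Droid or Threema) run on constructed in-memory zips standing in for APKs; every entry name and content is made up.

```python
import hashlib
import io
import zipfile

# Entries the APK signer adds (v1/JAR signing). v2/v3 signatures live in the
# APK Signing Block, which is not a zip entry, so they never show up here.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.endswith(SIG_SUFFIXES)

def entry_digests(apk_bytes: bytes) -> dict:
    # SHA-256 of each non-signature entry's uncompressed content.
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and not is_signature_entry(info.filename):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(upstream_signed: bytes, reproduced_unsigned: bytes) -> list:
    # Names that differ or exist on one side only; [] means the rebuild
    # matched and the upstream signature can be copied onto it.
    a, b = entry_digests(upstream_signed), entry_digests(reproduced_unsigned)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))

def make_apk(entries: dict) -> bytes:
    # Minimal zip standing in for an APK (constructed sample, not a real APK).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

DEX = b"dex\n035\x00constructed-dex-bytes"
UPSTREAM = make_apk({
    "classes.dex": DEX,
    "lib/arm64-v8a/libnative.so": b"ELF-constructed-objA-objB",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"constructed-pkcs7-blob",
})
REPRODUCED_OK = make_apk({"classes.dex": DEX,
                          "lib/arm64-v8a/libnative.so": b"ELF-constructed-objA-objB"})
# Same sources, but objects linked in filesystem order: the .so differs.
REPRODUCED_BAD = make_apk({"classes.dex": DEX,
                           "lib/arm64-v8a/libnative.so": b"ELF-constructed-objB-objA"})

if __name__ == "__main__":
    print(compare_apks(UPSTREAM, REPRODUCED_OK), compare_apks(UPSTREAM, REPRODUCED_BAD))
```

The second case models the non-deterministic NDK link order mentioned in the thread: the rebuild is flagged on exactly one native library rather than the whole APK, which is the granularity a reproducibility report needs.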