by oh_sigh 3692 days ago
The problem is that, at that point, Moxie couldn't confirm that the uploaded binary was the same one as packaged by their official release. Secure communication protocols are irrelevant if the client which you are communicating on is compromised.

What you have described is pretty much the opposite of how F-Droid works. One can't just take a binary (whether official or compromised) and upload it there. [1]

Instead, to publish an app there, you need to provide a source code repository [2], and their build farm would build it, sort of [3] providing a guarantee that the source code you can inspect is the same one you have running on your phone.

[1] There are exceptions, i.e. apps uploaded as binary-only (for example Firefox), but those come with a big red warning that the user sees before installing them.

[2] https://f-droid.org/wiki/page/FAQ_-_App_Developers#Will_my_a...

[3] Sort of, because reproducible builds for Android aren't here yet, so you can't just rebuild it yourself and compare the sha256, unfortunately.

Signal has reproducible builds for Android: https://whispersystems.org/blog/reproducible-android/ ...that just doesn't work with F-Droid. And building on their farm means that you have to trust them, and their build farm becomes a prime target if you want to infect lots of apps at once. In the play store, you sign your build, and Android will only let you install builds signed with that same key as updates. By moving the signing to F-Droid, you have to completely trust them.
I assume the Docker image provided by Signal does reproduce the Android build, but since the Docker image is a giant non-reproducible binary blob it is (as stated in the blog post) a "weekend hack" rather than a useful reproducible build system.
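As an added example (not code from this thread, from Signal, or from F-Droid), here is the kind of check the "rebuild it yourself and compare sha256" remark and the reproducible-builds discussion point at: two APKs are hashed and diffed with the v1 signature files under META-INF/ excluded, so a developer-signed store APK and an unsigned local rebuild compare equal while a changed classes.dex is caught. The APK entries below are constructed stand-ins, not real app contents.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature files legitimately differ between a developer-signed APK
# and a local rebuild, so they are excluded. The v2/v3 signing block sits
# outside the ZIP entries, so walking entries already ignores it.
SIGNATURE_SUFFIXES = ("MANIFEST.MF", ".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digest(apk_bytes: bytes) -> str:
    """SHA-256 over every non-signature entry (name, length, bytes), sorted by name."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if is_signature_entry(name):
                continue
            data = zf.read(name)  # uncompressed bytes, so compression level does not matter
            h.update(name.encode() + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def apk_diff(a: bytes, b: bytes) -> list[str]:
    """Entries that differ or exist on one side only, signature files excluded."""
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        ea = {n: za.read(n) for n in za.namelist() if not is_signature_entry(n)}
        eb = {n: zb.read(n) for n in zb.namelist() if not is_signature_entry(n)}
    return sorted(n for n in set(ea) | set(eb) if ea.get(n) != eb.get(n))


def build_apk(entries: dict[str, bytes]) -> bytes:
    """Constructed stand-in for an APK: a ZIP containing the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a developer-signed "store" APK, an unsigned local rebuild,
# and a rebuild whose code differs (the case a reproducible-build check must catch).
STORE_APK = build_apk({"classes.dex": b"dex\n035", "AndroidManifest.xml": b"<manifest/>",
                       "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "META-INF/CERT.SF": b"sig", "META-INF/CERT.RSA": b"\x30\x82"})
REBUILT_APK = build_apk({"classes.dex": b"dex\n035", "AndroidManifest.xml": b"<manifest/>"})
TAMPERED_APK = build_apk({"classes.dex": b"dex\n035 changed", "AndroidManifest.xml": b"<manifest/>",
                          "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})

if __name__ == "__main__":
    print(apk_diff(STORE_APK, REBUILT_APK))   # []
    print(apk_diff(STORE_APK, TAMPERED_APK))  # ['classes.dex']
```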

https://news.ycombinator.com/item?id=11403867

F-Droid also has reproducible builds – and not just ones where you have to download a binary from a questionable source and use it to compile things.

You can sign with your own key on F-Droid, too – if you use their way of dealing with reproducible builds.

> By moving the signing to F-Droid, you have to completely trust them.

Which you do anyway if you use Google Play Services.

...

A user that is prepared to access the apk can verify the signature of the app they have on their device.

(So the compromise of F-Droid that results in a signed, compromised binary can't happen on Google Play: the apk is signed before it is sent to the store.)

What does Play Services have to do with anything? APKs downloaded from the Play Store are signed by a key the developer holds and validated by Android's PackageManagerService which is open source.
The problem is that there is no insight into what is going on in the F-Droid build farm. Without reproducible builds, all bets are off.
So actually, the only thing he could do is to publish a validated binary to F-Droid.