top | item 25764746


dante_dev | 5 years ago

Right! The keyword here is "Reproducible Builds". Basically once there is documentation about how to produce the release build, you can do it yourself and compare the resulting hash with the build distributed in the Store. Generally speaking it does not come for free, but once you find a way (e.g. for iOS compiling with a specific Xcode version in a specific OS with some adjusted config) it is kind of doable (except that Apple encrypts your build server side for DRM purposes, so you'll need a jailbroken phone to do something about it).

For Signal there is an open issue here for iOS [1] and some documentation for Android [2]

Some nice work about it has already been done by Telegram: https://core.telegram.org/reproducible-builds

[1] https://github.com/signalapp/Signal-iOS/issues/641

[2] https://github.com/signalapp/Signal-Android/blob/fab24bcd1e5...


saurik|5 years ago

This has nothing to do with the comment you replied to, as you have no idea what software is running on their server, so what would it even mean to reproduce it in the first place? The correct answer is merely "the server never received much in the first place so it doesn't matter as much if they stored all of it".

dante_dev|5 years ago

Right, I think I messed up with the reply while I was reading other comments.