top | item 26034821

(no title)

vaduz | 5 years ago

Reproducible builds do not help to determine if the version you download via the Play Store (or, for those on enterprise devices, any pre-installed corporate stores) is the same as you build - Play Store presents no real means to verify that. This includes any auto-updates if they are enabled.

It's an issue with Play Store as a delivery channel, the individual app in question can't do much about that.

Reproducible builds help if you: - download the APK separately (includng from the Signal website, or some of the other sources) - install the file locally via sideload - disable updates (!)

discuss

tprynn|5 years ago

The instructions posted by the dev directly include instructions for pulling the APK from your phone which was installed through the Play Store.

https://github.com/signalapp/Signal-Android/tree/master/repr...