I heard that you can check via a hash code whether the Signal open source code is the same code as the App Store code. Is this true? Does someone have more information about this?

  • riccardo
    7
    2 years ago

    The Android app has allowed reproducible builds since 2016:

    As of our latest Android release, Signal builds are reproducible. Reproducible builds help to verify that the source code in our GitHub repository is the exact source code used to build the compiled Signal APK being distributed through Google Play.

    Anyway:

    Remaining Work

    Reproducible builds for Java are simple, but the Signal Android codebase includes some native shared libraries that we employ for voice calls (WebRTC, etc). At the time this native code was added, there was no Gradle NDK support yet, so the shared libraries aren’t compiled with the project build.

    Getting the Gradle NDK support set up and making its output reproducible will likely be more difficult.

    No idea if progress has been made on the native shared libraries, but there is probably more info about this in their reproducible builds readme.

    I don’t think this is available for the iOS app (there is an open issue on GitHub about this).

      • VostronixOP
        12 years ago

        Telegram is a reproducible build, just on Android or also in iOS

      • @xarvos
        12 years ago

        I mean, the code is on the server, you can’t know if they’re really using the same source code anyway

        • VostronixOP
          12 years ago

          But it is E2E, so it should be fine.

    • VostronixOP
      12 years ago

      Ohh, nice to see there is something like this. Thx for the info :)

  • @TheAnonymouseJokerM
    -22 years ago

    Long hashes like SHA-256 or SHA-512 are quite good for binary verification. Reproducible builds as noted by top commenter are also helpful, if possible.