Leo Wandersleb on Nostr: To say, APKs can never be reproducible because of the signature is disingenuous. ...
To say, APKs can never be reproducible because of the signature is disingenuous. Reproducible builds are about binary transparency, and while technically you could argue whether an app is reproducible when the provider packed a signature into the file and you managed to reproduce all but these 64B, it's a moot point, as the important part is the binary transparency of the executable code.
Now you could say that the signature might contain evil code, right? Then the rest of the app would still need to invoke that code. So yes, maybe there is a backdoor in the signature, but as long as the signature is exclusively used as a signature, it won't work as a backdoor. And if some part of the app uses its signature in some creative non-signature way, auditors should scream foul regardless of what the signature is.
The other problem with relaxing the definition of reproducibility is the package format. In Android, APK files are basically zip files but not quite. APK uses zip compression but also has extra data like the signature itself. But absent a flaw in the operating system, that extra data is not available to the app during runtime, so binary transparency is possible under some assumptions.
Published at 2024-09-22 18:57:42
Event JSON
{
"id": "e0b164957080af2c268193458c6c790fd6ed54d517c97d75b5def838c4759657",
"pubkey": "46fcbe3065eaf1ae7811465924e48923363ff3f526bd6f73d7c184b16bd8ce4d",
"created_at": 1727031462,
"kind": 1,
"tags": [
[
"e",
"526dadcc2079b95df7b31239c17db4a5802086c1c4755969d0ee679604672e41",
"",
"root"
],
[
"e",
"023631e0848b6db56a3e9021729558b1275425dbf526215794c17800ec47e46e",
"",
"reply"
],
[
"p",
"aac07d95089ce6adf08b9156d43c1a4ab594c6130b7dcb12ec199008c5819a2f",
"",
"mention"
],
[
"p",
"3ba9b8cf58082bd37eec18455b26bb04a47f4a8e835ac18c7ea4348673ee1623",
"",
"mention"
],
[
"client",
"noStrudel",
"31990:266815e0c9210dfa324c6cba3573b14bee49da4209a9456f9484e5106cd408a5:1686066542546"
]
],
"content": "To say, APKs can never be reproducible because of the signature is disingenuous. Reproducible builds are about binary transparency and while technically you could argue if an app is reproducible when the provider packed a signature into the file and you managed to reproduce all but these 64B, it's a moot point as the important part is the binary transparency of the executable code.\n\nNow you could say that the signature might contain evil code, right? Then the rest of the app would still need to invoke that code. So yes, maybe there is a backdoor in the signature but as long as the signature is exclusively uses as signature, it won't work as a backdoor. And if some part of the app uses its signature in some creative non-signature way, auditors should scream foul regardless of what the signature is.\n\nThe other problem with relaxing the definition of reproducibility is the package format. In Android, APK files are basically zip files but not quite. APK uses zip compression but also has extra data like the signature itself. But absent a flaw in the operating system, that extra data is not available to the app during runtime, so binary transparency is possible under some assumptions.",
"sig": "b413c4d139ea396c36326ba775bdca8ed603498258910b395e0b780beffd46125ae65d1ff822deeff6b548166084809135ac306758bf8584fc48b4abf621cbbe"
}
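The comparison the post argues for, as an added example (this is not code from the post's author or from any project he mentions): treat an APK as a zip whose executable content is its entries, set aside the v1 (JAR) signature files under META-INF/ and the v2/v3 APK Signing Block that sits between the last zip entry and the central directory, and diff what remains. The signing block parsing follows Android's documented layout (u64 size, ID/value pairs, u64 size, the 16-byte magic "APK Sig Block 42"); the two sample archives, the placeholder signature bytes and the tampered variant are all constructed in memory, and the EOCD parser assumes an empty archive comment, which holds for the archives built here.

```python
"""Compare two APKs with their signatures set aside (added example, not the post's code)."""
from __future__ import annotations

import hashlib
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"           # trailer of the APK Signing Block
V2_SIGNATURE_ID = 0x7109871A                    # block ID used by the v2 signature scheme
V1_SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def _eocd(data: bytes) -> tuple[int, int, int]:
    """Return (eocd_offset, central_dir_size, central_dir_offset).
    Assumes an empty archive comment, so the EOCD record is the last 22 bytes."""
    pos = len(data) - 22
    if pos < 0 or data[pos:pos + 4] != b"PK\x05\x06":
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
    return pos, cd_size, cd_offset


def signing_block(data: bytes) -> bytes | None:
    """Return the raw APK Signing Block if one sits immediately before the central directory."""
    _, _, cd_offset = _eocd(data)
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return None
    # Layout: [size u64][id/value pairs][size u64][magic]; size excludes the leading u64.
    (size,) = struct.unpack_from("<Q", data, cd_offset - 24)
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("malformed APK Signing Block")
    return data[start:cd_offset]


def is_v1_signature(name: str) -> bool:
    """MANIFEST.MF plus the .SF and .RSA/.DSA/.EC files under META-INF/ form a v1 signature."""
    return name.startswith("META-INF/") and (
        name == "META-INF/MANIFEST.MF" or name.upper().endswith(V1_SIG_SUFFIXES)
    )


def code_entries(data: bytes) -> dict[str, str]:
    """Map each non-signature entry to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not is_v1_signature(info.filename)}


def compare_apks(published: bytes, rebuilt: bytes) -> dict:
    """Report whether code and resources match once both kinds of signature are ignored."""
    a, b = code_entries(published), code_entries(rebuilt)
    return {
        "content_matches": a == b,
        "only_in_published": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "published_has_sig_block": signing_block(published) is not None,
        "rebuilt_has_sig_block": signing_block(rebuilt) is not None,
    }


# ---- constructed sample archives: stand-ins, not real APK content or keys ----

def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def insert_signing_block(data: bytes, pairs: list[tuple[int, bytes]]) -> bytes:
    """Wedge an APK Signing Block between the entries and the central directory and
    patch the EOCD's central-directory offset so zip readers still find the directory."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16                      # pairs + trailing size + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    eocd, _, cd_offset = _eocd(data)
    eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + eocd_rec


APP = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + bytes(range(64)),
    "res/values/strings.xml": b"<resources/>",
}
V1_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"placeholder, not a real PKCS#7 blob",
}
# 64 zero bytes stand in for the v2 signature; the point is where the block lives, not its value.
PUBLISHED = insert_signing_block(build_zip({**APP, **V1_FILES}), [(V2_SIGNATURE_ID, b"\x00" * 64)])
REBUILT = build_zip(APP)
TAMPERED = build_zip({**APP, "classes.dex": APP["classes.dex"] + b"\x90"})

if __name__ == "__main__":
    for label, other in (("rebuilt", REBUILT), ("tampered", TAMPERED)):
        print(label, compare_apks(PUBLISHED, other))
```

Against the rebuilt archive the report says the content matches even though only the published file carries META-INF signature files and a signing block; against the tampered one it names classes.dex as changed. The signing block is not a zip entry at all, which is why `code_entries` never sees it, and why a tool that only diffs zip members will silently ignore a block of any size unless it also runs `signing_block` and decides what to do with it.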