
Comments (9)

AndreasGassmann commented on June 8, 2024 (3)

No worries. It is unfortunate this happened, but alerting users to hold off with updating in such a case is exactly what your project should be doing.

I agree, there should be an automated way to make sure the APK is verifiable before we submit it to the Play Store. Let's have a chat about that in your repository.

from airgap-vault.

Giszmo commented on June 8, 2024 (1)

"it shouldn't add to your stress levels"

I agree, and I appreciate that you see it like that, but others don't, and with 165 wallet apps out there and none getting shunned over any such issue, less committed players get to attack me on Twitter without problem. Look how Samourai have tons of fan-boys despite them being hostile to any form of scrutiny and openly rejecting rebuildability.

I want to establish something with patience and therefore the top category is green despite there not being any wallet that has

  • an independent and solid bug bounty program
  • a commitment to decelerating their release process so security researchers can do their thing

I don't know how smaller and not-for-profit open source projects could live up to such standards, but without scrutiny, nobody should trust any wallet. I have some ideas on how to raise the bar further, but for now I hope to see more apps join the ranks of reproducible wallets.


AndreasGassmann commented on June 8, 2024

Hi, thanks for reaching out. That shouldn't be the case.

I'll investigate ASAP and get back to you.


Giszmo commented on June 8, 2024

It's 2am here. Sorry, I probably will not update the site without sleeping a bit first.
Also sorry for publishing such alerts without checking back with you, but it's kind of a race if the new release was bad, which I assume it is not, but just in principle. I worded the tweet carefully.

I hope we get to a point where new releases can get checked for rebuildability earlier. I'm still figuring out how that could best be done. I guess ideally projects would add the build with or without signature to their repo or another place where a script can easily find it. Then hopefully rebuild issues would get sorted out before Google approves the release.


AndreasGassmann commented on June 8, 2024

So I finally had time to look at this and I found 2 issues:

  1. We recently changed from using Cordova to Capacitor. While the main build still happens in Docker and doesn't have to be changed in your script, the replacement of the version number is now in a different place. I fixed that in this PR: https://gitlab.com/walletscrutiny/walletScrutinyCom/-/merge_requests/63

  2. Regarding the reproducibility of the latest version: it looks like the reason for this was a simple commit hash mixup. We created the tag for 3.3.0 a week ago when we submitted the APK to the Play Store, but we then found an issue with that release and created an updated version, which we released to the Play Store last Friday. I did not remember that we had already released the 3.3.0 tag, so that tag was referencing an old commit hash. I re-created the tag to point to the correct commit.

We'll try to improve the handling of tags/releases in the future, also regarding signing tags: #20

I hope that fixes the issue and you can update our status to reproducible again. :)


Giszmo commented on June 8, 2024

Thanks for the MR. It worked. Website is updated.

Please consider commenting on this issue in order to prevent such downtimes. I get stressed when I have to warn of rebuild issues, as they usually are not actually big issues. And some wallets react less relaxed than you guys, too, adding to the stress. I'd hope to get to a point where each wallet does the necessary changes to the test script before I or any rebuilder might get to deal with the new release, and ideally I would get the APK stripped of its signature as soon as it's built. This would be for later, when failed rebuilds trigger actual warnings to users that care. Now, nobody cares yet.

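The signature-stripped comparison that this comment asks for (compare the store-signed APK with an unsigned rebuild and ignore only the signing metadata), as an added example that is not code from this thread, from airgap-vault, or from WalletScrutiny. It drops the v1 signature entries under META-INF/ and reports every remaining entry whose content differs; the "signed release", "good rebuild" and "stale tag rebuild" APKs are constructed in memory and stand in for real artifacts. The stale-tag case mirrors the mixup described later in the thread, where a tag pointed at an older commit:

```python
# Added example (not code from the thread, airgap-vault or WalletScrutiny):
# compare a store-signed APK against an unsigned rebuild, ignoring only the
# signing metadata, and report every entry whose content differs.
import hashlib
import io
import zipfile

# v1 (JAR) signing adds these entries under META-INF/. They are the only
# files a signed release may legitimately have that an unsigned rebuild lacks.
# v2/v3 signatures live in the APK Signing Block outside the zip directory,
# so an entry-wise comparison never sees them at all.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def is_signature_entry(name: str) -> bool:
    """True for the manifest and signature files that the signer adds."""
    if not name.startswith("META-INF/"):
        return False
    return name == "META-INF/MANIFEST.MF" or name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(signed_apk: bytes, rebuilt_apk: bytes) -> dict:
    """Return {entry: (signed_digest, rebuilt_digest)} for every mismatch.

    An entry missing on one side shows up as None there. An empty dict means
    the rebuild reproduces the release content byte for byte, signature aside.
    """
    signed = content_digests(signed_apk)
    rebuilt = content_digests(rebuilt_apk)
    return {
        name: (signed.get(name), rebuilt.get(name))
        for name in sorted(set(signed) | set(rebuilt))
        if signed.get(name) != rebuilt.get(name)
    }


def build_apk(entries: dict) -> bytes:
    """Constructed sample input: an APK-shaped zip built in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample artifacts; none of this is real airgap-vault content.
APP_FILES = {
    "AndroidManifest.xml": b"<manifest versionName='3.3.0'/>",
    "classes.dex": b"dex\n035\x00constructed bytecode",
    "res/values.arsc": b"constructed resources",
}
SIGNED_RELEASE = build_apk({
    **APP_FILES,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82constructed pkcs7 blob",
})
# Rebuild from the commit the tag should point to: identical apart from the signature.
REBUILT_GOOD = build_apk(APP_FILES)
# Rebuild from a tag that still references an older commit: classes.dex differs.
REBUILT_STALE_TAG = build_apk({**APP_FILES, "classes.dex": b"dex\n035\x00older commit"})


def verdict(signed_apk: bytes, rebuilt_apk: bytes) -> str:
    """One-line result: 'reproducible' or the list of entries that differ."""
    diff = compare_apks(signed_apk, rebuilt_apk)
    if not diff:
        return "reproducible"
    return "not reproducible: " + ", ".join(diff)


if __name__ == "__main__":
    print("good rebuild :", verdict(SIGNED_RELEASE, REBUILT_GOOD))
    print("stale tag    :", verdict(SIGNED_RELEASE, REBUILT_STALE_TAG))
```

Only entry content is compared, deliberately: zip-level details such as entry order, timestamps and compression level are exactly the things a signing step or a different zip tool may legitimately change, while a differing `classes.dex` or resource file is what a user who cares about reproducibility needs to hear about.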

AndreasGassmann commented on June 8, 2024

Thanks for updating the website and we will comment on your issue.

EDIT: Maybe just to add to your comment. We are planning to integrate some kind of automatic step to make sure the build is reproducible. But I would consider it our responsibility to make sure our builds are verifiable in any case, so if they are not because of a build script change or a tag issue (like it was in our case), it shouldn't add to your stress levels, at least not from our side.


AndreasGassmann commented on June 8, 2024

I would definitely like to see how we can raise the bar even further. But you're probably right, first the wallets in the non-reproducible list should be convinced to make the effort to become reproducible.

One last thing, could you maybe send out another tweet saying that 3.3.0 is now reproducible?


Giszmo commented on June 8, 2024

"One last thing, could you maybe send out another tweet saying that 3.3.0 is now reproducible?"

Yes, sorry, I wanted to do that anyway. Multitasking ...
