Blockstream Green Android v3.7.1 reproducible build

blockstream-green-android-v3.7.1-repro.md

General instructions

• https://github.com/Blockstream/green_android
• https://github.com/Blockstream/green_android/blob/master/BUILD.md
• https://gitlab.com/walletscrutiny/walletScrutinyCom/blob/master/test.sh

Reproducible build

• Digital Ocean Debian 10 x64

Preparations

apt update && apt install -y git wget curl default-jdk android-sdk
export ANDROID_SDK_ROOT=/usr/lib/android-sdk
echo -e "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "$ANDROID_SDK_ROOT/licenses/android-sdk-license"

export GIT_TAG=release_3.7.1
git clone -b $GIT_TAG --depth 1 https://github.com/Blockstream/green_android.git
java -version

Build!

pushd green_android
./gradlew build
popd

Verify released signed binary

wget https://github.com/Blockstream/green_android/releases/download/$GIT_TAG/SHA256SUMS.asc
wget https://github.com/Blockstream/green_android/releases/download/$GIT_TAG/BlockstreamGreen-v3.7.1-production-release.apk

mdkir signed
unzip BlockstreamGreen-v3.7.1-production-release.apk -d signed
keytool -printcert -file signed/META-INF/GREENADD.RSA

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 04BEBF2E35A2AF2FFDF1FA5DE7F054AA2E76E792
shasum -a 256 --check SHA256SUMS.asc

gpg --verify SHA256SUMS.asc

Diff with unsigned built binary

mkdir unsigned
unzip green_android/green/build/outputs/apk/production/release/BlockstreamGreen-v3.7.1-production-release-unsigned.apk -d unsigned

# Now if all match, the only diff should be the three files generated inside META-INF that are added when signing the APK: GREENADD.RSA, GREENADD.SF and MANIFEST.MF
diff -r signed/ unsigned/

# The hash seems to also appear in SHASUM256.asc under the file named tmp_.apk, let's try it!
cp green_android/green/build/outputs/apk/production/release/BlockstreamGreen-v3.7.1-production-release-unsigned.apk tmp_.apk

# Here's a green hash for ya!
shasum -a 256 --check SHA256SUMS.asc

Video

https://youtu.be/Lm346QcHkf4