Skip to content

Instantly share code, notes, and snippets.

@eriknylund
Last active September 20, 2021 04:14
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save eriknylund/d9cf18391e5f0717e398139b9ad9e7e1 to your computer and use it in GitHub Desktop.
Blockstream Green Android v3.7.1 reproducible build

General instructions

Reproducible build

  • Digital Ocean Debian 10 x64

Preparations

apt update && apt install -y git wget curl default-jdk android-sdk
export ANDROID_SDK_ROOT=/usr/lib/android-sdk
echo -e "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "$ANDROID_SDK_ROOT/licenses/android-sdk-license"

export GIT_TAG=release_3.7.1
git clone -b $GIT_TAG --depth 1 https://github.com/Blockstream/green_android.git
java -version

Build!

pushd green_android
./gradlew build
popd

Verify released signed binary

wget https://github.com/Blockstream/green_android/releases/download/$GIT_TAG/SHA256SUMS.asc
wget https://github.com/Blockstream/green_android/releases/download/$GIT_TAG/BlockstreamGreen-v3.7.1-production-release.apk

mdkir signed
unzip BlockstreamGreen-v3.7.1-production-release.apk -d signed
keytool -printcert -file signed/META-INF/GREENADD.RSA

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 04BEBF2E35A2AF2FFDF1FA5DE7F054AA2E76E792
shasum -a 256 --check SHA256SUMS.asc

gpg --verify SHA256SUMS.asc

Diff with unsigned built binary

mkdir unsigned
unzip green_android/green/build/outputs/apk/production/release/BlockstreamGreen-v3.7.1-production-release-unsigned.apk -d unsigned

# Now if all match, the only diff should be the three files generated inside META-INF that are added when signing the APK: GREENADD.RSA, GREENADD.SF and MANIFEST.MF
diff -r signed/ unsigned/

# The hash seems to also appear in SHASUM256.asc under the file named tmp_.apk, let's try it!
cp green_android/green/build/outputs/apk/production/release/BlockstreamGreen-v3.7.1-production-release-unsigned.apk tmp_.apk

# Here's a green hash for ya!
shasum -a 256 --check SHA256SUMS.asc

Video

https://youtu.be/Lm346QcHkf4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment