
Please update your build instruction and make sure the app on Google Play can be reproduced #69

Open
Giszmo opened this issue Mar 5, 2021 · 4 comments

Comments

@Giszmo

Giszmo commented Mar 5, 2021

I just reviewed your app and failed to build it. The following review can also be found on WalletScrutiny.


This app is an open source Bitcoin wallet with most of its information to be
found not on their website but in the App description and on GitHub.

There they clearly claim:

Bither Cold Wallet
Features:

  1. Cold wallet running on offline mode (Backup phone).

and with an offline wallet, the private key clearly has to live exclusively on
that Cold Wallet phone, making the product a non-custodial wallet.

But can we reproduce the build?
There are build instructions. Let's see how that goes. Those instructions are from 2015 ...

$ git clone git@github.com:bither/bither-android.git --recursive
$ cd bither-android/

...

You must use gradle (v1.10)

... that's scary. v1.10 is from 2013. So as we
won't install gradle system-wide on version 1.10, we hop into docker now:

$ docker run --rm -v$PWD:/mnt --workdir=/mnt -it walletscrutiny/android bash
root@72c683aa390c:/mnt# apt update
root@72c683aa390c:/mnt# apt install gradle
root@72c683aa390c:/mnt# gradle wrapper
root@72c683aa390c:/mnt# sed -i 's/4.4.1/1.10/g' gradle/wrapper/gradle-wrapper.properties
root@72c683aa390c:/mnt# ./gradlew assembleRelease
Downloading https://services.gradle.org/distributions/gradle-1.10-bin.zip
......................................
Unzipping /root/.gradle/wrapper/dists/gradle-1.10-bin/948peyqp7eyfqxj7mcl7th1vs/gradle-1.10-bin.zip to /root/.gradle/wrapper/dists/gradle-1.10-bin/948peyqp7eyfqxj7mcl7th1vs
Set executable permissions for: /root/.gradle/wrapper/dists/gradle-1.10-bin/948peyqp7eyfqxj7mcl7th1vs/gradle-1.10/bin/gradle
To honour the JVM settings for this build a new JVM will be forked. Please consider using the daemon: http://gradle.org/docs/1.10/userguide/gradle_daemon.html.

FAILURE: Build failed with an exception.

* Where:
Build file '/mnt/build.gradle' line: 1

* What went wrong:
A problem occurred evaluating root project 'mnt'.
> org/gradle/initialization/BuildCompletionListener

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 3 mins 46.707 secs

Poking around we see:

root@72c683aa390c:/mnt# cat build.gradle
...
buildscript {
    ...
    dependencies {
        classpath 'com.android.tools.build:gradle:2.3.2'

and this gradle plugin
requires gradle 3.3+,
not 1.10. The build instructions are clearly lacking and this is where we give
up. This wallet is not verifiable.

To make matters worse, the app also uses proguard obfuscation:

root@72c683aa390c:/mnt# cat bither-android/build.gradle
...
android {
    ...
    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }

@emanuelb

emanuelb commented Apr 2, 2021

The build instructions at https://github.com/bither/bither-android/wiki/bulid-bither-android are wrong: there is no need for gradle v1.10, and it won't compile on JDK > 8.

Building the app works with gradle 4.10.3.

build with: podman build --rm -t bither_build_apk_alpine -f Containerfile.alpine

Containerfile.alpine:

FROM frolvlad/alpine-glibc

RUN set -ex; \
    apk update; \
    apk add --no-cache \
        git \
        openjdk8; \
    adduser -D appuser;

USER appuser

ENV ANDROID_HOME="/home/appuser/app/sdk/" \
    ANDROID_SDK_ROOT="/home/appuser/app/sdk"
    
RUN set -ex; \
    mkdir -p "/home/appuser/app/sdk/licenses" "/home/appuser/app/bither" "/home/appuser/app/gradle"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/app/sdk/licenses/android-sdk-license"; \
    cd /home/appuser/app/bither; \
    git clone --depth 1 https://github.com/bither/bither-android/; \
    cd /home/appuser/app/bither/bither-android/; \
    sed -i 's/git@github.com:/https:\/\/github.com\//g' /home/appuser/app/bither/bither-android/.gitmodules; \
    git submodule init; \
    git submodule update; \
    cd /home/appuser/app/gradle/; \
    wget https://services.gradle.org/distributions/gradle-4.10.3-bin.zip; \
    unzip gradle-4.10.3-bin.zip; \
    rm gradle-4.10.3-bin.zip;
    
RUN set -ex; \
    cd /home/appuser/app/bither/bither-android/; \
    /home/appuser/app/gradle/gradle-4.10.3/bin/gradle assembleRelease

The result is almost/kinda reproducible; there is a small diff in the classes.dex file.

Rebuilding on Debian gave the same result as Alpine above.

FROM debian:stretch-slim

RUN set -ex; \
    mkdir -p /usr/share/man/man1/; \
    apt-get update; \
    apt-get install --yes --no-install-recommends openjdk-8-jdk git wget unzip; \
    rm -rf /var/lib/apt/lists/*; \
    useradd -ms /bin/bash appuser;

USER appuser

ENV ANDROID_HOME="/home/appuser/app/sdk/" \
    ANDROID_SDK_ROOT="/home/appuser/app/sdk"
    
RUN set -ex; \
    mkdir -p "/home/appuser/app/sdk/licenses" "/home/appuser/app/bither" "/home/appuser/app/gradle"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/app/sdk/licenses/android-sdk-license"; \
    cd /home/appuser/app/bither; \
    git clone --depth 1 https://github.com/bither/bither-android/; \
    cd /home/appuser/app/bither/bither-android/; \
    sed -i 's/git@github.com:/https:\/\/github.com\//g' /home/appuser/app/bither/bither-android/.gitmodules; \
    git submodule init; \
    git submodule update; \
    cd /home/appuser/app/gradle/; \
    wget https://services.gradle.org/distributions/gradle-4.10.3-bin.zip; \
    unzip gradle-4.10.3-bin.zip; \
    rm gradle-4.10.3-bin.zip;
    
RUN set -ex; \
    cd /home/appuser/app/bither/bither-android/; \
    /home/appuser/app/gradle/gradle-4.10.3/bin/gradle assembleRelease

@emanuelb

emanuelb commented Apr 3, 2021

@zhenHH can you tell what environment was used to build the app on Google Play? On what OS? Using a script, or Android Studio, etc.?
As can be seen in https://gitlab.com/walletscrutiny/walletScrutinyCom/-/issues/161#note_544097616
it looks like the diff might be because of toolchain variations (different versions of installed deps, other OS, etc.).

@keraliss

Hey. I built your wallet. The build was successful, and we were able to generate the APK, but comparing the APK with the official version resulted in a huge diff. You can see the full review here.

Would love to hear your thoughts on how we can fix this!

@Giszmo

Giszmo commented Oct 9, 2024

I also checked this product and compiled it with a slightly modified (checkout v2.1.5, gradle assembleRelease) dockerfile compared to what @keraliss used. The diff was substantial and minified or in other words obfuscated. I would ask to either provide build instructions that allow for binary transparency or to at least not use minification.
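One way to pin down what the "small diff in classes.dex" and the "huge diff" above actually consist of, as an added example that is not part of this thread or of Bither's code: hash every entry of the store APK and the locally built APK (both are zip files), and report content differences separately from the META-INF signing-block entries, which a verifier without the vendor's key can never reproduce. The APK contents in the helper at the bottom are constructed stand-ins, not real Bither builds.

```python
import hashlib
import io
import zipfile

# Entries the rebuild can never match: the store APK's signing block is
# produced with the vendor's key, so these are reported separately.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signature_entry(name):
    return name.startswith("META-INF/") and name.endswith(SIG_SUFFIXES)

def entry_digests(apk_bytes):
    """Map each file entry in the APK (a zip) to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def compare_apks(official_bytes, rebuilt_bytes):
    """Classify every entry: identical, differs, only on one side, or signature."""
    a, b = entry_digests(official_bytes), entry_digests(rebuilt_bytes)
    report = {"identical": [], "differs": [], "only_official": [],
              "only_rebuilt": [], "signature": []}
    for name in sorted(set(a) | set(b)):
        if is_signature_entry(name):
            key = "signature"
        elif name not in b:
            key = "only_official"
        elif name not in a:
            key = "only_rebuilt"
        else:
            key = "identical" if a[name] == b[name] else "differs"
        report[key].append(name)
    return report

def is_reproducible(report):
    """Only signature entries may differ between the store APK and the rebuild."""
    return not (report["differs"] or report["only_official"] or report["only_rebuilt"])

def make_apk(entries):
    """Build a minimal zip in memory (constructed stand-in for a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

On a real comparison, pass the bytes of the Play Store APK and of the assembleRelease output to compare_apks; a differing classes.dex with everything else identical points at the compiler or minifier toolchain rather than at the sources.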
