App on Google Play can't be verified

Open Giszmo opened this issue 6 years ago • 14 comments

At the time of writing this article your app was not verifiable. Please help make your app verifiable for outside developers and let me know when you think it's worth reviewing your wallet again!

Giszmo avatar Dec 14 '19 01:12 Giszmo

3.5 months later ... how is it going? No plan to make your wallet secure against the release manager being put under duress?

Giszmo avatar Mar 29 '20 00:03 Giszmo

+1 for making the wallet fully open source and buildable on Android. This will allow people to verify the code to ensure it is truly a private wallet and this can allow the app to be added onto F-Droid!

trymeouteh avatar Jan 02 '21 17:01 trymeouteh

@trymeouteh Thanks for the kudos. Much appreciated

paullinator avatar Jan 02 '21 18:01 paullinator

@Giszmo Can you more precisely specify what you are requesting with respect to the app being verifiable?

paullinator avatar Jan 02 '21 19:01 paullinator

The app was reviewed more than a year ago and back then, the complaint was basically the lack of clear build instructions. If you claim the binary from Google Play can be rebuilt from the public source code, I'll happily look into this again.

Just as a quick check, I compared the version from Google Play (1.19.0) with tags here in the repo and can't find a higher tag than 1.17.5, so that to me looks like "not reproducible" is still the right verdict.

Giszmo avatar Jan 03 '21 03:01 Giszmo

Currently use NODE_ENV="development" until issue #2611 is fixed, or the replacement needed (patch file) is done in the container itself. Also, the Containerfile below doesn't run ./scripts/updateVersion.js as explained in (which might be needed): https://github.com/EdgeApp/edge-react-gui#build-release-version-of-app

which will fail with:

env: can't execute 'node -r sucrase/register': No such file or directory

Installing the deps can be done by:

yarn add disklet cleaners sucrase

or

npm install -g --save-dev disklet cleaners sucrase

https://github.com/EdgeApp/edge-react-gui/blob/6de5ffa7761ab36201f8e5823072b7b2e0673a91/Jenkinsfile#L37

Just need to ensure it's found by the script when it's called.

build:
podman build --pull --rm -t edge_build_2013_apk -f ContainerFile2013

run:
podman run --rm --name edge_build_2013_apk -ti edge_build_2013_apk

APK in:
/home/appuser/app/edge/edge-react-gui-v.2.0.13/android/app/build/outputs/apk/release/app-release.apk

FROM frolvlad/alpine-glibc

RUN set -ex; \
    apk update; \
    apk add --no-cache \
        git \
        npm \
        yarn \
        openjdk8; \
    adduser -D appuser;

USER appuser

ENV NODE_ENV="development" \
    ANDROID_SDK_ROOT="/home/appuser/app/sdk/" \
    ANDROID_HOME="/home/appuser/app/sdk/"

RUN set -ex; \
    mkdir -p "/home/appuser/app/sdk/licenses" "/home/appuser/app/edge" "/home/appuser/app/edgeUpstreamAPK"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/app/sdk/licenses/android-sdk-license"; \
    cd /home/appuser/app/edgeUpstreamAPK; \
    wget https://edge.app/app; \
    unzip app; \
    cd /home/appuser/app/edge/; \
    wget https://github.com/EdgeApp/edge-react-gui/archive/refs/tags/v.2.0.13.zip; \
    sha256sum v.2.0.13.zip; \
    unzip v.2.0.13.zip; \
    rm v.2.0.13.zip; \
    git clone https://github.com/EdgeApp/edge-react-gui/; \
    cd /home/appuser/app/edge/edge-react-gui/;

WORKDIR /home/appuser/app/edge/

RUN set -ex; \
    cd edge-react-gui-v.2.0.13; \
    sed -i 's/bin\/bash/bin\/sh/g' ./postinstall.sh; \
    yarn install --frozen-lockfile --ignore-optional --ignore-scripts; \
    yarn postinstall; \
    yarn prepare; \
    cp /home/appuser/app/edgeUpstreamAPK/res/raw/env.json ./env.json; \
    cd android; \
    ./gradlew assembleRelease

compared to APK from: https://edge.app/app

Files ./LocalBuild/AndroidManifest.xml and ./FromSite/AndroidManifest.xml differ
Files ./LocalBuild/assets/edge-core/plugin-bundle.js and ./FromSite/assets/edge-core/plugin-bundle.js differ
Files ./LocalBuild/assets/edge-core/plugin-bundle.js.map and ./FromSite/assets/edge-core/plugin-bundle.js.map differ
Files ./LocalBuild/assets/index.android.bundle and ./FromSite/assets/index.android.bundle differ
Files ./LocalBuild/classes2.dex and ./FromSite/classes2.dex differ
Files ./LocalBuild/classes.dex and ./FromSite/classes.dex differ
Files ./LocalBuild/lib/arm64-v8a/libcrypto_bridge.so and ./FromSite/lib/arm64-v8a/libcrypto_bridge.so differ
Files ./LocalBuild/lib/arm64-v8a/libmymonero-jni.so and ./FromSite/lib/arm64-v8a/libmymonero-jni.so differ
Files ./LocalBuild/lib/armeabi-v7a/libcrypto_bridge.so and ./FromSite/lib/armeabi-v7a/libcrypto_bridge.so differ
Files ./LocalBuild/lib/armeabi-v7a/libmymonero-jni.so and ./FromSite/lib/armeabi-v7a/libmymonero-jni.so differ
Files ./LocalBuild/lib/x86/libcrypto_bridge.so and ./FromSite/lib/x86/libcrypto_bridge.so differ
Files ./LocalBuild/lib/x86/libmymonero-jni.so and ./FromSite/lib/x86/libmymonero-jni.so differ
Files ./LocalBuild/lib/x86_64/libcrypto_bridge.so and ./FromSite/lib/x86_64/libcrypto_bridge.so differ
Files ./LocalBuild/lib/x86_64/libmymonero-jni.so and ./FromSite/lib/x86_64/libmymonero-jni.so differ
Files ./LocalBuild/META-INF/CERT.RSA and ./FromSite/META-INF/CERT.RSA differ
Files ./LocalBuild/META-INF/CERT.SF and ./FromSite/META-INF/CERT.SF differ
Files ./LocalBuild/META-INF/MANIFEST.MF and ./FromSite/META-INF/MANIFEST.MF differ
Files ./LocalBuild/resources.arsc and ./FromSite/resources.arsc differ

A diffoscope should be run on both files to see what the diffs are.

emanuelb avatar Jun 22 '21 05:06 emanuelb
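
The file-level comparison above, as an added example (not part of the original comment or the Edge project's code): it hashes every entry of two APKs and reports signing metadata under META-INF separately from content differences, since a third-party rebuild cannot carry the publisher's signature. The helper names and the in-memory sample APKs are constructed for illustration.

```python
import hashlib
import io
import zipfile

# JAR-signing (v1) metadata. The signature block needs the publisher's key, and
# MANIFEST.MF / *.SF restate digests of other entries, so triage them separately.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "/MANIFEST.MF")

def is_signing_entry(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES)

def entry_digests(apk):
    """Map every entry of an APK (path or file object) to its SHA-256."""
    with zipfile.ZipFile(apk) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def compare_apks(rebuilt, upstream):
    """Classify differences between a local rebuild and the published APK."""
    a, b = entry_digests(rebuilt), entry_digests(upstream)
    report = {"signing": [], "changed": [], "only_rebuilt": [], "only_upstream": []}
    for name in sorted(a.keys() | b.keys()):
        if a.get(name) == b.get(name):
            continue
        key = ("signing" if is_signing_entry(name) else
               "only_rebuilt" if name not in b else
               "only_upstream" if name not in a else "changed")
        report[key].append(name)
    # Reproducible means nothing outside the signing metadata differs.
    report["reproducible"] = not any(report[k] for k in report if k != "signing")
    return report

def make_apk(entries):
    """Constructed sample: an in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

# Constructed samples (not real APK contents): two builds that differ in code,
# and a third that differs from the published one only in its signature.
SHARED = {"resources.arsc": b"res", "lib/x86/libmymonero-jni.so": b"elf"}
LOCAL = make_apk({**SHARED, "classes.dex": b"local", "META-INF/CERT.RSA": b"key-a"})
SITE = make_apk({**SHARED, "classes.dex": b"site", "META-INF/CERT.RSA": b"key-b"})
RESIGNED = make_apk({**SHARED, "classes.dex": b"site", "META-INF/CERT.RSA": b"key-c"})

if __name__ == "__main__":
    print(compare_apks(LOCAL, SITE))
    print(compare_apks(RESIGNED, SITE))
```

Entries are compared by content only, so ZIP ordering, timestamps and the APK Signing Block (v2 and later signatures) are outside what this checks. diffoscope, which the comment suggests, shows what changed inside each differing file.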

Latest version v2.12.0 can be built with Containerfile below:

build:
podman build --rm -t edge_build_apk -f ContainerFileAlpine

APK in:
/home/appuser/app/edge/edge-react-gui/android/app/build/outputs/apk/release/app-release.apk

FROM frolvlad/alpine-glibc

RUN set -ex; \
    apk update; \
    apk add --no-cache \
        git \
        npm \
        yarn \
        openjdk11; \
    adduser -D appuser;
    
USER appuser

ENV NODE_ENV="development" \
    ANDROID_SDK_ROOT="/home/appuser/app/sdk/" \
    ANDROID_HOME="/home/appuser/app/sdk/"

RUN set -ex; \
    mkdir -p "/home/appuser/app/sdk/licenses" "/home/appuser/app/edge" "/home/appuser/app/edgeUpstreamAPK"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/app/sdk/licenses/android-sdk-license"; \
    cd /home/appuser/app/edgeUpstreamAPK; \
    wget https://edge.app/app; \
    unzip app; \
    cd /home/appuser/app/edge/; \
    git clone https://github.com/EdgeApp/edge-react-gui/; \
    cd /home/appuser/app/edge/edge-react-gui/;

WORKDIR /home/appuser/app/edge/

RUN set -ex; \
    cd edge-react-gui; \
    git checkout v2.12.0; \
    yarnpkg install --frozen-lockfile --ignore-optional --ignore-scripts; \
    yarnpkg prepare; \
    cp /home/appuser/app/edgeUpstreamAPK/res/raw/env.json ./env.json; \
    cd android; \
    ./gradlew assembleRelease

compared to APK from: https://edge.app/app

Files ./edgeRebuild/AndroidManifest.xml and ./edgeUpstreamAPK/AndroidManifest.xml differ
Files ./edgeRebuild/assets/index.android.bundle and ./edgeUpstreamAPK/assets/index.android.bundle differ
Files ./edgeRebuild/classes.dex and ./edgeUpstreamAPK/classes.dex differ
Files ./edgeRebuild/classes2.dex and ./edgeUpstreamAPK/classes2.dex differ
Files ./edgeRebuild/classes3.dex and ./edgeUpstreamAPK/classes3.dex differ
Files ./edgeRebuild/classes4.dex and ./edgeUpstreamAPK/classes4.dex differ
Files ./edgeRebuild/lib/arm64-v8a/libcrypto_bridge.so and ./edgeUpstreamAPK/lib/arm64-v8a/libcrypto_bridge.so differ
Files ./edgeRebuild/lib/arm64-v8a/libedge-core-jni.so and ./edgeUpstreamAPK/lib/arm64-v8a/libedge-core-jni.so differ
Files ./edgeRebuild/lib/arm64-v8a/libmymonero-jni.so and ./edgeUpstreamAPK/lib/arm64-v8a/libmymonero-jni.so differ
Files ./edgeRebuild/lib/arm64-v8a/librenderscript-toolkit.so and ./edgeUpstreamAPK/lib/arm64-v8a/librenderscript-toolkit.so differ
Files ./edgeRebuild/lib/armeabi-v7a/libcrypto_bridge.so and ./edgeUpstreamAPK/lib/armeabi-v7a/libcrypto_bridge.so differ
Files ./edgeRebuild/lib/armeabi-v7a/libedge-core-jni.so and ./edgeUpstreamAPK/lib/armeabi-v7a/libedge-core-jni.so differ
Files ./edgeRebuild/lib/armeabi-v7a/libmymonero-jni.so and ./edgeUpstreamAPK/lib/armeabi-v7a/libmymonero-jni.so differ
Files ./edgeRebuild/lib/armeabi-v7a/librenderscript-toolkit.so and ./edgeUpstreamAPK/lib/armeabi-v7a/librenderscript-toolkit.so differ
Files ./edgeRebuild/lib/x86/libcrypto_bridge.so and ./edgeUpstreamAPK/lib/x86/libcrypto_bridge.so differ
Files ./edgeRebuild/lib/x86/libedge-core-jni.so and ./edgeUpstreamAPK/lib/x86/libedge-core-jni.so differ
Files ./edgeRebuild/lib/x86/libmymonero-jni.so and ./edgeUpstreamAPK/lib/x86/libmymonero-jni.so differ
Files ./edgeRebuild/lib/x86/librenderscript-toolkit.so and ./edgeUpstreamAPK/lib/x86/librenderscript-toolkit.so differ
Files ./edgeRebuild/lib/x86_64/libcrypto_bridge.so and ./edgeUpstreamAPK/lib/x86_64/libcrypto_bridge.so differ
Files ./edgeRebuild/lib/x86_64/libedge-core-jni.so and ./edgeUpstreamAPK/lib/x86_64/libedge-core-jni.so differ
Files ./edgeRebuild/lib/x86_64/libmymonero-jni.so and ./edgeUpstreamAPK/lib/x86_64/libmymonero-jni.so differ
Files ./edgeRebuild/lib/x86_64/librenderscript-toolkit.so and ./edgeUpstreamAPK/lib/x86_64/librenderscript-toolkit.so differ
Files ./edgeRebuild/resources.arsc and ./edgeUpstreamAPK/resources.arsc differ

emanuelb avatar Mar 12 '22 18:03 emanuelb

I tried for the latest release - 2.25.0 and failed to build from source. I used this container file:

FROM frolvlad/alpine-glibc

RUN set -ex; \
    apk update; \
    apk add --no-cache \
        git \
        npm \
        yarn \
        openjdk11; \
    adduser -D appuser;
    
USER appuser

ENV NODE_ENV="development" \
    ANDROID_SDK_ROOT="/home/appuser/app/sdk/" \
    ANDROID_HOME="/home/appuser/app/sdk/"

RUN set -ex; \
    mkdir -p "/home/appuser/app/sdk/licenses" "/home/appuser/app/edge"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/app/sdk/licenses/android-sdk-license"; \
    cd /home/appuser/app/edge/; \
    git clone https://github.com/EdgeApp/edge-react-gui/; \
    cd /home/appuser/app/edge/edge-react-gui/;

WORKDIR /home/appuser/app/edge/

RUN set -ex; \
    cd edge-react-gui; \
    git checkout v2.25.0; \
    yarnpkg install --frozen-lockfile --ignore-optional --ignore-scripts; \
    yarnpkg prepare; \
    cd android; \
    ./gradlew assembleRelease

(same as Emanuel's but without the download of the app and with updated version)

and got this build error:

> Task :bugsnag_react-native:compileReleaseKotlin
w: /home/appuser/app/edge/edge-react-gui/node_modules/@bugsnag/react-native/android/src/main/java/com/bugsnag/android/BugsnagReactNative.kt: (204, 48): Elvis operator (?:) always returns the left operand of non-nullable type ReadableMap

> Task :bugsnag_react-native:javaPreCompileRelease
> Task :disklet:generateReleaseBuildConfig

> Task :bugsnag_react-native:compileReleaseJavaWithJavac FAILED
/home/appuser/app/edge/edge-react-gui/node_modules/@bugsnag/react-native/android/src/main/java/com/bugsnag/android/BugsnagPackage.java:1: error: cannot access com.bugsnag.android
package com.bugsnag.android;
^
  /home/appuser/.gradle/caches/transforms-3/db229a6e5f4fe0ba69c000c5a66ca523/transformed/swiperefreshlayout-1.0.0-api.jar: No file descriptors available
/home/appuser/app/edge/edge-react-gui/node_modules/@bugsnag/react-native/android/build/generated/source/buildConfig/release/com/bugsnag/reactnative/BuildConfig.java:4: error: cannot access com.bugsnag.reactnative
package com.bugsnag.reactnative;
^
  /home/appuser/.gradle/caches/transforms-3/db229a6e5f4fe0ba69c000c5a66ca523/transformed/swiperefreshlayout-1.0.0-api.jar: No file descriptors available
2 errors

FAILURE: Build failed with an exception.

Giszmo avatar Nov 02 '22 16:11 Giszmo

There is a Jenkinsfile in repo that likely can be used to build the app (also looks like it used to generate the apk) https://github.com/EdgeApp/edge-react-gui/blob/67e9597452cac52aa7062126d4f2713a3120fe22/Jenkinsfile

Also app latest version 3.6.0 can be compiled with Containerfile below:

FROM frolvlad/alpine-glibc

RUN set -ex; \
    apk update; \
    apk add --no-cache \
        git \
        npm \
        yarn \
        openjdk11; \
    adduser -D appuser; \
    mkdir -p "/Users/jenkins/.jenkins/workspace/Edge_edge-react-gui_master/"; \
    chown -R appuser:appuser /Users/;
    
USER appuser

ENV NODE_ENV="development" \
    ANDROID_SDK_ROOT="/home/appuser/sdk/" \
    ANDROID_HOME="/home/appuser/sdk/" \
    AIRBITZ_API_KEY="74591cbad4a4938e0049c9d90d4e24091e0d4070" \
    BUGSNAG_API_KEY="5aca2dbe708503471d8137625e092675" \
    NODE_OPTIONS=--openssl-legacy-provider

RUN set -ex; \
    mkdir -p "/home/appuser/sdk/licenses"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/sdk/licenses/android-sdk-license"; \
    cd /Users/jenkins/.jenkins/workspace/Edge_edge-react-gui_master/; \
    git clone --branch v3.6.0 --depth 1 --no-tags --single-branch https://github.com/EdgeApp/edge-react-gui/ . ; 

WORKDIR /Users/jenkins/.jenkins/workspace/Edge_edge-react-gui_master/

# Set versionCode, versionName and the Bugsnag BUILD_UUID explicitly, disable the
# React Native mapping upload, install dependencies, then write the API keys into env.json.
RUN set -ex; \
    sed -i "s/versionCode 21000000/versionCode 23032902/g" android/app/build.gradle; \
    sed -i 's/versionName "99.99.99"/versionName "3.6.0"/g' android/app/build.gradle; \
    sed -i "s/uploadReactNativeMappings = true/uploadReactNativeMappings = false/g" android/app/build.gradle; \
    sed -i '/^\s*<\/application>\s*/i <meta-data android:name="com.bugsnag.android.BUILD_UUID" android:value="fd7bc623-0f99-40f8-b23d-527c1483d077"/>' android/app/src/main/AndroidManifest.xml; \
    sed -i 's/BUGSNAG_API_KEY/5aca2dbe708503471d8137625e092675/g' android/app/src/main/AndroidManifest.xml; \
    yarnpkg install --frozen-lockfile --ignore-scripts; \
    yarnpkg prepare; \
    sed -i 's/AIRBITZ_API_KEY": "/AIRBITZ_API_KEY": "74591cbad4a4938e0049c9d90d4e24091e0d4070/g' env.json; \
    sed -i 's/BUGSNAG_API_KEY": "/BUGSNAG_API_KEY": "5aca2dbe708503471d8137625e092675/g' env.json

# Build the universal release APK without the assembleRelease upload step.
RUN set -ex; \
    cd /Users/jenkins/.jenkins/workspace/Edge_edge-react-gui_master/android/; \
    ./gradlew packageReleaseUniversalApk

Opened issues from comparing it to apk from website:

  1. Add static value for BUILD_UUID (or at least declare it) in AndroidManifest to avoid ordering differences #4145
  2. Static versionCode & versionName instead of updated for each tag #4146

There is more investigation that needs to be done on the diff to figure out what should be changed in the build script.

emanuelb avatar Apr 21 '23 22:04 emanuelb

I just tried to reproduce version 3.20.0 and got a huge diff. The bugsnag api key is needed when using the build instructions for an Android release with ./gradlew assembleRelease and as I'm reluctant to apply it to fix the failed upload to Edge's bugsnag account, I'm using ./gradlew packageReleaseUniversalApk which doesn't error out on a missing api key.

The api keys kind of floating around like they do while the app is not reproducible is unfortunate and I would really appreciate if you could provide a non-default branch for reproducibility that actually contains the api keys.

Giszmo avatar Nov 02 '23 00:11 Giszmo