The following Analysis is not a full code review! We plan to make code reviews available in the future, but even then it will never be a stamp of approval but rather a list of incidents and questionable coding practices. NASA sends probes to space that crash due to software bugs despite a huge budget and stringent scrutiny.
Do your own research!
Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.
The Analysis
4.1.5 appeared on Play Store. Let’s see if that is also reproducible. For us, that version is still not available, so we again go with the direct download from their website and check if that’s the same as what Google distributes later.
```
$ git clone https://github.com/spesmilo/electrum
$ cd electrum/
$ git checkout 4.1.5
$ wget https://download.electrum.org/4.1.5/Electrum-184.108.40.206-arm64-v8a-release.apk
$ wget https://download.electrum.org/4.1.5/Electrum-220.127.116.11-armeabi-v7a-release.apk
```
… and now we are supposed to run contrib/android/build.sh, which has 68 lines of code and calls contrib/build_tools_util.sh with its 154 lines of code.
That’s a bit too much, as we want to automate reproducibility testing and don’t want to run “random” code on our infrastructure, with root privileges even. We filed an issue to adjust the build instructions accordingly, but it appears to be easy enough to build without running the above scripts at all:
```
$ cp contrib/deterministic-build/requirements-build-android.txt contrib/android/
$ docker build -t electrum-android-builder-img contrib/android/
$ docker run -it --rm \
    --name electrum-android-builder-cont \
    --volume $PWD:/home/user/wspace/electrum \
    --volume $PWD/.buildozer/.gradle:/home/user/.gradle \
    --workdir /home/user/wspace/electrum electrum-android-builder-img \
    /bin/bash -c "./contrib/android/make_apk release-unsigned"
...
💬 INFO: done.
total 66024
drwxr-xr-x  2 user user     4096 Jul 20 01:04 .
drwxrwxr-x 10 user user     4096 Jul 20 01:04 ..
-rw-r--r--  1 user user 22344714 Jul 20 01:04 Electrum-18.104.22.168-arm64-v8a-release-unsigned.apk
-rw-r--r--  1 user user 22228447 Jul 20 01:04 Electrum-22.214.171.124-armeabi-v7a-release-unsigned.apk
f1877d80655bf0302609d5a00cade13150d3cead5f7ab8d5a5522f707566cd93  /home/user/wspace/electrum/contrib/android/../../dist/Electrum-126.96.36.199-arm64-v8a-release-unsigned.apk
227cb4fb61157e045313ce42087369782991bfd646d78052e9dd6a8091ad1143  /home/user/wspace/electrum/contrib/android/../../dist/Electrum-188.8.131.52-armeabi-v7a-release-unsigned.apk
```
That looks good. After unzipping the two APKs from the download and the two just built, the diffs look as follows:
```
$ unzip -d fromBuild32 dist/Electrum-184.108.40.206-armeabi-v7a-release-unsigned.apk
$ unzip -d fromBuild64 dist/Electrum-220.127.116.11-arm64-v8a-release-unsigned.apk
$ unzip -d fromDownload32 Electrum-18.104.22.168-armeabi-v7a-release.apk
$ unzip -d fromDownload64 Electrum-22.214.171.124-arm64-v8a-release.apk
$ diff --recursive --brief from*32
Only in fromDownload32/META-INF: CERT.RSA
Only in fromDownload32/META-INF: CERT.SF
Files fromBuild32/META-INF/MANIFEST.MF and fromDownload32/META-INF/MANIFEST.MF differ
$ diff --recursive --brief from*64
Only in fromDownload64/META-INF: CERT.RSA
Only in fromDownload64/META-INF: CERT.SF
Files fromBuild64/META-INF/MANIFEST.MF and fromDownload64/META-INF/MANIFEST.MF differ
```
And with the updated test script:
```
Results:
appId:          org.electrum.electrum
signer:         e543d576fa0f2a33d412bca4c7d61e2301830e956e7d947e75b9052d176027d3
apkVersionName: 126.96.36.199
apkVersionCode: 34010500
verdict:        reproducible
appHash:        de25614cc8f8fa20262f20df816634a349cf796b3e4cf026087e4dec12c15231
commit:         d8d2c180aafaec1ae9bc68c27a7d780df8de4348

Diff:
Only in /tmp/fromPlay_org.electrum.electrum_34010500/META-INF: CERT.RSA
Only in /tmp/fromPlay_org.electrum.electrum_34010500/META-INF: CERT.SF
Files /tmp/fromPlay_org.electrum.electrum_34010500/META-INF/MANIFEST.MF and /tmp/fromBuild_org.electrum.electrum_34010500/META-INF/MANIFEST.MF differ

Revision, tag (and its signature):
object d8d2c180aafaec1ae9bc68c27a7d780df8de4348
type commit
tag 4.1.5
tagger ThomasV <email@example.com> 1626708974 +0200

4.1.5
```
which is a full match except for the signature, which is expected. Electrum 4.1.5 is reproducible!
The binary provided was reproducible from the code provided.
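As an added example (not WalletScrutiny’s test script and not Electrum’s code), the following Python performs the same decision as the diff above: it hashes every entry of the downloaded and the locally built APK and treats only the META-INF signing files as permitted differences. The two APKs it compares are constructed in memory as sample data.

```python
"""Compare a downloaded (signed) APK against a locally built unsigned one.
Only the signing artefacts in META-INF may differ; anything else fails."""
import hashlib
import io
import zipfile

# Entries the APK signer adds or rewrites: the only permitted differences.
SIGNING_ENTRIES = {"META-INF/CERT.RSA", "META-INF/CERT.SF", "META-INF/MANIFEST.MF"}


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each archive entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def compare_apks(downloaded: bytes, built: bytes) -> dict:
    """Report differing entries, split into expected (signing) and unexpected."""
    a, b = entry_digests(downloaded), entry_digests(built)
    # An entry present in only one archive also counts as differing.
    differing = {n for n in a.keys() | b.keys() if a.get(n) != b.get(n)}
    unexpected = sorted(differing - SIGNING_ENTRIES)
    return {"verdict": "reproducible" if not unexpected else "not reproducible",
            "signing_diffs": sorted(differing & SIGNING_ENTRIES),
            "unexpected_diffs": unexpected}


def make_apk(entries: dict) -> bytes:
    """Build a constructed, minimal zip standing in for an APK (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the "download" carries a signature block, the "build"
# does not; AndroidManifest.xml and classes.dex are otherwise byte-identical.
COMMON = {"AndroidManifest.xml": b"<manifest package='org.electrum.electrum'/>",
          "classes.dex": b"dex\n035\x00" + b"\x00" * 32}
DOWNLOADED_APK = make_apk({**COMMON,
                           "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nName: classes.dex\n",
                           "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
                           "META-INF/CERT.RSA": b"constructed-pkcs7-blob"})
BUILT_APK = make_apk({**COMMON, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
# A build whose code differs must be flagged even though META-INF looks alike.
TAMPERED_APK = make_apk({**COMMON, "classes.dex": b"dex\n035\x00" + b"\x01" * 32,
                         "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
```

On real files, read both APKs from disk and pass the bytes to `compare_apks`; the verdict matches the `diff --recursive --brief` reading above.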
As part of our Methodology, we ask: Does the app we built differ from what we downloaded? If not, we tag it
If we can reproduce the app we downloaded from the public source code, with all bytes accounted for, we call the app reproducible. This does not mean we audited the code but it’s the precondition to make sure the code has relevance for the app.
If the provider puts your funds at risk on purpose or by accident, security researchers can see this if they care to look. It also means that inside the company, engineers can verify that the release manager is releasing the app based on code known to all engineers on the team. A scammer would have to work under the potential eyes of security researchers and would have to take more effort to hide any exploit.
“Reproducible” does not mean “verified”. There is good reason to believe that security researchers as of today would not detect very blatant backdoors in the public source code before it gets exploited, much less if the attacker takes moderate efforts to hide it. This is especially true for less popular projects.