Verifiable builds? #1244
Comments
|
The section in the README you're referring to explains how you can verify that Aegis APK's were signed by us. Reproducible builds are something completely different and we don't support that currently. |
|
That's what I had understood. Is there a plan to include it on the roadmap? This would greatly increase the trust in the product. |
|
Not currently. I'd first like to see a more detailed proposal and perhaps a proof of concept for this. Maintaining reproducible builds can be painful and it'd be good to have a general impression of what the impact on Aegis' build process would be. |
|
An excellent example is here: From the looks of things, I think it could be done with minimal impact to the build process once the work is carried out. I believe this is truly important to be able to implement a TNO (Trust No One) solution. |
Hello.
Excellent initiative.
Is there a way to verify that the build on the play store is produced from the code in this repo (a la Signal private messenger)? The verification in the readme suggests that the certificate used for signing is the same but is this the same thing as the build being the same? Perhaps I'm missing something?
The text was updated successfully, but these errors were encountered: