Comments (8)
Perhaps it didn't match because we don't publish here the private parameters which we use for the build. But you can be sure that our tags match the app on the Google Play store.
from coinspace.
I see your wallet was probably the one where I spent the least amount of time trying among all the open source ones. I will give it another try, but please add build instructions! Also, if you want to hide API keys, provide dummy API keys that don't work but that let me compile the app. I only need to get to an unsigned release APK to see if that matches.
Edit: Revisiting this repo, I again find the documentation totally lacking. How is this app supposed to be built?
3.5 months later ... no change of mind? Is this wallet not welcoming public scrutiny? How is the internal process? Will all users lose all funds if the maintainer under duress puts in a hack that leaks all the private keys?
No hacks. No duress. No change of mind.
The app can be built with the Containerfile below.
It requires a GitHub personal access token that has only one scope, "read:packages" ("Download packages from GitHub Package Registry"), from https://github.com/settings/tokens (replace the value "ghp_github_token_only_read_packages_scope" in the script with the ghp token from a user account). The first version of this comment contained the GitHub token I used, which was automatically revoked by GitHub with the notification "Your GitHub Personal Access Token has been revoked - A recent scan found a valid GitHub Personal Access Token linked to your GitHub account in a comment on this issue."
The file was based on scripts in the repo:
- https://github.com/CoinSpace/CoinSpace/blob/master/Dockerfile
- https://github.com/CoinSpace/CoinSpace/blob/master/cloudbuild.yaml
- https://github.com/CoinSpace/CoinSpace/blob/master/.github/workflows/ci.yml and the GitHub Actions log https://github.com/CoinSpace/CoinSpace/actions/runs/4315462715/jobs/7529897134 of "build (ubuntu-20.04, 16, android-play, phonegap, SENTRY_DSN_ANDROID)"
Several tasks remain to be done for reproducible-build testing and for improving the script:
- running diffoscope to look at the diffs and inserting the keys from the diff (more env entries might be needed than currently in the script below) instead of the "changeme" entries (lists in:
  - Lines 5 to 14 in 3c0ba16
  - Lines 1 to 26 in d750729
  - Lines 1 to 25 in 6d48e24)
- changing NODE_ENV to production (will require installing some deps manually, or sed-ing package.json)
APKs will be generated at:
- /home/appuser/CoinSpace/phonegap/build/platforms/android/app/build/outputs/apk/release/app-release-unsigned.apk
- /home/appuser/CoinSpace/deploy/coinspace-release.apk (if release.keystore is created)
FROM docker.io/node:16-bullseye-slim
RUN set -ex; \
apt-get update; \
DEBIAN_FRONTEND=noninteractive apt-get install --yes -o APT::Install-Suggests=false --no-install-recommends \
git \
wget \
unzip \
openjdk-11-jdk-headless; \
rm -rf /var/lib/apt/lists/*; \
useradd -ms /bin/bash appuser;
USER appuser
RUN set -ex; \
cd /home/appuser/; \
git clone --single-branch --no-tags --depth 1 --branch v5.10.0 https://github.com/CoinSpace/CoinSpace/;
WORKDIR /home/appuser/CoinSpace
ENV ANDROID_SDK_ROOT="/home/appuser/sdk" \
ANDROID_HOME="/home/appuser/sdk" \
JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64/" \
PATH="/home/appuser/gradle-6.9.4/bin:/home/appuser/sdk/build-tools/32.0.0/:$PATH"
RUN set -ex; \
mkdir -p "/home/appuser/sdk/licenses" ; \
printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/sdk/licenses/android-sdk-license"; \
wget https://services.gradle.org/distributions/gradle-6.9.4-bin.zip; \
unzip gradle-6.9.4-bin.zip -d /home/appuser/; \
rm gradle-6.9.4-bin.zip; \
wget https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip; \
unzip commandlinetools-linux-9477386_latest.zip -d /home/appuser/sdk/; \
rm commandlinetools-linux-9477386_latest.zip; \
/home/appuser/sdk/cmdline-tools/bin/sdkmanager --sdk_root=/home/appuser/sdk/ --install "build-tools;32.0.0";
ENV NODE_ENV="development"
RUN set -ex; \
cd /home/appuser/CoinSpace/; \
npm config set @coinspace:registry https://npm.pkg.github.com; \
npm config set "//npm.pkg.github.com/:_authToken" "ghp_github_token_only_read_packages_scope"; \
npm ci; \
cd /home/appuser/CoinSpace/phonegap; \
npm ci;
RUN set -ex; \
cd /home/appuser/CoinSpace; \
node ./cli/i18n.js --json;
ENV MOONPAY_API_KEY="changeme" \
SENTRY_DSN="changeme1" \
SENTRY_ORG="changeme2" \
SENTRY_AUTH_TOKEN="changeme3" \
CHANGELLY_REF="changeme4"
RUN set -ex; \
cd /home/appuser/CoinSpace; \
/home/appuser/CoinSpace/phonegap/node_modules/.bin/cordova telemetry off;
In the container, run this command (it's OK for it to fail at signing the APK):
node ./cli/build.js phonegap --env=prod --release --platform=android-play;
To create the release.keystore so that the last command passes successfully:
keytool -genkey -alias coinspace -keystore release.keystore -storetype PKCS12 -keyalg RSA -keysize 4096 -storepass coinspace -keypass coinspace -validity 10000 -dname CN=IL;
The latest version v5.10.0 is kinda reproducible (it requires figuring out how to specify or reproduce the hash used in filenames and in the content; maybe it's generated by webpack, as it's the only diff) with the updated Containerfile below:
FROM docker.io/node:16-bullseye-slim
RUN set -ex; \
apt-get update; \
DEBIAN_FRONTEND=noninteractive apt-get install --yes -o APT::Install-Suggests=false --no-install-recommends \
git \
wget \
unzip \
openjdk-11-jdk-headless; \
rm -rf /var/lib/apt/lists/*; \
useradd -ms /bin/bash appuser;
USER appuser
ENV ANDROID_SDK_ROOT="/home/appuser/sdk" \
ANDROID_HOME="/home/appuser/sdk" \
JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64/" \
PATH="/home/appuser/gradle-6.9.4/bin:/home/appuser/sdk/build-tools/32.0.0/:$PATH" \
NODE_ENV="development" \
MOONPAY_API_KEY="pk_live_Tdc0BhIo7uIk8v9MOtWNxVJHr1WCEm" \
SENTRY_DSN="https://[email protected]/5131667" \
SENTRY_ORG="dummy_string_just_need_to_be_set_to_anything" \
SENTRY_AUTH_TOKEN="dummy_string_just_need_to_be_set_to_anything" \
CHANGELLY_REF="1c6e7ce0484f" \
COMMIT="5af422a" \
COMMIT_SHA="5af422a" \
ORG_GRADLE_PROJECT_cdvVersionCode=3154 \
GITHUB_RUN_NUMBER=624 \
ZENDESK_APP_ID="4acba684eddd4f67b514c05ce516d2b9d34fa284cecaed49" \
ZENDESK_URL="https://coinapp.zendesk.com" \
ZENDESK_CLIENT_ID="mobile_sdk_client_f5b0609f735ecf230d0c"
RUN set -ex; \
cd /home/appuser/; \
git clone --single-branch --no-tags --depth 1 --branch v5.10.0 https://github.com/CoinSpace/CoinSpace/; \
mkdir -p "/home/appuser/sdk/licenses" ; \
printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/sdk/licenses/android-sdk-license"; \
wget https://services.gradle.org/distributions/gradle-6.9.4-bin.zip; \
unzip gradle-6.9.4-bin.zip -d /home/appuser/; \
rm gradle-6.9.4-bin.zip; \
wget https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip; \
unzip commandlinetools-linux-9477386_latest.zip -d /home/appuser/sdk/; \
rm commandlinetools-linux-9477386_latest.zip; \
/home/appuser/sdk/cmdline-tools/bin/sdkmanager --sdk_root=/home/appuser/sdk/ --install "build-tools;32.0.0"; \
cd /home/appuser/CoinSpace/; \
npm config set @coinspace:registry https://npm.pkg.github.com; \
npm config set "//npm.pkg.github.com/:_authToken" "ghp_github_token_only_read_packages_scope"; \
npm ci; \
cd /home/appuser/CoinSpace/phonegap; \
npm ci; \
cd /home/appuser/CoinSpace; \
node ./cli/i18n.js --json; \
cd /home/appuser/; \
keytool -genkey -alias coinspace -keystore /home/appuser/CoinSpace/phonegap/release.keystore -storetype PKCS12 -keyalg RSA -keysize 4096 -storepass coinspace -keypass coinspace -validity 10000 -dname CN=IL; \
cd /home/appuser/CoinSpace; \
/home/appuser/CoinSpace/phonegap/node_modules/.bin/cordova telemetry off;
ENV NODE_ENV="production"
WORKDIR /home/appuser/CoinSpace
In the container, run:
node ./cli/build.js phonegap --env=prod --release --platform=android-play
The command will fail with a Google bucket upload error; that's OK, as it happens after the 2 APKs have already been generated by it.
The diff shows that most of the files are the same, just the filenames differ, and the difference itself in the filenames (57c44102ebc9698e vs e7673f52455e6e02, and 57c44102 vs e7673f52) is leaked into some files:
Only in ./Upstream/assets/www/assets/js: application.57c44102.js
Only in ./BuiltApk/assets/www/assets/js: application.e7673f52.js
Only in ./Upstream/assets/www/assets/js/@coinspace: monero-core-js.57c44102.js
Only in ./Upstream/assets/www/assets/js/@coinspace: monero-core-js-asm.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/@coinspace: monero-core-js-asm.e7673f52.js
Only in ./BuiltApk/assets/www/assets/js/@coinspace: monero-core-js.e7673f52.js
Only in ./Upstream/assets/www/assets/js/@coinspace: monero-core-js-wasm.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/@coinspace: monero-core-js-wasm.e7673f52.js
Only in ./Upstream/assets/www/assets/js: deviceready.57c44102.js
Only in ./BuiltApk/assets/www/assets/js: deviceready.e7673f52.js
Only in ./Upstream/assets/www/assets/js/@emurgo: cardano-serialization-lib-asmjs.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/@emurgo: cardano-serialization-lib-asmjs.e7673f52.js
Only in ./Upstream/assets/www/assets/js/@emurgo: cardano-serialization-lib-browser.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/@emurgo: cardano-serialization-lib-browser.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: bs.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: bs.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: cs.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: cs.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: de.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: de.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: en.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: en.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: es.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: es.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: fil.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: fil.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: fr.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: fr.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: hr.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: hr.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: hu.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: hu.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: id.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: id.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: it.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: it.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: ja.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: ja.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: km.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: km.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: ko.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: ko.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: nb.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: nb.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: nl.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: nl.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: pl.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: pl.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: pt-br.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: pt-br.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: ru.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: ru.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: sr.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: sr.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: th.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: th.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: tr.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: tr.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: uk.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: uk.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: vi.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: vi.e7673f52.js
Only in ./Upstream/assets/www/assets/js/i18n: zh-cn.57c44102.js
Only in ./BuiltApk/assets/www/assets/js/i18n: zh-cn.e7673f52.js
Only in ./Upstream/assets/www/assets/js: loader.57c44102.js
Only in ./BuiltApk/assets/www/assets/js: loader.e7673f52.js
Only in ./Upstream/assets/www/assets/js: worker.57c44102.js
Only in ./BuiltApk/assets/www/assets/js: worker.e7673f52.js
Only in ./Upstream/assets/www/assets/wasm: 57c44102ebc9698e.module.wasm
Only in ./BuiltApk/assets/www/assets/wasm: e7673f52455e6e02.module.wasm
Files ./Upstream/assets/www/index.html and ./BuiltApk/assets/www/index.html differ
Only in ./Upstream/META-INF: COINSPAC.RSA
Only in ./Upstream/META-INF: COINSPAC.SF
Only in ./Upstream/META-INF: MANIFEST.MF
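The comparison done by hand in the comment above (unpack both APKs, ignore the signing block in META-INF, then work out whether the only remaining difference is the webpack fullhash leaking into file names and file contents) can be scripted. The POSIX shell below is an added example, not part of this thread or of the CoinSpace repo. It assumes GNU diff, find and sed (it uses `sed -i`) and unzip on PATH, that the two fullhash values are passed in by hand (upstream's 57c44102ebc9698e and whatever your build produced), and the FULLHASH placeholder token and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread or the CoinSpace repo): compare an
# upstream (signed) APK tree against a locally built one the way the
# thread does by hand. Assumes GNU diff/find/sed (uses `sed -i`) and unzip.
set -eu

# unpack_apk APK DIR: an APK is a zip archive, so unzip yields the asset tree.
unpack_apk() {
  mkdir -p "$2"
  unzip -q -o "$1" -d "$2"
}

# normalize_fullhash DIR HASH: replace the 16-hex-char webpack fullhash and
# its 8-char prefix (both leak into file names and file bodies, e.g.
# application.57c44102.js and 57c44102ebc9698e.module.wasm) with the fixed
# token FULLHASH (my placeholder) so two builds that differ only in that
# value compare equal. File contents are rewritten before paths are renamed.
normalize_fullhash() {
  dir=$1
  full=$2
  short=$(printf '%s' "$full" | cut -c1-8)
  find "$dir" -type f -exec sed -i "s/$full/FULLHASH/g; s/$short/FULLHASH/g" {} +
  find "$dir" -type f \( -name "*$full*" -o -name "*$short*" \) |
  while IFS= read -r f; do
    new=$(basename "$f" | sed "s/$full/FULLHASH/g; s/$short/FULLHASH/g")
    mv "$f" "$(dirname "$f")/$new"
  done
}

# compare_trees A B: recursive diff of the two trees, excluding META-INF,
# which only holds the signing block (MANIFEST.MF, *.SF, *.RSA) that an
# unsigned or self-signed rebuild can never match. Exit 0 means no residual
# difference; otherwise the "Only in" / "differ" lines are printed.
compare_trees() {
  diff -r -q -x META-INF "$1" "$2"
}

# verify_reproducible UPSTREAM_DIR BUILT_DIR UPSTREAM_HASH BUILT_HASH
# Returns 0 when, after hash normalisation, only META-INF differs.
verify_reproducible() {
  normalize_fullhash "$1" "$3"
  normalize_fullhash "$2" "$4"
  if compare_trees "$1" "$2"; then
    echo "reproducible: only the META-INF signature files differ"
  else
    echo "NOT reproducible: residual differences listed above"
    return 1
  fi
}

# Usage: sh compare-apk.sh upstream.apk built.apk 57c44102ebc9698e e7673f52455e6e02
if [ "$#" -eq 4 ]; then
  work=$(mktemp -d)
  unpack_apk "$1" "$work/upstream"
  unpack_apk "$2" "$work/built"
  verify_reproducible "$work/upstream" "$work/built" "$3" "$4"
fi
```

Only a clean run is meaningful: anything the script still lists after normalisation is a real difference in code or assets and has to be explained before the build can be called reproducible; the normalisation only hides the hash itself, not whatever caused the hash to differ.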
The app is reproducible. To use the same webpack fullhash I developed a webpack plugin for webpack 5+ that overrides it via compilation hooking; I didn't find a plugin anywhere to do so, therefore I had to develop it, and after many failed attempts found the way to override it.
The fullhash is calculated from the files in the repo, and likely because the .env.prod file is used when the app is built (but not by the Containerfile, as the .env.prod file content is not in the repo and the values set in it are set as environment variables in the Containerfile instead) the generated fullhash value is different; .env.prod may contain some env vars not set in the Containerfile below, or set to dummy values instead, like the SENTRY_AUTH_TOKEN and GOOGLE_CLOUD_BUCKET env vars.
Adding the file static-build-hash-plugin.js to the repo with the content:
// Webpack 5+ plugin: pin the compilation's fullhash to the value of the upstream build
function WebPackStaticFullHash() {}
WebPackStaticFullHash.prototype.apply = function(compiler) {
  compiler.hooks.thisCompilation.tap("webpack-static-full-hash", (compilation) => {
    // fullHash is called with the hash object just before its digest is taken
    compilation.hooks.fullHash.tap("webpack-static-full-hash", hash => {
      // a constant digest makes every [fullhash] substitution equal to upstream's
      hash.digest = function() {
        return "57c44102ebc9698e";
      };
    });
  });
};
module.exports = WebPackStaticFullHash;
and loading it in webpack.prod.js via these calls (the first call at the first line of the file; the second call needs to be placed once in the right place under plugins):
const WebPackStaticFullHashPlugin = require('./webpack-static-fullhash-plugin.js');
new WebPackStaticFullHashPlugin()
will generate a reproducible APK. The Containerfile that adds the above steps is below (the value "ghp_github_token_only_read_packages_scope" should be changed to a GitHub token with the read:packages scope; it can't be published on GitHub as it will be revoked automatically):
FROM docker.io/node:16-bullseye-slim
# Build deps: git to fetch the tag, wget/unzip for Gradle and the SDK tools, JDK 11 for Gradle; the build runs as an unprivileged user
RUN set -ex; \
apt-get update; \
DEBIAN_FRONTEND=noninteractive apt-get install --yes -o APT::Install-Suggests=false --no-install-recommends \
git \
wget \
unzip \
openjdk-11-jdk-headless; \
rm -rf /var/lib/apt/lists/*; \
useradd -ms /bin/bash appuser;
USER appuser
# These values end up in the build output, so they must match the upstream CI build (taken from the repo and the public CI log); SENTRY_ORG and SENTRY_AUTH_TOKEN only need to be set to something
ENV ANDROID_SDK_ROOT="/home/appuser/sdk" \
ANDROID_HOME="/home/appuser/sdk" \
JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64/" \
PATH="/home/appuser/gradle-6.9.4/bin:/home/appuser/sdk/build-tools/32.0.0/:$PATH" \
NODE_ENV="development" \
MOONPAY_API_KEY="pk_live_Tdc0BhIo7uIk8v9MOtWNxVJHr1WCEm" \
SENTRY_DSN="https://[email protected]/5131667" \
SENTRY_ORG="dummy_string_just_need_to_be_set_to_anything" \
SENTRY_AUTH_TOKEN="dummy_string_just_need_to_be_set_to_anything" \
CHANGELLY_REF="1c6e7ce0484f" \
COMMIT="5af422a" \
COMMIT_SHA="5af422a" \
ORG_GRADLE_PROJECT_cdvVersionCode=3154 \
GITHUB_RUN_NUMBER=624 \
ZENDESK_APP_ID="4acba684eddd4f67b514c05ce516d2b9d34fa284cecaed49" \
ZENDESK_URL="https://coinapp.zendesk.com" \
ZENDESK_CLIENT_ID="mobile_sdk_client_f5b0609f735ecf230d0c"
# Clone the tagged release; install Gradle 6.9.4, the Android command-line tools and build-tools 32.0.0 (accepting the SDK licence by its hash);
# install npm deps from the GitHub package registry (needs the read:packages token); generate i18n; create a throwaway signing keystore;
# disable Cordova telemetry; patch webpack.prod.js to load the static fullhash plugin, which the last line writes out
RUN set -ex; \
cd /home/appuser/; \
git clone --single-branch --no-tags --depth 1 --branch v5.10.0 https://github.com/CoinSpace/CoinSpace/; \
mkdir -p "/home/appuser/sdk/licenses" ; \
printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/sdk/licenses/android-sdk-license"; \
wget https://services.gradle.org/distributions/gradle-6.9.4-bin.zip; \
unzip gradle-6.9.4-bin.zip -d /home/appuser/; \
rm gradle-6.9.4-bin.zip; \
wget https://dl.google.com/android/repository/commandlinetools-linux-9477386_latest.zip; \
unzip commandlinetools-linux-9477386_latest.zip -d /home/appuser/sdk/; \
rm commandlinetools-linux-9477386_latest.zip; \
/home/appuser/sdk/cmdline-tools/bin/sdkmanager --sdk_root=/home/appuser/sdk/ --install "build-tools;32.0.0"; \
cd /home/appuser/CoinSpace/; \
npm config set @coinspace:registry https://npm.pkg.github.com; \
npm config set "//npm.pkg.github.com/:_authToken" "ghp_github_token_only_read_packages_scope"; \
npm ci; \
cd /home/appuser/CoinSpace/phonegap; \
npm ci; \
cd /home/appuser/CoinSpace; \
node ./cli/i18n.js --json; \
cd /home/appuser/; \
keytool -genkey -alias coinspace -keystore /home/appuser/CoinSpace/phonegap/release.keystore -storetype PKCS12 -keyalg RSA -keysize 4096 -storepass coinspace -keypass coinspace -validity 10000 -dname CN=IL; \
cd /home/appuser/CoinSpace; \
/home/appuser/CoinSpace/phonegap/node_modules/.bin/cordova telemetry off; \
sed -i "1i\const WebPackStaticFullHashPlugin = require('./webpack-static-fullhash-plugin');" webpack.prod.js; \
sed -i '/webpack.ProgressPlugin(),/i new WebPackStaticFullHashPlugin(),' webpack.prod.js; \
printf 'function WebPackStaticFullHash() {}\nWebPackStaticFullHash.prototype.apply=function(compiler){compiler.hooks.thisCompilation.tap("webpack-static-full-hash",(compilation)=>{compilation.hooks.fullHash.tap("webpack-static-full-hash",hash=>{hash.digest=function(){return "57c44102ebc9698e";};})})};module.exports = WebPackStaticFullHash;' > webpack-static-fullhash-plugin.js
# Switch to a production build only after the deps were installed under NODE_ENV=development
ENV NODE_ENV="production"
WORKDIR /home/appuser/CoinSpace
Compiling it and comparing to the APK downloaded from the apk.support website or the apkcombo.com website, the result is:
Only in ApkFromWebsite/META-INF: COINSPAC.RSA
Only in ApkFromWebsite/META-INF: COINSPAC.SF
Only in ApkFromWebsite/META-INF: MANIFEST.MF
Given that @emanuelb was able to verify the reproducibility of this app, I'm re-opening this app for verification in WalletScrutiny. In relation to https://gitlab.com/walletscrutiny/walletScrutinyCom/-/issues/214.
@nikashitsa I hope you would reconsider. As you see, WalletScrutiny has been running for a significant amount of time and has assessed over 6500+ apps/devices. Thank you.