Since version 3.15.0 Signal for Android has supported reproducible builds. This is achieved by replicating the build environment as a Docker image. You'll need to build the image, run a container instance of it, compile Signal inside the container and finally compare the resulting APK to the APK that is distributed in the Google Play Store.
This script automates that.
- Enable developer options and USB debugging on your phone.
- Connect your phone to the computer via USB.
- Run the commands below and follow the instructions.

```bash
mkdir -p "$HOME/reproducible-signal"
cd "$HOME/reproducible-signal"
wget https://raw.githubusercontent.com/oittaa/reproducible-signal/master/reproducible-signal.sh
chmod +x ./reproducible-signal.sh
./reproducible-signal.sh
```

The script might take several minutes to complete. If everything went right and the APKs match, the last line of output will be `APKs match!`
- You will need around 10GB of free space for Docker images and the Signal build process.
- Required packages can be installed manually:

  ```bash
  sudo apt install aapt adb docker.io unzip wget
  ```

- If you had to install Docker:
  - Add yourself to the docker group:

    ```bash
    sudo usermod -aG docker $USER
    ```

  - Reboot your computer before continuing.

You can compare a previously extracted APK without connecting your phone.

```bash
./reproducible-signal.sh /path/to/signal.apk
```
Many different apps can extract installed APKs. Here's an example of how to get the APK onto your computer with Files by Google and Google Drive.
- Open Files by Google
- Tap `Browse`
- Tap `Apps`
- Under `Installed apps` scroll down to `Signal`
- On its right side expand the options and select `Share`
- Tap `Save to Drive`.
- Set `Document title` to something like `Signal.apk` and tap `Save`
- Now you can download the APK to your computer from Google Drive

Probably the easiest way to use this script is to install a virtual machine with Ubuntu 18.04 on it. Then follow the instructions for Ubuntu 18.04.
At least Windows 10 with VirtualBox worked flawlessly. Just remember to attach the phone to the VM!