HACKER Q&A
📣 weitzj

How to verify binary came from this exact source code?


I want to make an app and put the source on GitHub so everybody can verify it. How can I ensure that the corresponding binary really belongs to a specific Git commit? Is this possible?

I know for example that Google Go has reproducible builds and I would get the same hash out of the binary. But I would have to attach this hash to the binary so I could have a “print version” dialogue. And this attachment would mess up the previous binary.

Google Go was an example. I am talking about an Android or iOS app.


  👤 closeparen Accepted Answer ✓
You cannot have the signature as part of the signed message. You can substitute a deterministic value (like all zeroes) where the signature goes, during the signature calculation.

You may be interested in Telegram’s documentation on reproducible iOS and Android builds. https://core.telegram.org/reproducible-builds
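
The zero-placeholder trick described above, written out as an added example (not code from the thread and not Telegram's): the artifact's last 64 bytes are reserved for the hex SHA-256 of the file, and that digest is computed over the file with the slot replaced by 64 zero bytes. The verifier re-zeroes the slot, recomputes, and compares with what is embedded. The payload is constructed sample data and the trailing-slot layout is an assumption for illustration; a real signature would be placed and checked the same way.

```shell
#!/bin/sh
# Added example: embed a digest inside the file it covers by hashing the file
# with the digest slot zeroed. Layout (assumed): [payload][64-byte hex digest].
set -eu

SLOT_LEN=64    # room for a hex-encoded SHA-256 digest

# sha256_hex: hash stdin, print the lowercase hex digest (GNU or BSD userland)
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# slot_digest FILE: digest of FILE as if its trailing SLOT_LEN bytes were 0x00
slot_digest() {
  size=$(wc -c < "$1")
  body=$((size - SLOT_LEN))
  [ "$body" -ge 0 ] || { echo "slot_digest: $1 is too small" >&2; return 1; }
  { head -c "$body" "$1"; head -c "$SLOT_LEN" /dev/zero; } | sha256_hex
}

# stamp_release PAYLOAD OUT: produce OUT = PAYLOAD followed by its slot digest
stamp_release() {
  # First pass: payload + zeroed slot, exactly the bytes slot_digest hashes
  { cat "$1"; head -c "$SLOT_LEN" /dev/zero; } > "$2"
  digest=$(slot_digest "$2")
  # Second pass: overwrite the zero slot with the digest (64 hex chars)
  { cat "$1"; printf '%s' "$digest"; } > "$2"
}

# verify_release FILE: succeed only if the embedded digest matches a recomputation
verify_release() {
  embedded=$(tail -c "$SLOT_LEN" "$1")
  recomputed=$(slot_digest "$1")
  [ "$embedded" = "$recomputed" ]
}

# Demo on constructed data
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf 'constructed app payload, build 1\n' > "$work/payload.bin"
stamp_release "$work/payload.bin" "$work/release.bin"

echo "embedded digest:   $(tail -c "$SLOT_LEN" "$work/release.bin")"
# Hashing the finished file naively gives a different value: the slot no
# longer holds zeros. That is the mismatch the question describes.
echo "naive whole-file:  $(sha256_hex < "$work/release.bin")"
if verify_release "$work/release.bin"; then echo "verify: ok"; fi

# Flip the first payload byte; verification must now fail
{ printf 'X'; tail -c +2 "$work/release.bin"; } > "$work/tampered.bin"
if verify_release "$work/tampered.bin"; then
  echo "tampered: ACCEPTED (bug)"
else
  echo "tampered: rejected"
fi
```

Anyone who rebuilds the payload from source can run `slot_digest` on their own output and on the published file and get the same value, even though the published file's plain SHA-256 differs from the rebuilt, unstamped one.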


👤 z3t4
Have a script that builds the app and compares with the released binary. You can have the build script inject the latest commit id as version number. (You don't commit the injected commit id, as that would create a new commit.)

The build script clones the repo into a temp folder, checks out a specific commit/branch, then runs make release (or equivalent).
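
The procedure above as a runnable script, added here as an example (not z3t4's own script). It assumes, hypothetically, that the project builds with `make release`, reads the version string from a `VERSION` environment variable, and writes its artifact to `build/app.bin` inside the source tree; `BUILD_CMD` and `ARTIFACT_PATH` let you adapt those names. The commit id is injected through the environment at build time, never committed.

```shell
#!/bin/sh
# Added example: rebuild a release from one commit in a throwaway clone and
# compare it with the published binary. Names below are hypothetical defaults.
set -eu

BUILD_CMD=${BUILD_CMD:-make release}           # assumed build entry point
ARTIFACT_PATH=${ARTIFACT_PATH:-build/app.bin}  # assumed output, relative to source root

# sha256_hex: hash stdin, print the lowercase hex digest (GNU or BSD userland)
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

usage() { echo "usage: $0 REPO_URL COMMIT RELEASED_BINARY" >&2; exit 2; }

# rebuild_at_commit REPO COMMIT WORKDIR: clone into WORKDIR, check out COMMIT,
# build with the full commit id exported as VERSION, print the artifact path
rebuild_at_commit() {
  repo=$1; commit=$2; src=$3/src
  git clone --quiet "$repo" "$src"
  git -C "$src" checkout --quiet "$commit"
  full_id=$(git -C "$src" rev-parse HEAD)
  # Inject the id via the environment; committing it would create a new commit
  # and change the very id you are trying to embed.
  ( cd "$src" && VERSION="$full_id" $BUILD_CMD >/dev/null )
  echo "$src/$ARTIFACT_PATH"
}

# compare_artifacts RELEASED REBUILT: print both digests, succeed when equal
compare_artifacts() {
  a=$(sha256_hex < "$1")
  b=$(sha256_hex < "$2")
  echo "released: $a"
  echo "rebuilt:  $b"
  [ "$a" = "$b" ]
}

main() {
  [ $# -eq 3 ] || usage
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  rebuilt=$(rebuild_at_commit "$1" "$2" "$work")
  if compare_artifacts "$3" "$rebuilt"; then
    echo "MATCH: $3 was built from $2"
  else
    echo "MISMATCH: $3 does not correspond to $2" >&2
    # First differing byte helps locate embedded timestamps, paths or signatures
    cmp "$3" "$rebuilt" | head -n 1 >&2 || true
    return 1
  fi
}

# Run when given arguments; with none, only the functions are defined
# (so the file can also be sourced).
if [ $# -gt 0 ]; then main "$@"; fi
```

Run the rebuild in the same toolchain the release was built with (same compiler, SDK and build flags), or the digests will differ for reasons that have nothing to do with the source. A mismatch is a starting point for diffing, not proof of tampering.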


👤 mister_hn
If you use Maven for Android, you can have reproducible builds as well.