
How do I verify that a binary was actually built from a particular git commit/release and not from a modified version?

For a small project we can build it ourselves, but for large projects like Android custom ROMs, how do we verify that the build is really from the git release they claim it to be?

Edit: Cannot expect open-source binaries to be signed, as those are free. Downloads are from a third-party location.

  • Pull the built binary from git and compare the file hashes. Also, ensure your binaries are digitally code-signed (e.g., with signature timestamps), and include build version info in your built files. Finally, ensure your git runner logs contain all this info during builds (e.g., file hash, file size, timestamp, build version).
    – leeharvey1
    Commented Dec 31, 2021 at 11:54
  • @leeharvey1, most people don't store built binaries in their source tree. Short answer, Ronnie: unless leeharvey1 is onto something and you saved the binaries (even though this is not a good plan), you can't. In general, this is why only binaries built on a build server are "valid", and the MD5 (or whatever checksum) from those build-server binaries is stored somewhere secure for comparison. Not even an identical git version from another (non-build-server) machine is acceptable in any real scenario. Think about it: your source is only a TINY piece of what makes that binary.
    Commented Jan 1, 2022 at 0:48
  • Although true, @leeharvey1, digitally signing those binaries with info is a mighty good plan! :) It still isn't clear if the OP means binaries built on a build server, or binaries built by "someone else".
    Commented Jan 1, 2022 at 0:50
  • @senor cmasmas, I mean custom ROM images provided by devs for direct flashing on a device. If there is a way to verify that the images were actually built by a server, then that is sufficient. As noted in the answer below, even a ROM built from a non-official private source can be signed.
    – Ron
    Commented Jan 2, 2022 at 18:11
  • Thanks for the clarification @Ronnie :)
    Commented Jan 3, 2022 at 2:27

1 Answer


Cannot expect open-source binaries to be signed, as those are free.

There is no contradiction here: signing is free too. I don't think this helps though, because someone could maliciously build from modified sources and then sign the binary. So signing only works if you trust the original builder and want to make sure that the binary is indeed what they have provided and not an altered version.

It sounds like you're looking for reproducible builds. For this to work the project has to be based on a tech stack and toolchain that support reproducible builds. If it's not, then you're out of luck. If it is, you can build it yourself and compare results. You're right that this may not be practical for large projects. Unfortunately security oftentimes comes at the cost of convenience.

It's worth noting that ultimately you're also trusting that the toolchain isn't malicious. Same for the hardware you're building on. You will have to trust someone, unless you're willing to build the hardware yourself and reverse engineer the entire toolchain.

  • We will mostly use toolchains signed by reputable developers, so we can trust those.
    – Ron
    Commented Jan 2, 2022 at 17:54
  • For Android custom ROMs the user has to blindly trust the developer. There needs to be a way to have verified trust in the build the user installs.
    – Ron
    Commented Jan 2, 2022 at 18:02
  • @Ronnie I'm afraid that's wishful thinking. You need either reproducible builds (to confirm that binaries match) or the ability to revert binaries to their original form (to confirm that sources match). The latter is impossible if you're using any compiler optimizations, and you should.
    – gronostaj
    Commented Jan 2, 2022 at 18:32
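An added illustration of the check the answer above describes, written for this page and not taken from the original post or from any Android project: rebuild from the claimed sources, remove every source of nondeterminism from the build, and compare the result byte-for-byte with the published download. To stay runnable offline with only the standard library, the "build" here is a zip archive produced from a constructed in-memory source tree; the file names, contents and the SOURCE_DATE_EPOCH value are all constructed for the example.

```python
"""Added example: checking a published release artifact against a rebuild
from the claimed sources, the way a reproducible-builds check works.

A real project would run its own toolchain here; to stay runnable offline
with only the standard library, the "build" is a zip archive produced from
a constructed in-memory source tree. File names, contents and the
timestamp below are constructed for illustration.
"""
import hashlib
import io
import time
import zipfile

# Reproducible-builds convention: the build may embed exactly one timestamp,
# taken from the release commit (SOURCE_DATE_EPOCH), never from the wall clock.
# Value constructed: 2022-01-01T00:00:00Z.
SOURCE_DATE_EPOCH = 1640995200


def _zip_date_time(epoch: int) -> tuple:
    """Convert a Unix timestamp to the (Y, M, D, h, m, s) tuple zip entries store."""
    t = time.gmtime(epoch)
    return (t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def build(sources: dict, source_date_epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Deterministic stand-in build: identical sources give a byte-identical artifact.

    Each pinned field below removes one common source of nondeterminism that
    would otherwise make an honest rebuild hash differently from the download.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(sources):  # entry order: sorted, not dict/filesystem order
            info = zipfile.ZipInfo(name, date_time=_zip_date_time(source_date_epoch))  # mtime pinned
            info.create_system = 3                # "made by" OS field pinned to Unix, not host-dependent
            info.external_attr = 0o100644 << 16   # mode pinned: regular file, rw-r--r--
            zf.writestr(info, sources[name],
                        compress_type=zipfile.ZIP_DEFLATED, compresslevel=9)  # compression pinned
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_published(published_artifact: bytes, sources: dict,
                             source_date_epoch: int = SOURCE_DATE_EPOCH) -> dict:
    """Rebuild from the claimed sources and compare digests with the download.

    A match shows the download was built from exactly these sources (with a
    toolchain that produces the same bytes); a mismatch means modified
    sources, a different toolchain, or a build step that is not reproducible.
    """
    rebuilt = build(sources, source_date_epoch)
    return {
        "published_sha256": sha256_hex(published_artifact),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "match": rebuilt == published_artifact,
    }


# Constructed stand-in for the source tree at the claimed release tag.
RELEASE_SOURCES = {
    "system/build.prop": b"ro.build.version.release=12\nro.debuggable=0\n",
    "system/etc/init/sshd.rc": b"service sshd /system/bin/sshd\n    disabled\n",
}

# The same tree after a malicious builder flips one line before building.
TAMPERED_SOURCES = dict(RELEASE_SOURCES)
TAMPERED_SOURCES["system/build.prop"] = b"ro.build.version.release=12\nro.debuggable=1\n"


if __name__ == "__main__":
    # The "download": what the developer published, built from the real sources.
    published = build(RELEASE_SOURCES)
    print("honest rebuild:  ", verify_against_published(published, RELEASE_SOURCES))
    print("tampered rebuild:", verify_against_published(published, TAMPERED_SOURCES))
    # Forgetting to pin the timestamp is enough on its own to break the comparison.
    print("same sources, wall-clock timestamp, match =",
          verify_against_published(published, RELEASE_SOURCES, int(time.time()))["match"])
```

To apply this to a real ROM, replace build() with the project's build command run at the claimed tag, using the same toolchain version the developer used, and compare the rebuilt image's digest with the downloaded one. Even this toy depends on the zlib version that ships with the interpreter, which is the small-scale version of the answer's caveat: a mismatch can come from a different toolchain as well as from modified sources, and a match only proves the sources if you also trust the toolchain.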
