Verification Server

The idea of a verification server is to automatically reproduce official releases published by f-droid.org (or any other server). This ensures that everything in the release APK came from the source code, and nothing was inserted or included during the build process. This is also useful for verifying that the build process is not including proprietary libraries.

The ultimate goal is a simple installation that any third party can make, that will continuously check for new published packages, make its own builds, and confirm that the binaries match exactly. There are many issues to resolve to get to this final destination, but the basic concept is already tested and working. (see the ‘fdroid verify’ command).

The output of multiple verification servers would then be available to the F-Droid client. The idea would be to configure the client such that it does not trust a binary until multiple verification servers are in agreement that it correct.

Verification based on APK signature

The verification process currently works by building a new unsigned APK, then copying the APK signature from the existing APK into the newly built unsigned APK. If the APK signature verifies, then the APK has been reproduced, and is marked as verified. If not, a diffoscope log is generated to show what the differences are between the two builds. The verification server needs no signing capability, just building.

Setting one up

This is still pretty raw, so expect some tinkering. It also will likely only work on Debian, Ubuntu and other Debian-derivatives. The first step is getting the fdroidserver tools setup and working. Run the fdroidserver tools directly out of git (e.g. ~/code/fdroidserver/fdroid build org.adaway), that’s going to be the easiest for now since the verification server stuff is a moving target. The base server needs to be at minimum Debian/jessie, or there will need to be some heavy tweaking. If you run Ubuntu or derivative distro, you can get any packages missing from your version, like vagrant-cachier, from this PPA: https://launchpad.net/~fdroid/+archive/ubuntu/buildserver/

Then you can find more on the process by reading Build Server Setup. You can also see the Continuous Integration scripts for this process to see how the whole thing can work:

Dealing with missing git repos

From time to time, app authors delete or move their git repos. With github and other services, running git clone on a URL that does not exist will prompt you for a username and password (ostensibly to check if it is an existing private repo). In order to prevent the prompt from stalling the build jobs forever, set a fake username and password as part of the git URL. One way to do that is to add this to ~/.gitconfig:

[url "https://fakeusername:fakepassword@github.com"]
    insteadOf = https://github.com
[url "https://fakeusername:fakepassword@gitlab.com"]
    insteadOf = https://gitlab.com
[url "https://fakeusername:fakepassword@bitbucket.org"]
    insteadOf = https://bitbucket.org