Reproducible Android Builds
Article Summary
Signal just made their Android builds reproducible, and they're practically begging you not to send them panicked encrypted emails about it. This is transparency done right.
Signal's Android team shipped reproducible builds as a weekend hack, allowing anyone to verify that the APK distributed through Google Play matches the exact source code in their GitHub repository. They've published a Docker image that makes verification straightforward for developers.
Key Takeaways
- Docker-based verification process compares Play Store APK to GitHub source code
- A simple apkdiff script confirms that the locally rebuilt APK matches the Play Store APK (signature aside), and therefore the published source
- Native libraries (WebRTC) remain non-reproducible because they were not built through Gradle's NDK support
- Team emphasizes this wasn't driven by legal pressure, just good engineering practice
Signal now lets anyone verify their Android APK matches public source code through a simple Docker-based build process.
About This Article
Signal's Android app uses native shared libraries for voice calls, such as WebRTC, that were not built through Gradle NDK support. Those components therefore cannot be reproduced yet, which blocks full verification of the build.
Signal released a Docker image called whispersystems/signal-android:0.2 that contains a complete Android build environment. Developers can use it to rebuild the APK and compare the result against the Play Store version with the apkdiff script.
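The comparison step, as an added example that is not Signal's own apkdiff script: it hashes every entry of two APKs (which are zip files) and reports any that differ, skipping the META-INF signature entries because only the Play Store copy carries Signal's release signature. The set of skipped entries and the in-memory sample APKs are assumptions constructed for the demo, and the second sample shows how a native library built outside Gradle NDK surfaces as a mismatch.

```python
import hashlib
import io
import zipfile

# Assumption: these are the only entries expected to differ between a signed
# store APK and an unsigned local rebuild (not necessarily Signal's exact list).
SIGNATURE_ENTRIES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each non-signature file entry in the APK to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in SIGNATURE_ENTRIES or info.filename.endswith("/"):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def apk_diff(store_apk: bytes, rebuilt_apk: bytes) -> list:
    """Return a list of mismatches (differing, missing or extra entries); [] means a match."""
    a, b = entry_digests(store_apk), entry_digests(rebuilt_apk)
    problems = []
    for name in sorted(a.keys() | b.keys()):
        if name not in a:
            problems.append(f"only in rebuilt: {name}")
        elif name not in b:
            problems.append(f"only in store: {name}")
        elif a[name] != b[name]:
            problems.append(f"content differs: {name}")
    return problems


def make_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the store APK is signed, the rebuilds are not.
STORE = make_apk({"classes.dex": b"dex-same", "lib/armeabi-v7a/libnative.so": b"native-A",
                  "META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s", "META-INF/CERT.RSA": b"r"})
REBUILT_OK = make_apk({"classes.dex": b"dex-same", "lib/armeabi-v7a/libnative.so": b"native-A"})
# Same Java output, but the native library came from a non-reproducible build.
REBUILT_NATIVE_DRIFT = make_apk({"classes.dex": b"dex-same", "lib/armeabi-v7a/libnative.so": b"native-B"})

if __name__ == "__main__":
    print(apk_diff(STORE, REBUILT_OK))            # []
    print(apk_diff(STORE, REBUILT_NATIVE_DRIFT))  # ['content differs: lib/armeabi-v7a/libnative.so']
```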
Developers can now verify that Signal's APK matches the public GitHub source code exactly. The team plans to integrate Gradle NDK support for native libraries in the future.