
Ask HN: How to verify binary came from this exact source code? - weitzj
I want to make an app and put the source on GitHub so everybody can verify it.
How can I ensure that the corresponding binary really belonged to a specific GIT commit? Is this possible?<p>I know for example that Google Go has reproducible builds and I would get the same hash out of the binary. But I would have to attach this hash to the binary so I could have a “print version” dialogue.
And this attachment would mess up the previous binary.<p>Google Go was an example. I am talking about an Android, iOS app.
======
closeparen
You cannot have the signature as part of the signed message. You _can_
substitute a deterministic value (like all zeroes) where the signature goes,
during the signature calculation.

You may be interested in Telegram’s documentation on reusable iOS and Android
builds. [https://core.telegram.org/reproducible-
builds](https://core.telegram.org/reproducible-builds)

------
z3t4
Have a script that builds the app and compares with the released binary. You
can have the build script inject the latest commit id as version number. (You
dont commit the injected commit id, as that would create a new commit)

The build scrip clones the repo into a temp folder. Checks out specific
commit/branch. Then runs make release (or equivalent )

------
mister_hn
If you use Maven for Android, you can have reproducible builds as well

