The conspiracy theory of today is that the Corona apps would include the "Staatstrojaner".
What is the technical approach for verifying that an app release relates to a certain version of the code base in terms of reproducible builds?
What is the official (and verifiable) answer to conspiracy theorists that the Corona apps do not include anything but the Corona app?
The arguments that everything is on GitHub, verified by the BSI, CCC and community do not count.
Really? It's not even been 24 hours and … ah, never mind.
Do you have some quick links where these theories originated/where you've heard from them? This would indeed be something interesting to investigate, if you don't mind @zopyx!
(N.B.: Speaking from a sociological perspective, I doubt anything added to the transparency already achieved will in any way help mitigate conspiracy theories)
There is a lot of related BS talk on Twitter, just search for "staatstrojaner".
Of course, it is hard to fight. Transparency does not count, everyone is paid...blablabla.
Question is: what can be made to take away the argument that something comes on top with app releases.
Telegram has a good article about this topic: https://core.telegram.org/reproducible-builds
TLDR: Takes a lot of work to make builds reproducible on Android, even harder on iOS (and requires jailbroken device to verify)
Question is: what can be made to take away the argument that something comes on top with app releases.
I'd say tell them to reverse-engineer the app …? I certainly understand this, it's really frustrating. Just had a conversation with my flatmate who reproduced the same arguments 5 minutes ago …
I'll do a Twitter search, thanks!
The only technical approach is described here, as zoellner already mentioned:
https://core.telegram.org/reproducible-builds
Do you need additional information about the build to do a reproducible build with this manual?
The main problem here is that any Dev certificate other than the one from the SAP Dev team does not have the required entitlements to build and sign the app with the Release schema (= version downloadable in the App Store) that contains the hook-up for the EN framework. So you cannot build the "same" app at home to compare hashes or do other comparisons.
Simplest thing is to just analyze the binaries. That's not too difficult, and concerns from people without any tech experience should be ignored, as you cannot counter them with any technical proofs and they will always exist...
You're right, but does this ipadiff.py tool from Telegram not analyze the binaries independently of the used entitlements?
You're right, but does this ipadiff.py tool from Telegram not analyze the binaries independently of the used entitlements?
Yes, that is correct! You can do that and see the different files (and get even more details). But you can't build the "same" app, so the script will never just say: both binaries are equal. People with technical experience can of course point out the differences and then see that it is just the EN framework missing / the mock-up being used.
(CCC and others did the same)
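What the comparison described above looks like in practice, as an added example that is not part of this thread, not Telegram's ipadiff.py, and not code from the Corona-Warn-App project: two zip-based app packages (IPA or APK) are hashed member by member, and the differences are then split into those explained by re-signing with a different certificate (signature and provisioning files, whose paths are assumed here from the usual IPA/APK layout) and those that a reviewer still has to look at, such as the mock bundle that a home build without the EN entitlement would carry. The two packages below are constructed in memory as stand-ins; real use would read the two `.ipa` files from disk.

```python
import hashlib
import io
import zipfile

# Paths that legitimately differ between a store build and a locally signed
# build: they carry the signature and provisioning profile of whichever
# certificate signed the package (assumed markers, typical for IPA/APK layouts).
SIGNING_PATH_MARKERS = ("_CodeSignature/", "embedded.mobileprovision", "META-INF/")


def archive_digests(package: bytes) -> dict:
    """Map every file inside a zip-based app package (IPA or APK) to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_packages(first: bytes, second: bytes) -> dict:
    """Compare two packages member by member and report what differs."""
    a, b = archive_digests(first), archive_digests(second)
    common = set(a) & set(b)
    return {
        "only_in_first": sorted(set(a) - set(b)),
        "only_in_second": sorted(set(b) - set(a)),
        "changed": sorted(p for p in common if a[p] != b[p]),
        "identical": sorted(p for p in common if a[p] == b[p]),
    }


def triage_differences(report: dict) -> dict:
    """Split differences into those explained by re-signing and those needing review."""
    differing = report["only_in_first"] + report["only_in_second"] + report["changed"]
    signing = [p for p in differing if any(m in p for m in SIGNING_PATH_MARKERS)]
    review = [p for p in differing if p not in signing]
    return {"signing_related": sorted(signing), "needs_review": sorted(review)}


def build_package(members: dict) -> bytes:
    """Constructed sample: an in-memory zip standing in for a real IPA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample packages (not real app contents). The "store" build carries
# the Exposure Notification entitlement; the "home" build, signed with a plain
# developer certificate, carries a different profile and a mock bundle instead.
STORE_IPA = build_package({
    "Payload/CWA.app/CWA": b"\xcf\xfa\xed\xfe app binary build 42",
    "Payload/CWA.app/Info.plist": b"<plist><dict/></plist>",
    "Payload/CWA.app/_CodeSignature/CodeResources": b"signature by store certificate",
    "Payload/CWA.app/embedded.mobileprovision": b"profile with EN entitlement",
})
HOME_IPA = build_package({
    "Payload/CWA.app/CWA": b"\xcf\xfa\xed\xfe app binary build 42",
    "Payload/CWA.app/Info.plist": b"<plist><dict/></plist>",
    "Payload/CWA.app/_CodeSignature/CodeResources": b"signature by developer certificate",
    "Payload/CWA.app/embedded.mobileprovision": b"profile without EN entitlement",
    "Payload/CWA.app/ENMock.bundle/mock.json": b"{}",
})


if __name__ == "__main__":
    # With real files: diff_packages(open("store.ipa", "rb").read(), open("home.ipa", "rb").read())
    report = diff_packages(STORE_IPA, HOME_IPA)
    for key, paths in report.items():
        print(f"{key}:")
        for path in paths:
            print(f"  {path}")
    triage = triage_differences(report)
    print("explained by re-signing:", triage["signing_related"])
    print("needs manual review:", triage["needs_review"])
```

The point of the triage step is the one made in the comment above: the script will never report the two packages as equal, because the signature and provisioning members depend on who signed, so the useful output is the short list of remaining differences that a reviewer can then explain (here the mock bundle that stands in for the missing EN framework) or flag.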
Hello, thanks for your question. Please see https://github.com/corona-warn-app/cwa-documentation/issues/14 .
Thank you.
KM