Cwa-documentation: Verifying binary releases are built from CWA source code repositories

Created on 18 Jun 2020  ·  3 Comments  ·  Source: corona-warn-app/cwa-documentation

Hello Everyone,

and first of all: Good Work! I believe the Corona Warn App can be considered a very successful IT project. I was positively surprised many times throughout the decision making and implementation phases. Let's hope for the best when it comes to the adoption now.

I just recently looked into the code and compiled the (android app) application myself - building works flawlessly.

I appreciate the fact that all of this is open source. I am also aware that there are various issues (just like this one https://github.com/corona-warn-app/cwa-documentation/issues/214 or https://github.com/corona-warn-app/cwa-app-android/issues/508#issuecomment-644728557 etc.) discussing the aspect of not being able to compile the app(s) from source and run them productively on my own device. As far as I understood, the underlying reason for this is that an app has to be signed and the signature has to be accepted by the respective authorities in order to prevent bogus messages.

I believe this uncovers a fundamental flaw in the whole app lifecycle, as it seems unclear how a concerned user can make sure that the app binary uploaded to and delivered by the Google Play Store is actually the built-from-this-repository-source one. Many public discussions go in that direction; the whole "they might sneak in some unwanted code later" aspect is fueled by this. I also understand that the whole OSS complex has other implications, just like dependencies on proprietary Google Play APIs and so on.

I see various possible exits from this dilemma:

  • The documentation explicitly acknowledges the fact that the binary release delivered through app stores cannot be verified against any original source code. This statement is potentially harmful to the app's reputation, but it's the truth.
  • There in fact is a way to verify that the binary release delivered through an app store was compiled using code (and only that code) in these open repositories here, and the author of this post is just not aware of it. It's very likely that others are also not aware of it. They should know; this should be somewhere in the documentation, then.
  • With the ongoing development of the app and infrastructure, a way is implemented and illustrated how downloading, building and running your own release of the CWA can be achieved in the near future.

I invite you to explore and discuss further options. I am happy about any more insights on this.

It is my personal belief that there's no safer way to run open source software than building it yourself. What are your thoughts on this?

Sorry if this was already discussed somewhere, a quick check on the search function didn't bring enlightenment here. Feel free to mark this issue as a duplicate and close it, if necessary. Same if I just missed that aspect being present inside the documentation already!

Best & Thank You again,
Hendrik

Labels: documentation, duplicate, enhancement


All 3 comments

This is called "reproducible build".
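
The check a reproducible build makes possible, as an added illustration that is not part of this thread or of the CWA project's code: compare the entries of a store-delivered APK against an APK built locally from the same source, ignoring only the `META-INF/` signature block that a third party cannot regenerate without the release key. The APK contents below are constructed stand-ins; a real comparison additionally requires an identical toolchain and build inputs, and store distribution may re-sign or repackage the app.

```python
import hashlib
import io
import zipfile

# Signing metadata is the one part of a store APK a reproducible build cannot
# regenerate (the release key is not public), so it is excluded from the diff.
SIGNATURE_PREFIX = "META-INF/"

def apk_digests(apk_bytes):
    """Map each non-signature zip entry to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(store_apk, local_apk):
    """Return (identical, sorted names of entries that differ or are missing on one side)."""
    store, local = apk_digests(store_apk), apk_digests(local_apk)
    diffs = sorted(
        name for name in set(store) | set(local)
        if store.get(name) != local.get(name)
    )
    return (not diffs, diffs)

def make_apk(entries):
    """Build a minimal zip in memory (constructed stand-in for a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: the store build carries a signature block, the local
# build does not; everything else is byte-identical.
COMMON = {"classes.dex": b"dex\n035\x00...", "AndroidManifest.xml": b"<manifest/>"}
STORE_APK = make_apk({**COMMON, "META-INF/CERT.RSA": b"signature", "META-INF/MANIFEST.MF": b"mf"})
LOCAL_APK = make_apk(COMMON)
# A build whose classes.dex differs by a single byte must be reported.
TAMPERED_APK = make_apk({**COMMON, "classes.dex": b"dex\n035\x00..!"})

if __name__ == "__main__":
    print(compare_apks(STORE_APK, LOCAL_APK))     # (True, [])
    print(compare_apks(STORE_APK, TAMPERED_APK))  # (False, ['classes.dex'])
```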

Duplicate of #14

Potentially a duplicate of #14

See also the comment at https://github.com/corona-warn-app/cwa-documentation/issues/14#issuecomment-644292622 for the latest update of the maintainers.

Dear @hendrikb, thanks for bringing in this issue. However, as the other colleagues here (thanks, @darkdragon-001 and @ironjan) already mentioned, this is a duplicate and already addressed in #14.

Mit freundlichen Grüßen/Best regards,
SW
Corona Warn-App Open Source Team
