Reproducible builds, better build/download verification, etc #58

Open
mtigas opened this issue Mar 12, 2015 · 4 comments

Comments

@mtigas
Member

mtigas commented Mar 12, 2015

Part of this is a reminder to check activity on signalapp/Signal-iOS#641.


User download validation:

Given OnionBrowser.app/, everything inside other than SC_Info and iTunes{Artwork,Metadata.plist} will be identical among end users. Those files will vary from user-to-user — see this comment for lots more technical detail about this.

So, we can check these files for integrity; this check means that we’re sure that the copy they downloaded from Apple matches a copy that someone else downloaded from Apple. However, this does not mean that the app was not tampered with since I compiled it. (That’s reproducibility, below.)

Ghetto version of this verification in some release notes already — https://github.com/OnionBrowser/iOS-OnionBrowser/releases/tag/v1.5.12


Reproducibility:

In the "identical" files above, everything other than the OnionBrowser.app/OnionBrowser binary should be identical from build-time all the way through to the end user's downloaded .ipa. The binary is modified by Apple’s DRM (again, this comment describes it well).

With a jailbroken device (to decrypt the Payload/OnionBrowser.app/OnionBrowser binary and sort of pick away the Apple codesigning magicks), the binary could maybe be verified from build-time through to App Store .ipa, too.

This one’s the hard part.
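Added example, not part of the original issue or the project's code: the two comparisons described in the post above, done over `.ipa` archives in Python. It hashes every file except the per-user ones (`SC_Info`, `iTunesArtwork`, `iTunesMetadata.plist`) for the user-to-user check, and also drops the DRM-modified binary for the build-to-store check. The sample archives and the file names inside them are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Per-user files named in the issue; they differ between downloads by design.
PER_USER_DIRS = {"SC_Info"}
PER_USER_FILES = {"iTunesArtwork", "iTunesMetadata.plist"}
# Main binary: modified by Apple's DRM, so it only matches between store copies.
APP_BINARY = "Payload/OnionBrowser.app/OnionBrowser"


def manifest(ipa, include_binary=True):
    """Map each comparable file in an .ipa (path or file object) to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(ipa) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            if info.is_dir() or PER_USER_DIRS & set(parts):
                continue
            if parts[-1] in PER_USER_FILES:
                continue
            if not include_binary and info.filename == APP_BINARY:
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff(a, b):
    """Return sorted paths that are missing on one side or hash differently."""
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))


def sample_ipa(binary, per_user, extra=b"<plist/>"):
    """Constructed sample data: a tiny in-memory stand-in for a real .ipa."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("iTunesMetadata.plist", per_user)
        zf.writestr("Payload/OnionBrowser.app/SC_Info/OnionBrowser.sinf", per_user)
        zf.writestr("Payload/OnionBrowser.app/Info.plist", extra)
        zf.writestr(APP_BINARY, binary)
    return buf


if __name__ == "__main__":
    user_a = sample_ipa(b"drm-binary", b"account-a")
    user_b = sample_ipa(b"drm-binary", b"account-b")
    local = sample_ipa(b"unsigned-binary", b"")
    print("user vs user:", diff(manifest(user_a), manifest(user_b)))
    print("build vs store:", diff(manifest(local, False), manifest(user_a, False)))
```

An empty list means the two copies agree on every compared file; any path returned is a file to inspect by hand.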

@paulshapiro

I've commented on the Signal issue in an attempt to open up the discussion about what practical steps we can take to get Apple to support this. Please feel free to comment as I believe this initiative will require dev-community-wide support.

signalapp/Signal-iOS#641

@DavidMOliver

DavidMOliver commented Jun 18, 2018

I want to assign this to milestone number 2.3

@tladesignz
Contributor

@DavidMOliver: Neeee. Bad idea. This is currently unattainable as it seems. (See link to Signal-iOS issue in the original issue text.)

@DavidMOliver

OK, I will drop this item from our Milestones. Let's assign to "Milestone 3.0", please

@tladesignz tladesignz added this to the 3.0 milestone Jun 19, 2018
@OnionBrowser OnionBrowser deleted a comment from 123456789-bb Feb 10, 2022
@tladesignz tladesignz removed this from the 3.0.0 milestone Jun 15, 2023