<h1 id="dev_page_title">Reproducible Builds for iOS and Android</h1>
<div id="dev_page_content"><p>This page contains instructions for verifying that Telegram's <a href="https://telegram.org/apps#source-code">open source code</a> is exactly the same as the code that is used to build the apps that are available in the <a href="https://telegram.org/dl/ios">App Store</a>, <a href="https://telegram.org/dl/android">Google Play</a> and <a href="https://telegram.org/android">directly</a> on the Telegram website.</p>
<p><strong>Warning:</strong> Telegram supports reproducible builds as of <a href="https://telegram.org/blog/verifiable-apps-and-more"><strong>version 5.13</strong></a>. Bear in mind that, at this stage, the verification process should be considered <strong>experimental</strong>. We will be updating our apps and these instructions to make this process as straightforward as possible.</p>
<ul>
<li><a href="#reproducible-builds-for-android">Telegram for Android</a></li>
<li><a href="#reproducible-builds-for-ios">Telegram for iOS</a></li>
</ul>
<blockquote>
<p>Please read the relevant <strong>notes</strong> and <a href="#troubleshooting">troubleshooting</a> section carefully.</p>
</blockquote>
<hr>
<div class="blog_wide_image">
<a href="/file/464001695/1/nxVa_f-qKS8.216020/9da7686ded6f1e7bef" target="_blank"><img src="/file/464001785/3/GqL9jQg6ChI.76277/1377819b17eaa4dcce" srcset="/file/464001695/1/nxVa_f-qKS8.216020/9da7686ded6f1e7bef, 1200w" title="Builds Telegram verifiable are." alt="Dude in a jacket inspecting the hologram of a mechanical dog to verify it's built according to the blueprints provided." /></a>
</div>
<h2><a class="anchor" name="reproducible-builds-for-android" href="#reproducible-builds-for-android"><i class="anchor-icon"></i></a>Reproducible Builds for Android</h2>
<p>Docker can be obtained <a href="https://www.docker.com/">here</a>. Once the installation is complete, log into your Docker account &gt; Settings &gt; Resources &gt; Advanced and configure the amount of resources Docker may use:</p>
<p>We recommend using the maximum amount allowed by your system's hardware, in order to speed up the build time.</p>
<h3><a class="anchor" name="step-2-confirm-which-version-you-have-installed-on-your-android" href="#step-2-confirm-which-version-you-have-installed-on-your-android"><i class="anchor-icon"></i></a>Step 2. Confirm which version you have installed on your Android device</h3>
<p>You can find the <strong>version/build</strong> number and the source (website, Play Store, Huawei Store) at the bottom of the Settings page. Note that Telegram supports reproducible builds starting with version <strong>5.13</strong>.</p>
<p>Please make sure that you're using the correct <strong>version</strong> and <strong>build number</strong> of the version you want to check (and not the one from this example <img class="emoji" src="//telegram.org/img/emoji/40/F09F9888.png" width="20" height="20" alt="😈" />).</p>
<p>The part after the version number will help you know in which folder to look for the correct APK when you've finished <a href="#step-4-build-the-app">building the app (Step 4)</a>:</p>
<ul>
<li>“Direct” after version number means that the APK will be inside the “afat/standalone” folder.</li>
<li>“Universal” after version number means that the APK will be inside the “afat/release” folder.</li>
<li>If you have Android Version 6.0 or greater, your APK folder will have the “_SDK23” suffix.</li>
<li>“arm64-v8a” - folder name will start with “arm64”.</li>
<li>“armeabi-v7” - folder name will start with “armv7”.</li>
</ul>
<h3><a class="anchor" name="step-3-obtain-the-source-code" href="#step-3-obtain-the-source-code"><i class="anchor-icon"></i></a>Step 3. Obtain the source code</h3>
<p>Open Terminal, run the commands:<br><code>git clone https://github.com/DrKLO/Telegram.git $HOME/telegram-android</code><br><code>cd $HOME/telegram-android</code><br><code>git checkout release-{VERSION AND BUILD NUMBER FROM STEP 2}</code></p>
<p>For our <a href="#step-2-confirm-which-version-you-have-installed-on-your-android">example</a>, the command would be:<br><code>git checkout release-5.13.0_1821</code></p>
<div class="blog_wide_image">
<a href="/file/464001840/1/5DrefLlg3vw.116770/8901e43605c30939d4" target="_blank"><img src="/file/464001840/1/5DrefLlg3vw.116770/8901e43605c30939d4" title="Obtaining the source code" /></a>
</div>
<h3><a class="anchor" name="step-4-build-the-app" href="#step-4-build-the-app"><i class="anchor-icon"></i></a>Step 4. Build the app</h3>
<p>Open Terminal, run the commands:<br><code>cd $HOME/telegram-android</code><br><code>docker build -t telegram-build .</code></p>
<div class="blog_wide_image">
<a href="/file/464001202/1/UyO3_tLDRPg.35170/31865250522be6db86" target="_blank"><img src="/file/464001202/1/UyO3_tLDRPg.35170/31865250522be6db86" title="Building the app" /></a>
</div>
<p><code>docker run --rm -v "$PWD":/home/source telegram-build</code></p>
<div class="blog_wide_image">
<a href="/file/464001691/2/SFreJq5OZ4U.34208/f69b83468ac2a07276" target="_blank"><img src="/file/464001691/2/SFreJq5OZ4U.34208/f69b83468ac2a07276" title="Building the app" /></a>
<a href="/file/464001014/116e8/0BQSMuzynOI.10222/1293c6fc237ab85f7e" target="_blank"><img src="/file/464001014/116e8/0BQSMuzynOI.10222/1293c6fc237ab85f7e" title="Building the app" /></a>
<p><code>/apk/afat/standalone/app.apk</code> – used for direct downloads from telegram.org/android<br><code>/apk/afat/release/app.apk</code> – the Play Store version<br><code>/apk/afat/release/app-huawei.apk</code> – used exclusively for the Huawei Store</p>
<p>Use the folder name from <a href="#step-4-build-the-app">Step 4</a> to find the correct folder that holds the same APK as installed on your device. For example, for the Play Store version, the path to your APK will be:</p>
<p><code>$HOME/telegram-android/TMessagesProj/build/outputs/apk/afat/release/app.apk</code><br>Copy this APK to the root source directory by running this command in Terminal:<br><code>cp $HOME/telegram-android/TMessagesProj/build/outputs/apk/afat/release/app.apk $HOME/telegram-android/telegram_built.apk</code></p>
<a href="/file/464001970/1/9nwL42h9lAU.32529/9b39cebcdb8c6daff7" target="_blank"><img src="/file/464001970/1/9nwL42h9lAU.32529/9b39cebcdb8c6daff7" title="Copy the APK" /></a>
</div>
<h3><a class="anchor" name="step-5-the-telegram-apk-installed-on-your-device" href="#step-5-the-telegram-apk-installed-on-your-device"><i class="anchor-icon"></i></a>Step 5. The Telegram APK installed on your device</h3>
<p>You will need <a href="https://developer.android.com/studio/releases/platform-tools.html#downloads">adb</a> for this step.</p>
<blockquote>
<p>If you downloaded your APK <a href="https://telegram.org/android"><strong>directly from Telegram's website</strong></a>, use the package name <code>org.telegram.messenger.web</code> in this step. To verify the <strong>Google Play APK</strong>, use <code>org.telegram.messenger</code>.</p>
</blockquote>
<p>Connect your device to the computer, open Terminal, run the commands:<br><code>adb shell pm path org.telegram.messenger</code></p>
<p>The output will look something like this:<br><code>package:/data/app/org.telegram.messenger-_zOSURFEx2GpHM8UDF_PVg==/base.apk</code><br>Using this information, pull the APK from your device to <code>$HOME/telegram-android</code> with the command:<br><code>adb pull /data/app/org.telegram.messenger-_zOSURFEx2GpHM8UDF_PVg==/base.apk $HOME/telegram-android/telegram_store.apk</code></p>
<h3><a class="anchor" name="step-6-compare-the-apks" href="#step-6-compare-the-apks"><i class="anchor-icon"></i></a>Step 6. Compare the APKs</h3>
<p>To compare Direct and Huawei Store versions, open Terminal, run the commands:<br><code>cd $HOME/telegram-android</code><br><code>python apkdiff.py telegram_store.apk telegram_built.apk</code><br>If the APKs are the same, you will see<br><code>APKs are the same!</code></p>
<p>If your APKs don't match, please make sure that you chose <a href="#step-2-confirm-which-version-you-have-installed-on-your-android">the correct code version</a> and <a href="#step-4-build-the-app">the right SDK</a>.</p>
<p>Check out the <a href="#troubleshooting">Troubleshooting</a> section first in case you run into trouble.</p>
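<p>The comparison in Step 6 can be pictured with the following added example, which is not Telegram's <code>apkdiff.py</code> and not code from this page: it hashes every entry of two APKs and ignores only the v1 signing files under <code>META-INF/</code>, since a local build is not signed with the publisher's release key. The helper names, the list of signing suffixes and the in-memory sample APKs are assumptions constructed for the illustration.</p>

```python
import hashlib
import io
import zipfile

# Assumption: v1 (JAR) signing artifacts under META-INF/ end with one of these.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signing_file(name):
    """True for META-INF signature artifacts, which differ between signers."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES)


def entry_digests(apk):
    """Map each non-signature entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_file(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, built_apk):
    """Return (only_in_store, only_in_built, changed) as sorted lists of entry names."""
    store, built = entry_digests(store_apk), entry_digests(built_apk)
    only_store = sorted(store.keys() - built.keys())
    only_built = sorted(built.keys() - store.keys())
    changed = sorted(n for n in store.keys() & built.keys() if store[n] != built[n])
    return only_store, only_built, changed


def make_apk(entries):
    """Build a constructed in-memory APK (zip) from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf


if __name__ == "__main__":
    # Constructed sample contents; a real run would pass the two .apk file paths.
    code = {"classes.dex": b"dex-bytes", "lib/arm64-v8a/libnative.so": b"native"}
    store = make_apk({**code, "META-INF/CERT.RSA": b"release-key-signature"})
    rebuilt = make_apk({**code, "META-INF/CERT.RSA": b"local-signature"})
    tampered = make_apk({**code, "classes.dex": b"dex-bytes-plus-extra"})
    print(compare_apks(store, rebuilt))   # ([], [], [])
    print(compare_apks(store, tampered))  # ([], [], ['classes.dex'])
```

<p>An entry-by-entry comparison also leaves out the APK Signing Block used by signature scheme v2 and later, because that block is stored outside the zip entries.</p>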
<hr>
<h2><a class="anchor" name="reproducible-builds-for-ios" href="#reproducible-builds-for-ios"><i class="anchor-icon"></i></a>Reproducible Builds for iOS</h2>
<p>The verification process for iOS builds is, unfortunately, a lot more complex than for Android. The two main issues with Apple's current policies and infrastructure are as follows:</p>
<ol>
<li><p>Apple insists on using <strong>FairPlay</strong> encryption to “protect” even <strong>free</strong> and <strong>open source</strong> apps from “app pirates” which makes obtaining the executable code of apps impossible without a jailbroken device. To solve this issue, Apple would simply need to allow submitting unencryptable binaries to the App Store. This would not affect security since the code would still be signed – and would enable anyone to check the integrity of apps supporting reproducible builds without endangering the integrity and security of their devices.</p>
</li>
<li><p>Building your own reproducible binaries is difficult because macOS doesn't support containers like Docker. If Apple followed in the footsteps of Linux (and even Microsoft!) and added container support, it would eliminate the need for steps 1-3 in the guide below.</p>
</li>
</ol>
<blockquote>
<p>As things stand now, you'll need a <strong>jailbroken device</strong>, at least <strong>1,5 hours</strong> and approximately <strong>90GB</strong> of free space to properly set up a virtual machine for the verification process.</p>
</blockquote>
<li>In Signing & Capabilities select your team and set a unique bundle id</li>
<li>Run</li>
</ol>
<h3><a class="anchor" name="step-2-creating-an-os-image" href="#step-2-creating-an-os-image"><i class="anchor-icon"></i></a>Step 2. Creating an OS image</h3>
<p>Check <a href="https://github.com/TelegramMessenger/Telegram-iOS/blob/master/versions.json">versions.json</a> for information on the relevant macOS and Xcode versions.</p>
<p>Follow the installation instructions. Set username to <code>containerhost</code> and password to <code>containerhost</code>.</p>
<p>Enable Remote Login and allow full disk access for remote users.</p>
<p>Connect to the guest VM using SSH with username <code>containerhost</code> and password <code>containerhost</code>.</p>
<p>Create the directory <code>~/.ssh</code> and set up the <code>authorized_keys</code> using the public key string printed by the <code>darwin-containers create</code> command earlier.</p>
<p>Upload the appropriate version of Xcode via <code>scp</code> and install to /Applications. Run it at least once to complete installation. Don't forget to download the <strong>iOS SDK</strong>.</p>
<p>E.g., <code>git checkout release-7.3</code>. Please note that you need to check out the whole git history as the build version depends on the number of commits in the repository.</p>
<h3><a class="anchor" name="step-5-downloading-a-decrypted-version-of-the-app-from-the-app-s" href="#step-5-downloading-a-decrypted-version-of-the-app-from-the-app-s"><i class="anchor-icon"></i></a>Step 5. Downloading a decrypted version of the app from the App Store</h3>
<p>This step requires a jailbroken device equipped with tools for decrypting apps. We'd love to make this process simpler, but that's what you get for using Apple tech.</p>
<h3><a class="anchor" name="step-6-comparing-the-appstore-build-and-the-version-built-in-the" href="#step-6-comparing-the-appstore-build-and-the-version-built-in-the"><i class="anchor-icon"></i></a>Step 6. Comparing the AppStore build and the version built in the virtual machine</h3>
<pre><code>IPAs contain Watch directory with a Watch app which can't be checked currently.
IPAs contain .car (Asset Catalog) files that are compiled by the App Store and can't currently be checked:
    Frameworks/TelegramUI.framework/Assets.car
    Assets.car
IPAs contain .nib (compiled Interface Builder) files that are compiled by the App Store and can't currently be checked:
    Base.lproj/LaunchScreen.nib</code></pre>
<div class="blog_wide_image">
<a href="/file/464001561/2/8mgy93NZXIg.138258/a0a0dca779416fba8a" target="_blank"><img src="/file/464001561/2/8mgy93NZXIg.138258/a0a0dca779416fba8a" title="The result &gt; equal IPAs" /></a>
</div>
<p>In case of any mismatches, you'll get a detailed report.</p>
<ol>
<li><p>You will get a warning if the archive created in <a href="#step-5-downloading-a-decrypted-version-of-the-app-from-the-app-s">Step 5</a> contains encrypted files. If all these files are in the <code>PlugIns</code> subfolder, they represent various system extensions (e.g. external sharing, Siri). Decrypting such files using existing ways of receiving app archives via Jailbreak is non-trivial (but we're working on resolving this issue). If you do manage to decrypt them, e.g. on iOS 8, they will be matched.</p>
</li>
<li><p>Files with the <code>.car</code> extension are app resource archives (images, sounds) which were compiled and processed specifically for the target device. The App Store processes them in non-trivial ways; we're planning on getting rid of them in future versions.</p>
</li>
<li><p>The <code>LaunchScreen.nib</code> file is an empty file containing a description of the interface which is displayed by the system before the app is launched. It is processed by the App Store in a non-trivial way but doesn't contain any code and therefore may be ignored.</p>
</li>
</ol>
<p>If you encounter any issues with obtaining the code, building and comparing the apps, please contact us at <a href="https://t.me/botsupport">@BotSupport</a> and include the hashtag <code>#reproducibleBuilds</code> with your message describing the problem.</p>
<ol>
<li><p>Make sure that you check out <a href="#step-2-confirm-which-version-you-have-installed-on-your-android">the correct version</a> of the code.</p>
</li>
<li><p>Make sure that you build the app using <a href="#step-4-build-the-app">the right SDK</a>.</p>
</li>
<li><p>If the Gradle version used in the Dockerfile is no longer available and building the Docker image fails, wait for a Dockerfile update or update manually to the latest available version.</p>
</li>
</ol>
</div>
</div>
</div>
</div>