telegram-crawler/data/web/core.telegram.org/reproducible-builds.html
2023-01-25 15:24:12 +00:00

537 lines
41 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html class="">
<head>
<meta charset="utf-8">
<title>Reproducible Builds for iOS and Android</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta property="description" content="This page contains instructions for verifying that Telegram&#39;s open source code is exactly the same as the code that is used…">
<meta property="og:title" content="Reproducible Builds for iOS and Android">
<meta property="og:image" content="https://core.telegram.org/file/464001785/3/GqL9jQg6ChI.76277/1377819b17eaa4dcce">
<meta property="og:description" content="This page contains instructions for verifying that Telegram&#39;s open source code is exactly the same as the code that is used…">
<link rel="icon" type="image/svg+xml" href="/img/website_icon.svg?4">
<link rel="apple-touch-icon" sizes="180x180" href="/img/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/img/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/img/favicon-16x16.png">
<link rel="alternate icon" href="/img/favicon.ico" type="image/x-icon" />
<link href="/css/bootstrap.min.css?3" rel="stylesheet">
<link href="/css/telegram.css?234" rel="stylesheet" media="screen">
<style>
</style>
</head>
<body class="preload">
<div class="dev_page_wrap">
<div class="dev_page_head navbar navbar-static-top navbar-tg">
<div class="navbar-inner">
<div class="container clearfix">
<ul class="nav navbar-nav navbar-right hidden-xs"><li class="navbar-twitter"><a href="https://twitter.com/telegram" target="_blank" data-track="Follow/Twitter" onclick="trackDlClick(this, event)"><i class="icon icon-twitter"></i><span> Twitter</span></a></li></ul>
<ul class="nav navbar-nav">
<li><a href="//telegram.org/">Home</a></li>
<li class="hidden-xs"><a href="//telegram.org/faq">FAQ</a></li>
<li class="hidden-xs"><a href="//telegram.org/apps">Apps</a></li>
<li class=""><a href="/api">API</a></li>
<li class=""><a href="/mtproto">Protocol</a></li>
<li class=""><a href="/schema">Schema</a></li>
</ul>
</div>
</div>
</div>
<div class="container clearfix">
<div class="dev_page">
<div id="dev_page_content_wrap" class=" ">
<div class="dev_page_bread_crumbs"></div>
<h1 id="dev_page_title">Reproducible Builds for iOS and Android</h1>
<div id="dev_page_content"><p>This page contains instructions for verifying that Telegram&#39;s <a href="https://telegram.org/apps#source-code">open source code</a> is exactly the same as the code that is used to build the apps that are available in the <a href="https://telegram.org/dl/ios">App Store</a>, <a href="https://telegram.org/dl/android">Google Play</a> and <a href="https://telegram.org/android">directly</a> on the Telegram website.</p>
<p><strong>Warning:</strong> Telegram supports reproducible builds as of <a href="https://telegram.org/blog/verifiable-apps-and-more"><strong>version 5.13</strong></a>. Bear in mind that, at this stage, the verification process should be considered <strong>experimental</strong>. We will be updating our apps and these instructions to make this process as straightforward as possible.</p>
<ul>
<li><a href="#reproducible-builds-for-android">Telegram for Android</a></li>
<li><a href="#reproducible-builds-for-ios">Telegram for iOS</a></li>
</ul>
<blockquote>
<p>Please read the relevant <strong>notes</strong> and <a href="#troubleshooting">troubleshooting</a> section carefully.</p>
</blockquote>
<hr>
<div class="blog_wide_image">
<a href="/file/464001695/1/nxVa_f-qKS8.216020/9da7686ded6f1e7bef" target="_blank"><img src="/file/464001785/3/GqL9jQg6ChI.76277/1377819b17eaa4dcce" srcset="/file/464001695/1/nxVa_f-qKS8.216020/9da7686ded6f1e7bef, 1200w" title="Builds Telegram verifiable are." alt="Dude in a jacket inspecting the hologram of a mechanical dog to verify it's built according to the blueprints provided."/></a>
</div>
<h2><a class="anchor" name="reproducible-builds-for-android" href="#reproducible-builds-for-android"><i class="anchor-icon"></i></a>Reproducible Builds for Android</h2>
<h3><a class="anchor" name="step-1-install-docker" href="#step-1-install-docker"><i class="anchor-icon"></i></a>Step 1. Install Docker</h3>
<p>Docker can be obtained <a href="https://www.docker.com/">here</a>. Once the installation is complete, log into your Docker account &gt; Preferences &gt; Advanced and configure the amount of resources Docker may use:</p>
<div class="blog_image_wrap">
<a href="/file/464001855/2/KKDBKSKjE5I.159342/06f9af6592719a3d6e" target="_blank"><img src="/file/464001855/2/KKDBKSKjE5I.159342/06f9af6592719a3d6e" title="Docker Performance" /></a>
<p>Docker Performance</p>
</div>
<p>We recommend using the maximum amount allowed by your system&#39;s hardware, in order to speed up the build time.</p>
<h3><a class="anchor" name="step-2-confirm-which-version-you-have-installed-on-your-android" href="#step-2-confirm-which-version-you-have-installed-on-your-android"><i class="anchor-icon"></i></a>Step 2. Confirm which version you have installed on your Android device</h3>
<p>You can find the <strong>version/build</strong> number at the bottom of the Settings page. Note that Telegram supports reproducible builds starting with version <strong>5.13</strong>.</p>
<div class="blog_image_wrap">
<a href="/file/464001596/1/BdL82fVZIdg.72900/f22d064f20c6b40209" target="_blank"><img src="/file/464001596/1/BdL82fVZIdg.72900/f22d064f20c6b40209" title="App Version" /></a>
<p>App Version</p>
</div>
<p>The commit tag to checkout source code for the example above will be <code>release-5.13.0_1821</code>.</p>
<blockquote>
<p>Please make sure that you&#39;re using the correct <strong>version</strong> and <strong>build number</strong> of the version you want to check (and not the one from this example <img class="emoji" src="//telegram.org/img/emoji/40/F09F9888.png" width="20" height="20" alt="😈" />). </p>
</blockquote>
<!--
The part after the version number will help you know in which folder to look for the correct APK when you've finished [building the app (Step 4)](#step-4-build-the-app):
* “Direct” after version number means that the APK will be inside the “afat/standalone” folder.
* "Universal" after version number means that the APK will be inside the “afat/release” folder.
* If you have Android Version 6.0 or greater, your APK folder will have the “_SDK23” suffix.
* “arm64-v8a” - folder name will start with “arm64”.
* “armeabi-v7” - folder name will start with “armv7”.
* “x86” - folder name will start with “x86”.
* “x86_64” - folder name will start with “x64”.
-->
<div class="blog_image_wrap">
<a href="/file/464001368/2/fgnFkr2Id3Q.55259/d03599849440e62b52" target="_blank"><img src="/file/464001368/2/fgnFkr2Id3Q.55259/d03599849440e62b52" title="Relevant folder" /></a>
<p>APK Folders</p>
</div>
<h3><a class="anchor" name="step-3-obtain-the-source-code" href="#step-3-obtain-the-source-code"><i class="anchor-icon"></i></a>Step 3. Obtain the source code</h3>
<p>Open Terminal, run the commands:<br><code>git clone https://github.com/DrKLO/Telegram.git $HOME/telegram-android</code><br><code>cd $HOME/telegram-android</code><br><code>git checkout release-{VERSION AND BUILD NUMBER FROM STEP 2}</code></p>
<p>For our <a href="#step-2-confirm-which-version-you-have-installed-on-your-android">example</a>, the command would be:<br><code>git checkout release-5.13.0_1821</code></p>
<div class="blog_wide_image">
<a href="/file/464001840/1/5DrefLlg3vw.116770/8901e43605c30939d4" target="_blank"><img src="/file/464001840/1/5DrefLlg3vw.116770/8901e43605c30939d4" title="Obtaining the source code" /></a>
</div>
<h3><a class="anchor" name="step-4-build-the-app" href="#step-4-build-the-app"><i class="anchor-icon"></i></a>Step 4. Build the app</h3>
<p>Open Terminal, run the commands:<br><code>cd $HOME/telegram-android</code><br><code>docker build -t telegram-build .</code></p>
<div class="blog_wide_image">
<a href="/file/464001202/1/UyO3_tLDRPg.35170/31865250522be6db86" target="_blank"><img src="/file/464001202/1/UyO3_tLDRPg.35170/31865250522be6db86" title="Building the app" /></a>
</div>
<p><code>docker run --rm -v &quot;$PWD&quot;:/home/source telegram-build</code></p>
<div class="blog_wide_image">
<a href="/file/464001691/2/SFreJq5OZ4U.34208/f69b83468ac2a07276" target="_blank"><img src="/file/464001691/2/SFreJq5OZ4U.34208/f69b83468ac2a07276" title="Building the app" /></a>
</div>
<p>These commands will produce 3 different APKs and 2 bundles:</p>
<p><code>apk/standalone/app.apk</code> used for direct downloads from telegram.org/android<br><code>apk/release/app.apk</code> the playstore version<br><code>apk/release/app-huawei.apk</code> used exclusively for the Huawei store</p>
<p><code>bundle/bundleAfat_SDK23Release/TMessagesProj_App-bundleAfat_SDK23-release.aab</code><br><code>bundle/bundleAfatRelease/TMessagesProj_App-bundleAfat-release.aab</code></p>
<p>These APKs can be found in:<br><code>$HOME/telegram-android/TMessagesProj/build/outputs/apk/</code></p>
<p>Use the folder name from <a href="#step-2-confirm-which-version-you-have-installed-on-your-android">Step 2</a> to find the correct folder that holds the same APK as installed on your device. For example, for non-universal Android 9.0 arm64-v8a, the path to your APK will be:<br><code>$HOME/telegram-android/TMessagesProj/build/outputs/apk/arm64_SDK23/release/app.apk</code><br>Copy this APK to the root source directory by running this command in Terminal:<br><code>cp $HOME/telegram-android/TMessagesProj/build/outputs/apk/arm64_SDK23/release/app.apk $HOME/telegram-android/telegram_built.apk</code></p>
<div class="blog_wide_image">
<a href="/file/464001970/1/9nwL42h9lAU.32529/9b39cebcdb8c6daff7" target="_blank"><img src="/file/464001970/1/9nwL42h9lAU.32529/9b39cebcdb8c6daff7" title="Copy the APK" /></a>
</div>
<h3><a class="anchor" name="step-5-the-telegram-apk-installed-on-your-device" href="#step-5-the-telegram-apk-installed-on-your-device"><i class="anchor-icon"></i></a>Step 5. The Telegram APK installed on your device</h3>
<p>You will need <a href="https://developer.android.com/studio/releases/platform-tools.html#downloads">adb</a> for this step. </p>
<div class="blog_image_wrap">
<a href="/file/464001167/1/ekMuxStZVes.485894/eb0a512392500d53b3" target="_blank"><img src="/file/464001167/1/ekMuxStZVes.485894/eb0a512392500d53b3" title="ADB" /></a>
<p>ADB</p>
</div>
<blockquote>
<p>If you downloaded your APK <a href="https://telegram.org/android"><strong>directly from Telegram&#39;s website</strong></a>, use the package name <code>org.telegram.messenger.web</code> in this step. To verify the <strong>Google Play APK</strong>, use <code>org.telegram.messenger</code>.</p>
</blockquote>
<p>Connect your device to the computer, open Terminal, run the commands:<br><code>adb shell pm path org.telegram.messenger</code></p>
<div class="blog_wide_image">
<a href="/file/464001688/1/CJrBoBPxoKU.31587/670238fac9bc5f869d" target="_blank"><img src="/file/464001688/1/CJrBoBPxoKU.31587/670238fac9bc5f869d" title="ADB" /></a>
</div>
<p>The output will look something like this:<br><code>package:/data/app/org.telegram.messenger-_zOSURFEx2GpHM8UDF_PVg==/base.apk</code><br>By using this information, pull the APK from your device to $HOME/telegram-android using command:<br><code>adb pull /data/app/org.telegram.messenger-_zOSURFEx2GpHM8UDF_PVg==/base.apk $HOME/telegram-android/telegram_store.apk</code></p>
<h3><a class="anchor" name="step-6-compare-the-apks" href="#step-6-compare-the-apks"><i class="anchor-icon"></i></a>Step 6. Compare the APKs</h3>
<p>Open Terminal, run the commands:<br><code>cd $HOME/telegram-android</code><br><code>python apkdiff.py telegram_store.apk telegram_built.apk</code><br>If the APKs are the same, you will see<br><code>APKs are the same!</code></p>
<div class="blog_wide_image">
<a href="/file/464001327/1/Qcnkce3q-J4.35468/9791eeabf384c7830d" target="_blank"><img src="/file/464001327/1/Qcnkce3q-J4.35468/9791eeabf384c7830d" title="Match" /></a>
</div>
<p>Play Store versions built from a bundle will be marked as &#39;store bundled&#39;. To verify such builds, use:</p>
<p><code>python apkfrombundle.py telegram_bundle.aab telegram_store.apk</code></p>
<p>If anything goes wrong, you will see this:</p>
<div class="blog_wide_image">
<a href="/file/464001245/1/0wuFZh4wBYM.38635/bf90b5a321b44360fb" target="_blank"><img src="/file/464001245/1/0wuFZh4wBYM.38635/bf90b5a321b44360fb" title="Mismatch" /></a>
</div>
<p>If your APKs don&#39;t match, please make sure that you chose <a href="#step-2-confirm-which-version-you-have-installed-on-your-android">the correct code version</a> and <a href="#step-4-build-the-app">the right SDK</a>.</p>
<p>Check out the <a href="#troubleshooting">Troubleshooting</a> section first in case you run into trouble.</p>
<hr>
<h2><a class="anchor" name="reproducible-builds-for-ios" href="#reproducible-builds-for-ios"><i class="anchor-icon"></i></a>Reproducible Builds for iOS</h2>
<p>The verification process for iOS builds is, unfortunately, a lot more complex than for Android. The two main issues with Apple&#39;s current policies and infrastructure are as follows:</p>
<ol>
<li><p>Apple insists on using <strong>FairPlay</strong> encryption to “protect” even <strong>free</strong> apps from “app pirates” which makes obtaining the executable code of apps impossible without a jailbroken device. To solve this issue, Apple would simply need to allow submitting unencryptable binaries to the App Store. This would not affect security since the code would still be signed and would enable anyone to check the integrity of apps supporting reproducible builds without endangering the integrity and security of their devices.</p>
</li>
<li><p>Building your own reproducible binaries is difficult because macOS doesn&#39;t support containers like Docker. If Apple followed in the footsteps of Linux (and even Microsoft!) and added container support, it would eliminate the need for steps 1-3 in the guide below.</p>
</li>
</ol>
<blockquote>
<p>As things stand now, you&#39;ll need a <strong>jailbroken device</strong>, at least <strong>1,5 hours</strong> and approximately <strong>90GB</strong> of free space to properly set up a virtual machine for the verification process.</p>
</blockquote>
<p>To provide a stable and easily reproducible environment, Telegram iOS builds are compiled on a virtual machine. Parallels is used to verify the builds.</p>
<blockquote>
<p>Despite the compiler bugs introduced by Apple in <strong>Xcode 14</strong> (<a href="#troubleshooting-ios">read more</a>), we were able to restore deterministic builds using manually crafted linker flags. Use the steps below to verify builds compiled with XCode 13 and below, <a href="#ios-xcode-14">see here for XCode 14 instructions</a>.</p>
</blockquote>
<h3><a class="anchor" name="step-1-install-the-parallels-virtual-machine" href="#step-1-install-the-parallels-virtual-machine"><i class="anchor-icon"></i></a>Step 1. Install the Parallels virtual machine</h3>
<p>Parallels can be obtained <a href="https://www.parallels.com/">here</a>, it features a fully-functional trial version.</p>
<h3><a class="anchor" name="step-2-install-the-latest-version-of-macos-big-sur" href="#step-2-install-the-latest-version-of-macos-big-sur"><i class="anchor-icon"></i></a>Step 2. Install the latest version of macOS Big Sur</h3>
<p>To download an image that can be installed on the virtual machine, open the App Store, search for “Catalina” and click “View”.</p>
<div class="blog_image_wrap">
<a href="/file/464001442/2/kdNIHhlKvz4.940110/19c350a98ef2c2c164" target="_blank"><img src="/file/464001442/2/kdNIHhlKvz4.940110/19c350a98ef2c2c164" title="Search for macOS Catalina on App Store > View" /></a>
<p>Search for macOS Catalina on App Store > View</p>
</div>
<div class="blog_image_wrap">
<a href="/file/464001556/2/ZSibb9LRuCg.903011/8d1216a3b375d69651" target="_blank"><img src="/file/464001556/2/ZSibb9LRuCg.903011/8d1216a3b375d69651" title="macOS Catalina > Get" /></a>
<p>macOS Catalina > Get
</p>
</div>
<p>This will open a system pop-up offering to download the OS:</p>
<div class="blog_wide_image">
<a href="/file/464001021/1/zCJcO6j4L88.223192/6cccdc989a372734b0" target="_blank"><img src="/file/464001021/1/zCJcO6j4L88.223192/6cccdc989a372734b0" title="macOS Catalina > Download" /></a>
</div>
Choose “Download” and wait for the download to finish.
> If you were not using the latest version of the OS, your system may start updating instead. Please finish updating to download macOS Catalina.
When done, open Parallels and choose macOS Catalina:
<div class="blog_image_wrap">
<a href="/file/464001612/2/MX23LbMTi9s.387733/04fbf3e50047b87e99" target="_blank"><img src="/file/464001612/2/MX23LbMTi9s.387733/04fbf3e50047b87e99" title="Select 'Install Windows or another OS' > Continue" /></a>
<p>Select 'Install Windows or another OS' > Continue</p>
</div>
<div class="blog_image_wrap">
<a href="/file/464001694/1/WD85AiGle9A.404893/9c435d6582b9be04f6" target="_blank"><img src="/file/464001694/1/WD85AiGle9A.404893/9c435d6582b9be04f6" title="Select a file... > Applications (All files) > Install macOS Сatalina" /></a>
<p>Select a file... > Applications (All files) > Install macOS Сatalina</p>
</div>
<p>Before starting the installation, configure the virtual machine:</p>
<div class="blog_image_wrap">
<a href="/file/464001210/2/FVlrqHY_Vqw.231478/0167b02433bf413c67" target="_blank"><img src="/file/464001210/2/FVlrqHY_Vqw.231478/0167b02433bf413c67" title="Enable checkbox 'Customize settings before installation'" /></a>
<p>Checkbox 'Customize settings before installation'</p>
</div>
<p>Change the name of the virtual machine to <code>macos11_Xcode12_5_1</code></p>
<div class="blog_image_wrap">
<a href="/file/464001398/1/SB22XXoAWTg.151444/8e479c26b30ceccc01" target="_blank"><img src="/file/464001398/1/SB22XXoAWTg.151444/8e479c26b30ceccc01" title="Name VM as macos10_15_Xcode11_2" /></a>
<p>Name VM as macos10_15_Xcode12_2</p>
</div>
<p>Hardware &gt; Processors: 2-4<br>Memory &gt; 4GB may suffice but 8GB is recommended</p>
<div class="blog_image_wrap">
<a href="/file/464001494/1/_BIf-UvwS3Q.239110/d52cb48ec3d6e76e84" target="_blank"><img src="/file/464001494/1/_BIf-UvwS3Q.239110/d52cb48ec3d6e76e84" title="At least 2 CPUs + 4 (8 recommended) GB Memory." /></a>
<p>At least 2 CPUs + 4 (8 recommended) GB Memory.</p>
</div>
<p>You will get something like this:</p>
<div class="blog_image_wrap">
<a href="/file/464001423/2/yoakfT7DemM.200481/2fbd4e1d1fcbe60c9a" target="_blank"><img src="/file/464001423/2/yoakfT7DemM.200481/2fbd4e1d1fcbe60c9a" title="Click Continue" /></a>
<p>Click Continue</p>
</div>
<p>Parallels may request access to your microphone and camera, this is not required just press <strong>Close</strong>.</p>
<div class="blog_image_wrap">
<a href="/file/464001037/3/uPUYKKQ0JXY.1190506/9f9567853a1be5f194" target="_blank"><img src="/file/464001037/3/uPUYKKQ0JXY.1190506/9f9567853a1be5f194" title="Install macOS > Continue" /></a>
<p>Install macOS > Continue</p>
</div>
<p>Your Apple ID is also not required, you can choose <strong>Set Up Later</strong>.</p>
<div class="blog_image_wrap">
<a href="/file/464001885/3/-EDysKEKxN4.872188/4fd018cdc5b1e9f3f4" target="_blank"><img src="/file/464001885/3/-EDysKEKxN4.872188/4fd018cdc5b1e9f3f4" title="Skip Apple ID with 'Set Up Later'" /></a>
<p>Skip Apple ID with 'Set Up Later'</p>
</div>
<p>Use “telegram” for both the account name and password.</p>
<blockquote>
<p>Do not ever use the password “telegram” for <strong>anything</strong> else, it&#39;s cursed.</p>
</blockquote>
<div class="blog_image_wrap">
<a href="/file/464001994/1/uhQTRCzmHj0.805076/9fe8aaf3ade46b3bbf" target="_blank"><img src="/file/464001994/1/uhQTRCzmHj0.805076/9fe8aaf3ade46b3bbf" title="Create a computer account with 'telegram' set both as account name and password" class="dev_page_image" /></a>
<p>Create a computer account with 'telegram' set both as account name and password</p>
</div>
<p>Now install Parallels tools from the menu bar:</p>
<div class="blog_wide_image">
<a href="/file/464001486/1/kvHNFzvxjA8.2491846/d75c7b01cb0d3e4115" target="_blank"><img src="/file/464001486/1/kvHNFzvxjA8.2491846/d75c7b01cb0d3e4115" title="Install Parallels Tools using menu bar > Parallels icon > Actions > Install (Reinstall) Parallels Tools" /></a>
<a href="/file/464001061/5/Hiye9EUwr58.424786/543027492e073abd74" target="_blank"><img src="/file/464001061/5/Hiye9EUwr58.424786/543027492e073abd74" title="Install Parallels Tools" /></a>
<p>Install Parallels Tools using menu bar > Parallels icon > Actions > Install (Reinstall) Parallels Tools...</p>
</div>
<p>After the system restarts, log in.<br>Open <strong>Terminal</strong> and run:<br><code>sudo visudo</code><br>Enter the password “telegram”</p>
<div class="blog_wide_image">
<a href="/file/464001603/1/syuA7Rk-n2Q.40736/a5e73335e5c7d3a36c" target="_blank"><img src="/file/464001603/1/syuA7Rk-n2Q.40736/a5e73335e5c7d3a36c" title="Run Terminal on the VM, enter 'sudo visudo' > enter password (telegram)" /></a>
</div>
<p>Find this line at the end of the file:<br><code>%admin ALL=(ALL) ALL</code><br>Press “i” on your keyboard, add “NOPASSWD:”<br><code>%admin ALL=(ALL) NOPASSWD: ALL</code><br>Press Escape.<br>Type in “:wq”<br>Press Enter</p>
<div class="blog_wide_image">
<a href="/file/464001750/1/T6mMRrNkTUY.105833/6c491ac94ba52c30a0" target="_blank"><img src="/file/464001750/1/T6mMRrNkTUY.105833/6c491ac94ba52c30a0" title="Press i to edit the highlighted string" class="dev_page_image" /></a>
<p>Press i to edit the highlighted string.</p>
<a href="/file/464001078/1/fvlwH44qF9A.87241/d994289fe3967fbcd0" target="_blank"><img src="/file/464001078/1/fvlwH44qF9A.87241/d994289fe3967fbcd0" title="Enter :wq > press Enter" /></a>
<p>Enter :wq > press Enter.</p>
</div>
<p>In the terminal, run:<br><code>sudo systemsetup -setcomputersleep Never</code></p>
<div class="blog_wide_image">
<a href="/file/464001368/3/4nNsEU8siSo.54459/fdccb77de26ce89c25" target="_blank"><img src="/file/464001368/3/4nNsEU8siSo.54459/fdccb77de26ce89c25" title="sudo systemsetup -setcomputersleep Never > press Enter" /></a>
<p>sudo systemsetup -setcomputersleep Never > press Enter.</p>
</div>
<h3><a class="anchor" name="step-3-install-ssh-keys-on-the-virtual-machine" href="#step-3-install-ssh-keys-on-the-virtual-machine"><i class="anchor-icon"></i></a>Step 3. Install SSH keys on the virtual machine</h3>
<p>In the virtual machine, open System Settings &gt; Sharing and enable <strong>Remote Login</strong>.</p>
<div class="blog_wide_image">
<a href="/file/464001585/1/PEomlV3X5tY.2043293/4945fabb3f0dbc3498" target="_blank"><img src="/file/464001585/1/PEomlV3X5tY.2043293/4945fabb3f0dbc3498" title="Go to macOS Settings > Sharing > enable Remote Login" /></a>
</div>
<p>In the virtual machine, open Terminal and run:<br><code>mkdir -p .ssh; nano .ssh/authorized_keys</code></p>
<div class="blog_wide_image">
<a href="/file/464001545/2/D1m3uumpixY.80253/33723ae7bf268e4e7b" target="_blank"><img src="/file/464001545/2/D1m3uumpixY.80253/33723ae7bf268e4e7b" title="Enter mkdir -p .ssh; nano .ssh/authorized_keys > press Enter" /></a>
</div>
<p>In your main OS, open Terminal and run:<br><code>if [ ! -e ~/.ssh/id_rsa.pub ]; then ssh-keygen -t rsa -b 4096; fi &amp;&amp; cat ~/.ssh/id_rsa.pub | pbcopy</code></p>
<div class="blog_wide_image">
<a href="/file/464001768/1/UQHpZ06ximo.31911/c5244223a99661c5e9" target="_blank"><img src="/file/464001768/1/UQHpZ06ximo.31911/c5244223a99661c5e9" title="Terminal" /></a>
</div>
<p>If you see the line “Enter file in which to save the key (/Users/…/.ssh/id_rsa):”, press Enter<br>In the virtual machine, press <strong>CMD+V</strong><br>Then <strong>Ctrl+O</strong>, <strong>Ctrl+X</strong></p>
<div class="blog_wide_image">
<a href="/file/464001578/2/jHqc2jci2Ck.54202/7a0014ad6fb0d1c173" target="_blank"><img src="/file/464001578/2/jHqc2jci2Ck.54202/7a0014ad6fb0d1c173" title="Press Cmd+V > Ctrl+O > Ctrl+X." /></a>
</div>
<h3><a class="anchor" name="step-4-install-xcode-version-12-5-1" href="#step-4-install-xcode-version-12-5-1"><i class="anchor-icon"></i></a>Step 4. Install Xcode version 12.5.1</h3>
<p>In the virtual machine, open Safari and go to https://developer.apple.com<br>Sign in to your Account:</p>
<div class="blog_image_wrap">
<a href="/file/464001443/2/LhmF4qgPgn4.501969/6edbc244d8b9f8298e" target="_blank"><img src="/file/464001443/2/LhmF4qgPgn4.501969/6edbc244d8b9f8298e" title="developer.apple.com > Account > sign in with your Apple ID" /></a>
<p>developer.apple.com > Account > sign in with your Apple ID</p>
</div>
<p>Go to <strong>Downloads &gt; More</strong><br>Enter <strong>Xcode</strong> in the search field and find the version 12.5.1</p>
<div class="blog_image_wrap">
<a href="/file/464001260/1/njYJxQDnzzQ.664134/d4e8de0aed2d74d6e0" target="_blank"><img src="/file/464001260/1/njYJxQDnzzQ.664134/d4e8de0aed2d74d6e0" title="Downloads > More > 12.5.1" /></a>
<p>Downloads > More > Xcode 12.5.1</p>
</div>
<p>Once the installation is complete, open the file Xcode 12.5.1.xip. The system will unarchive the app into the same folder. Move it to the <strong>Applications</strong> folder using Finder.</p>
<div class="blog_image_wrap">
<a href="/file/464001707/1/GIIAXXifhbI.2058152/af989007034194b28b" target="_blank"><img src="/file/464001707/1/GIIAXXifhbI.2058152/af989007034194b28b" title="Unarchive Xcode > drag the app to Applications folder" /></a>
<p>Unarchive Xcode > drag the app to Applications folder</p>
</div>
<div class="blog_image_wrap">
<a href="/file/464001214/1/CZJfqS7Fhr8.2206987/d29e070d1cef8de8fb" target="_blank"><img src="/file/464001214/1/CZJfqS7Fhr8.2206987/d29e070d1cef8de8fb" title="Move Xcode to Applications using Finder > Run > Agree to install additional components" /></a>
</div>
<p>On the virtual machine, run this command from the terminal:<br><code>sudo xcode-select -s /Applications/Xcode.app/Contents/Developer</code></p>
<div class="blog_wide_image">
<a href="/file/464001410/1/OZcFX2KwPrg.49547/a84ac3100d693a3982" target="_blank"><img src="/file/464001410/1/OZcFX2KwPrg.49547/a84ac3100d693a3982" title="sudo xcode-select -s /Applications/Xcode.app/Contents/Developer" /></a>
</div>
<p>Shut down the virtual machine.</p>
<div class="blog_image_wrap">
<a href="/file/464001752/2/kos29MZFaJ0.3515145/88dff67ef53dbf4dcc" target="_blank"><img src="/file/464001752/2/kos29MZFaJ0.3515145/88dff67ef53dbf4dcc" title="Shut down the virtual machine" /></a>
<p>Shut down the virtual machine</p>
</div>
<h3><a class="anchor" name="step-4-1" href="#step-4-1"><i class="anchor-icon"></i></a>Step 4.1</h3>
<p>Download the certificates at https://github.com/TelegramMessenger/Telegram-iOS/tree/master/build-system/fake-codesigning/certs/distribution and install them into the virtual machine.</p>
<p>Launch Keychain Access and double-click the installed certificate. Under “Trust”, change “When using this certificate” to “Always Trust”.</p>
<h3><a class="anchor" name="step-5-obtaining-the-source-code" href="#step-5-obtaining-the-source-code"><i class="anchor-icon"></i></a>Step 5. Obtaining the source code</h3>
<p><code>git clone --recursive https://github.com/TelegramMessenger/telegram-ios.git $HOME/telegram-ios</code><br><code>cd $HOME/telegram-ios</code><br><code>git checkout release-${VERSION_NUMBER}</code></p>
<p>E.g., <code>git checkout release-7.3</code>. Please note that you need to check out the whole git history as the build version depends on the number of commits in the repository.</p>
<div class="blog_wide_image">
<a href="/file/464001402/3/U43d2T5SSGY.181052/c86e9e2a72b766e704" target="_blank"><img src="/file/464001402/3/U43d2T5SSGY.181052/c86e9e2a72b766e704" title="git clone" /></a>
</div>
<h3><a class="anchor" name="step-6-downloading-bazel-3-7-0-to-home-bazel-bazel" href="#step-6-downloading-bazel-3-7-0-to-home-bazel-bazel"><i class="anchor-icon"></i></a>Step 6. Downloading Bazel 3.7.0 to $HOME/bazel/bazel</h3>
<p><code>mkdir -p $HOME/bazel &amp;&amp; cd $HOME/bazel</code><br><code>curl -O -L https://github.com/bazelbuild/bazel/releases/download/3.7.0/bazel-3.7.0-darwin-x86_64</code><br><code>mv bazel-3.7.0-darwin-x86_64 bazel</code></p>
<p>Check that you have downloaded the correct version:<br><code>chmod +x bazel</code><br><code>./bazel --version</code></p>
<h3><a class="anchor" name="step-7-building-the-app" href="#step-7-building-the-app"><i class="anchor-icon"></i></a>Step 7. Building the app</h3>
<p>Open Terminal, run the commands:<br><code>cd $HOME/telegram-ios
BAZEL=&quot;$HOME/bazel/bazel&quot; sh buildbox/build-telegram.sh verify</code></p>
<div class="blog_wide_image">
<a href="/file/464001292/1/9vG9rIqfOK0.38309/7f7df70686fc4afc36" target="_blank"><img src="/file/464001292/1/9vG9rIqfOK0.38309/7f7df70686fc4afc36" title="Building the app" /></a>
</div>
<p>If the environment has been set up correctly, this will start the building process. Note that this step can easily take <strong>30-40 minutes</strong>. The average build time on a MacBook Pro (i9 6 core) is 35 minutes.</p>
<div class="blog_wide_image">
<a href="/file/464001704/1/_aK7gK-aRW4.80595/696c8283fe53f291bc" target="_blank"><img src="/file/464001704/1/_aK7gK-aRW4.80595/696c8283fe53f291bc" title="Building started" /></a>
<a href="/file/464001735/1/ymFowz-2P8c.33467/e29b2c4aaa736dc6a1" target="_blank"><img src="/file/464001735/1/ymFowz-2P8c.33467/e29b2c4aaa736dc6a1" title="Building completed" /></a>
</div>
<p>Once the process is complete the resulting IPA file can be found in <code>build/artifacts/Telegram.ipa</code><br>All the following steps will be made via Terminal on your main system.</p>
<h3><a class="anchor" name="step-8-downloading-a-decrypted-version-of-the-app-from-the-app-s" href="#step-8-downloading-a-decrypted-version-of-the-app-from-the-app-s"><i class="anchor-icon"></i></a>Step 8. Downloading a decrypted version of the app from the App Store</h3>
<p>This step requires a jailbroken device equipped with tools for decrypting apps. Wed love to make this process more simple but thats what you get for using Apple tech.</p>
<h3><a class="anchor" name="step-9-comparing-the-appstore-build-and-the-version-built-in-the" href="#step-9-comparing-the-appstore-build-and-the-version-built-in-the"><i class="anchor-icon"></i></a>Step 9. Comparing the AppStore build and the version built in the virtual machine</h3>
<p>Install the necessary tools:<br><code>if ! type brew &gt; /dev/null;
then /usr/bin/ruby -e &quot;$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)&quot;; fi &amp;&amp; brew install python3</code></p>
<div class="blog_wide_image">
<a href="/file/464001225/1/X65KiZyxvdQ.41739/c7f65f76cc4c827c5d" target="_blank"><img src="/file/464001225/1/X65KiZyxvdQ.41739/c7f65f76cc4c827c5d" title="Installing python" /></a>
</div>
<p><strong>Run</strong><br><code>python3 tools/ipadiff.py build/artifacts/Telegram.ipa PATH-TO-THE-IPA-FILE-FROM-STEP-9</code></p>
<ol>
<li>cd telegram-ios &gt; Enter</li>
<li>python3 tools/ipadiff.py build/artifacts/Telegram.ipa /path/ &gt; Enter</li>
</ol>
<div class="blog_wide_image">
<a href="/file/464001464/2/3skIXy_2ghc.41339/a62e0ea589b713438d" target="_blank"><img src="/file/464001464/2/3skIXy_2ghc.41339/a62e0ea589b713438d" title="Сomparing builds" /></a>
</div>
<p>In case of a successful comparison, you will get a text along these lines:</p>
<pre><code>IPAs are equal, except for the files that can&#39;t currently be checked:
Excluded files that couldn&#39;t be checked due to being encrypted:
PlugIns/SiriIntents.appex/SiriIntents
PlugIns/Widget.appex/Widget
PlugIns/NotificationContent.appex/NotificationContent
PlugIns/NotificationService.appex/NotificationService
PlugIns/Share.appex/Share
IPAs contain Watch directory with a Watch app which can&#39;t be checked currently.
IPAs contain .car (Asset Catalog) files that are compiled by the App Store and can&#39;t currently be checked:
Frameworks/TelegramUI.framework/Assets.car
Assets.car
IPAs contain .nib (compiled Interface Builder) files that are compiled by the App Store and can&#39;t currently be checked:
Base.lproj/LaunchScreen.nib</code></pre>
<div class="blog_wide_image">
<a href="/file/464001561/2/8mgy93NZXIg.138258/a0a0dca779416fba8a" target="_blank"><img src="/file/464001561/2/8mgy93NZXIg.138258/a0a0dca779416fba8a" title="The result > equal IPAs" /></a>
</div>
<p>In case of any mismatches, you&#39;ll get a detailed report.</p>
<div class="blog_wide_image">
<a href="/file/464001384/3/iSp-75NOtIU.58868/7b08b99752cdf7dd22" target="_blank"><img src="/file/464001384/3/iSp-75NOtIU.58868/7b08b99752cdf7dd22" title="Mismatching IPAs" /></a>
</div>
<hr>
<h4><a class="anchor" name="ios-xcode-14" href="#ios-xcode-14"><i class="anchor-icon"></i></a>iOS, XCode 14</h4>
<p>Due to compiler bugs introduced by Apple in <strong>Xcode 14</strong> (<a href="#troubleshooting-ios">read more</a>), you will need to use the modified instructions below to verify the latest builds:</p>
<p><strong>Remove steps 6, 7</strong></p>
<p><strong>Steps 1-4.1</strong> are replaced with:</p>
<h5><a class="anchor" name="running-darwin-containers" href="#running-darwin-containers"><i class="anchor-icon"></i></a>Running Darwin-Containers:</h5>
<ol>
<li>Checkout the latest DarwinContainers code: <code>git clone https://github.com/ali-fareed/darwin-containers.git</code></li>
<li>Open darwin-containers/DarwinContainers.xcodeproj</li>
<li>Select DarwinContainersDaemon target</li>
<li>In Signing &amp; Capabilities select your team and set a unique bundle id</li>
<li>Run</li>
</ol>
<h5><a class="anchor" name="creating-an-os-image" href="#creating-an-os-image"><i class="anchor-icon"></i></a>Creating an OS image:</h5>
<p><code>./darwin-containers fetch</code></p>
<p>Download the appropriate macOS restore image (e.g. 13.0):</p>
<p><code>./darwin-containers fetch &quot;macOS 13.0&quot;</code></p>
<p>Create a new OS image:</p>
<p><code>./darwin-containers create --source &quot;macOS 13.0&quot; --tag &quot;macos-13.0-xcode-14.1&quot; --manual</code></p>
<p>Follow the installation instructions. Set username to <code>containerhost</code> and password to <code>containerhost</code>.<br>Enable Remote Login and allow full disk access for remote users.<br>Connect to the guest VM using SSH with username <code>containerhost</code> and password <code>containerhost</code>.<br>Create directory <code>~/.ssh</code> and set up the <code>authorized_keys</code> using the public key string printed by the <code>darwin-containers create</code> command earlier.<br>Upload the appropriate version of Xcode via <code>scp</code> and install to /Applications. Run it at least once to complete installation.<br>Shutdown the guest OS.</p>
<h5><a class="anchor" name="obtaining-verification-ipa" href="#obtaining-verification-ipa"><i class="anchor-icon"></i></a>Obtaining verification IPA:</h5>
<p><code>python3 -u build-system/Make/Make.py remote-build --darwinContainers=&quot;path-to-darwin-containers-script&quot; --darwinContainersHost=&quot;unix://$HOME/.darwin-containers.sock&quot; --configurationPath=&quot;build-system/appstore-configuration.json&quot; --codesigningInformationPath=build-system/fake-codesigning --configuration=release_arm64</code></p>
<p>For more information see:</p>
<p><code>build-system/Make/RemoteBuild.py</code><br><code>.gitlab-ci.yml</code> lane <code>verify_beta_testflight</code></p>
<hr>
<h3><a class="anchor" name="ios-notes" href="#ios-notes"><i class="anchor-icon"></i></a>iOS: Notes</h3>
<ol>
<li><p>You will get a warning if the archive created in <a href="#step-7-building-the-app">Step 7</a> contains encrypted files. If all these files are in the <code>PlugIns</code> subfolder, they represent various system extensions (e.g. external sharing, Siri, 3D touch). Decrypting such files using existing ways of receiving app archives via Jailbreak is non-trivial (but we&#39;re working on resolving this issue). If you do manage to decrypt them, e.g. on iOS 8, they will be matched.</p>
</li>
<li><p>You will be notified if the archive includes an <strong>Apple Watch app</strong>. The watch app will soon no longer be included in the archive.</p>
</li>
<li><p>Files with the <code>.car</code> extension are app resource archives (images, sounds) which were compiled and processed specifically for the target device. The App Store processes them in non-trivial ways, we&#39;re planning on getting rid of them in future versions.</p>
</li>
<li><p>The <code>LaunchScreen.nib</code> file is an empty file containing a description of the interface which is displayed by the system before the app is launched. It is processed by the App Store in a non-trivial way but doesn&#39;t contain any code and therefore may be ignored.</p>
</li>
</ol>
<hr>
<h2><a class="anchor" name="troubleshooting" href="#troubleshooting"><i class="anchor-icon"></i></a>Troubleshooting</h2>
<p>If you encounter any issues with obtaining the code, building and comparing the apps, please contact us at <a href="https://t.me/botsupport">@BotSupport</a> and include the hashtag <code>#reproducibleBuilds</code> with your message describing the problem.</p>
<h3><a class="anchor" name="troubleshooting-android" href="#troubleshooting-android"><i class="anchor-icon"></i></a>Troubleshooting: Android</h3>
<ol>
<li><p>Make sure that you checkout <a href="#step-2-confirm-which-version-you-have-installed-on-your-android">the correct version</a> of the code.</p>
</li>
<li><p>Make sure that you build the app using <a href="#step-4-build-the-app">the right SDK</a>.</p>
</li>
<li><p>If the gradle version used in the Dockerfile is not available anymore and building of the Docker image fails, wait for a Dockerfile update or update manually to lastest available version.</p>
</li>
</ol>
<h3><a class="anchor" name="troubleshooting-ios" href="#troubleshooting-ios"><i class="anchor-icon"></i></a>Troubleshooting: iOS</h3>
<blockquote>
<p><strong>UPD:</strong> Despite the fact that the issue below persists, we were able to restore deterministic builds using manually crafted linker flags. See these updated <a href="#ios-xcode-14">steps for XCode 14</a>.</p>
</blockquote>
<p>Due to recent changes introduced in <strong>XCode 14</strong> by <strong>Apple</strong>, it is currently not possible to create <a href="#reproducible-builds-for-ios">reproducible builds for iOS</a> using tools officially supported by Apple. <strong>We will update this page as soon as Apple resolves the issue.</strong></p>
<p>To confirm the issue for yourself, follow these steps:</p>
<ol>
<li>Unzip <a href="https://core.telegram.org/resources/link-issue.zip">link-issue.zip</a></li>
<li><code>sh test-link.sh</code></li>
<li>Compare <code>link1.output</code> and <code>link.output</code>. Specifically:</li>
</ol>
<ul>
<li>With some probability, the ordering of the <code>LC_LOAD_DYLIB</code> commands will vary.</li>
<li>The <code>__LIKEDIT</code> section will <strong>always vary</strong>.</li>
</ul>
</div>
</div>
</div>
</div>
<div class="footer_wrap">
<div class="footer_columns_wrap footer_desktop">
<div class="footer_column footer_column_telegram">
<h5>Telegram</h5>
<div class="footer_telegram_description"></div>
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.
</div>
<div class="footer_column">
<h5><a href="//telegram.org/faq">About</a></h5>
<ul>
<li><a href="//telegram.org/faq">FAQ</a></li>
<li><a href="//telegram.org/privacy">Privacy</a></li>
<li><a href="//telegram.org/press">Press</a></li>
</ul>
</div>
<div class="footer_column">
<h5><a href="//telegram.org/apps#mobile-apps">Mobile Apps</a></h5>
<ul>
<li><a href="//telegram.org/dl/ios">iPhone/iPad</a></li>
<li><a href="//telegram.org/android">Android</a></li>
<li><a href="//telegram.org/dl/web">Mobile Web</a></li>
</ul>
</div>
<div class="footer_column">
<h5><a href="//telegram.org/apps#desktop-apps">Desktop Apps</a></h5>
<ul>
<li><a href="//desktop.telegram.org/">PC/Mac/Linux</a></li>
<li><a href="//macos.telegram.org/">macOS</a></li>
<li><a href="//telegram.org/dl/web">Web-browser</a></li>
</ul>
</div>
<div class="footer_column footer_column_platform">
<h5><a href="/">Platform</a></h5>
<ul>
<li><a href="/api">API</a></li>
<li><a href="//translations.telegram.org/">Translations</a></li>
<li><a href="//instantview.telegram.org/">Instant View</a></li>
</ul>
</div>
</div>
<div class="footer_columns_wrap footer_mobile">
<div class="footer_column">
<h5><a href="//telegram.org/faq">About</a></h5>
</div>
<div class="footer_column">
<h5><a href="//telegram.org/blog">Blog</a></h5>
</div>
<div class="footer_column">
<h5><a href="//telegram.org/apps">Apps</a></h5>
</div>
<div class="footer_column">
<h5><a href="/">Platform</a></h5>
</div>
<div class="footer_column">
<h5><a href="https://twitter.com/telegram" target="_blank" data-track="Follow/Twitter" onclick="trackDlClick(this, event)">Twitter</a></h5>
</div>
</div>
</div>
</div>
<script src="/js/main.js?47"></script>
<script>backToTopInit("Go up");
removePreloadInit();
</script>
</body>
</html>