In order to verify that the published source code was actually used to build the apps available for download in the stores, we provide reproducible builds.
Please note that Threema’s reproducible builds are still experimental. If a build cannot be reproduced, please let us know, and we’ll look into it.
Prerequisites: A command line environment including unzip as well as a
1. Determine App Version
In the Threema app on your phone, navigate to “Settings > About Threema,” and take note of the version. Export this information as well as the build variant (either googleplay or threemashop) into variables. For example, if you’re using the Google Play version of Threema 4.5-beta1 for Android:
$ export VERSION=4.5-beta1 VARIANT=googleplay
2. Extract the APK from Your Device
First, you need to extract the APK file from your phone. The recommended way to do this is by using Android Debug Bridge (adb) on a phone where Developer Mode and USB debugging are enabled. Run the following command (pm path may list several APK paths for an app installed as split APKs; the grep selects the base APK):
$ adb pull $(adb shell pm path ch.threema.app | grep "/base.apk" | sed 's/^package://') threema-extracted.apk
This will result in a file named threema-extracted.apk in your current directory.
There are also other ways to extract an APK file, e.g., by using backup apps or by means of a file manager on a rooted phone. How you obtain the APK is up to you.
Please note: If you use the Threema Shop version of Threema, you can also download the APK directly from the website instead of extracting it from your phone.
3. Load Docker Image
In order to reproduce the build, you need to load the Docker image containing the build environment that was used to generate the published app. The image can be downloaded from the Threema website.
$ cd /tmp
$ curl -LO https://oss.threema.ch/android/docker/docker-image-android-$VERSION.tar.gz
$ gunzip --stdout docker-image-android-$VERSION.tar.gz | docker image load
You can verify that the image was loaded properly by running docker image ls threema/android-compile.
4. Build Threema for Android
Next, you should compile Threema. First, clone the repository:
$ git clone https://github.com/threema-ch/threema-android
$ cd threema-android
Check out the tag corresponding to your app version.
$ git checkout $VERSION
Next, build the release APKs.
$ ./scripts/build-release.sh -v $VARIANT -n $VERSION --no-image-export --i-accept-the-android-sdk-license
This will result in an APK file at
5. Verify the Result
You can use the verify-build.sh script to verify the locally compiled APK against the extracted APK.
$ ./scripts/verify-build.sh -n $VERSION -v $VARIANT -p threema-extracted.apk
...
==> Comparing releases
==> Success! The APKs match.
If you get “Success” as log output, you have successfully verified that the app you have installed on your device corresponds to the published source code!
In case the verification fails, don’t panic! Please double-check that the version of the extracted APK corresponds to the source-code version you have checked out. If you are positive that this is correct, please send the log to firstname.lastname@example.org.
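What “the APKs match” has to mean here: the APK pulled from the device carries the store’s signature entries (META-INF/MANIFEST.MF, *.SF, *.RSA), while the local build is unsigned, so a byte-for-byte comparison of the two files would always fail; the meaningful check compares every other ZIP entry. The following is an added example of that comparison written in Python, not Threema’s own verify-build.sh (it is an assumption that the project’s script normalizes the signature entries in an equivalent way). The sample APKs it builds are constructed in the code so that it runs offline; pass two real APK paths on the command line to compare them instead.

```python
"""Compare a device-extracted APK against a locally built one, ignoring the
JAR (v1) signature entries that only the store-signed APK carries.
Added example; not Threema's verify-build.sh."""
import hashlib
import os
import sys
import tempfile
import zipfile
import re

# v1 signature metadata lives at the top level of META-INF/. The v2/v3 APK
# signing block sits outside the ZIP central directory, so zipfile never
# sees it and it needs no special handling here.
SIGNATURE_ENTRY = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")


def is_signature_entry(name: str) -> bool:
    return bool(SIGNATURE_ENTRY.match(name))


def content_digests(apk_path: str) -> dict:
    """Map every non-signature entry to the SHA-256 of its uncompressed bytes.
    Hashing the decompressed content makes compression-level differences
    between the two builds irrelevant."""
    digests = {}
    with zipfile.ZipFile(apk_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(device_apk: str, built_apk: str) -> list:
    """Return the sorted list of entries that differ (present on one side only,
    or different bytes). An empty list means the APKs match modulo signing."""
    a, b = content_digests(device_apk), content_digests(built_apk)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


# Constructed sample input: a miniature "APK" with the usual entry names.
def write_sample_apk(path: str, signed: bool, dex: bytes = b"dex\n035\x00base") -> str:
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='ch.threema.app'/>")
        zf.writestr("classes.dex", dex)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        if signed:  # what the store-signed APK has and the local build lacks
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82")  # placeholder, not real DER
    return path


def demo() -> tuple:
    """Signed device APK vs. an identical unsigned build, and vs. a build whose
    classes.dex differs. Returns (diffs_for_good_build, diffs_for_tampered_build)."""
    with tempfile.TemporaryDirectory() as d:
        device = write_sample_apk(os.path.join(d, "threema-extracted.apk"), signed=True)
        good = write_sample_apk(os.path.join(d, "local-build.apk"), signed=False)
        bad = write_sample_apk(os.path.join(d, "tampered.apk"), signed=False,
                               dex=b"dex\n035\x00patched")
        return compare_apks(device, good), compare_apks(device, bad)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        diffs = compare_apks(sys.argv[1], sys.argv[2])
        print("Success! The APKs match." if not diffs else "Mismatch in: " + ", ".join(diffs))
        sys.exit(1 if diffs else 0)
    good_diffs, bad_diffs = demo()
    print("identical build ->", good_diffs)  # []
    print("tampered build  ->", bad_diffs)   # ['classes.dex']
```

A non-empty list names exactly which entries differ, which is the first thing to look at if verify-build.sh reports a mismatch: a difference confined to classes.dex or resources.arsc usually points at a version or variant mix-up between the extracted APK and the checked-out tag.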
At the moment, reproducible builds are available for Threema’s Android app. Due to restrictions by Apple, it’s no easy task to offer reproducible builds for iOS, but we are currently evaluating possible ways to also support reproducible builds for this platform.