How can I verify if the code being run is the code presented?
support.signal.orghttps://signal.org/blog/reproducible-android/
https://github.com/signalapp/Signal-Android/blob/main/reprod...
This is awesome! thanks.
I guess for the back-end it's a little more difficult to verify? But i'm guessing Signal's security architecture is such that with a verifiable client build it would be tricky to mess with the server?
Signal do some interesting stuff with SGX and remote attestation.
https://signal.org/blog/private-contact-discovery/
"Originally designed for DRM applications, most SGX examples imagine an SGX enclave running on a client. This would allow a server to stream media content to a client enclave with the assurance that the client software requesting the media is the “authentic” software that will play the media only once, instead of custom software that reverse engineered the network API call and will publish the media as a torrent instead.
However, we can invert the traditional SGX relationship to run a secure enclave on the server. An SGX enclave on the server-side would enable a service to perform computations on encrypted client data without learning the content of the data or the result of the computation."
This means Signal server must run on Intel CPUs with SGX enabled?
Yeah - or at least all the ones doing contact discovery anyway.
I know companies and module developers _say_ they run the code which is publicly viewable on GitHub. But how can we be sure the server or client does not have additional code injected during the build process which would invalidate the otherwise secure framework they present to the public?