dlcarrier 2 days ago

I just download it from the repository. That's not an option on iOS, which is one of many anti-features.

  • aqueueaqueue 2 days ago

    If the threat vector is the code owner lying that their app is the same code as the repo, even downloading artefacts from that same repo is risky. Even the code itself should be manually read and verified.

JohnFen 2 days ago

They can't. The only way to be certain is to take that code and build the app yourself. If you're downloading a prebuilt binary, you have to trust that the author is correctly representing what it was built from.

This is even more true with SaaS, because the binaries used there can and do change without warning.

  • musfk 2 days ago

    If I am building an iOS app and decide to open source it to build trust with customers, it will not work.

feznyng 2 days ago

You might be interested in sigstore[1], although I'm not sure if/how it can be used in an iOS app.

[1] https://www.sigstore.dev/

  • 2rsf 8 hours ago

    If I understand correctly, sigstore can guarantee that the software is what the author intended, but it cannot guarantee that it was built from a specific source code. It is somewhat like web site certificates: you can register and have a valid certificate for "facenook.com" (someone actually did), but that doesn't mean that the web site is credible.

    It is really hard to verify that a binary is based on the same source code; in addition, libraries and the build environment are not always included in the repository itself.

    If you build the binary locally chances are that the binary will be slightly different, due to changes in the build environment for example. You will need to do a binary comparison and understand the reason and meaning of each change.
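An added example, not code from the thread or from any project mentioned in it, of the check JohnFen describes (rebuild from source and compare) and of the binary comparison 2rsf says you then have to do when the rebuilt artifact is not byte-identical. It hashes both artifacts, lists every differing byte range, and separates the ranges that fall inside regions you have already identified as nondeterministic (a build timestamp here) from the ones that still need an explanation. The "binary" format, the sample bytes and the known volatile region are constructed assumptions for the demonstration, not a real Mach-O or ELF layout.

```python
"""Reproducible-build check: downloaded artifact vs. a local rebuild.

Added example for the discussion above; the file format and sample bytes
are constructed, not taken from any real app or toolchain.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class DiffRange:
    """One maximal run of bytes that differ between the two artifacts."""
    offset: int
    length: int
    downloaded: bytes
    rebuilt: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> list[DiffRange]:
    """Return every maximal differing run; a trailing length mismatch counts too."""
    ranges: list[DiffRange] = []
    n = max(len(a), len(b))
    i = 0

    def same(k: int) -> bool:
        return k < len(a) and k < len(b) and a[k] == b[k]

    while i < n:
        if same(i):
            i += 1
            continue
        start = i
        while i < n and not same(i):
            i += 1
        ranges.append(DiffRange(start, i - start, a[start:i], b[start:i]))
    return ranges


def compare_artifacts(downloaded: bytes, rebuilt: bytes) -> dict:
    """Hash both artifacts; if they differ, attach the differing byte ranges."""
    identical = downloaded == rebuilt
    return {
        "identical": identical,
        "downloaded_sha256": sha256_hex(downloaded),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "diffs": [] if identical else diff_ranges(downloaded, rebuilt),
    }


def unexplained_diffs(result: dict, volatile_regions: list[tuple[int, int]]) -> list[DiffRange]:
    """Drop ranges that lie entirely inside a known-volatile (offset, length) region.

    Whatever remains is a difference you have not yet accounted for: a
    different compiler, a different library, or a genuine code change.
    """
    def covered(d: DiffRange) -> bool:
        return any(s <= d.offset and d.offset + d.length <= s + l for s, l in volatile_regions)

    return [d for d in result["diffs"] if not covered(d)]


# Constructed sample "binaries": 8-byte magic, a 10-byte ASCII build
# timestamp, then 64 bytes standing in for code.  (Assumption: the
# timestamp offset was found by inspecting the real format beforehand.)
MAGIC = b"FAKEBIN\x00"
CODE = bytes(range(32, 96))
DOWNLOADED = MAGIC + b"1700000000" + CODE
REBUILT_SAME_CODE = MAGIC + b"1700000099" + CODE                      # only the timestamp moved
REBUILT_PATCHED = MAGIC + b"1700000099" + CODE[:10] + b"\xff" + CODE[11:]  # timestamp AND one code byte
TIMESTAMP_REGION = (len(MAGIC), 10)


if __name__ == "__main__":
    for label, rebuilt in (("same code", REBUILT_SAME_CODE), ("patched", REBUILT_PATCHED)):
        res = compare_artifacts(DOWNLOADED, rebuilt)
        left = unexplained_diffs(res, [TIMESTAMP_REGION])
        print(label, "identical:", res["identical"],
              "ranges:", [(d.offset, d.length) for d in res["diffs"]],
              "unexplained:", [(d.offset, d.length, d.downloaded, d.rebuilt) for d in left])
```

On real artifacts the same idea is what format-aware tools such as diffoscope do for you: they decode the container (archive, executable, resource bundle) so a difference is reported as "timestamp in header X" rather than an opaque byte offset, which is what makes the "understand the reason and meaning of each change" step tractable.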