Programming
tihunip, 2017-08-26 09:12:26

Is it possible to check whether the binary corresponds to the source code?

Hey!
Please tell me: here is, for example, a Telegram client binary from the App Store, and its sources are on GitHub. Is it possible to check that this binary was compiled from these sources?
So, can I trust it? You can put one thing on GitHub but compile something completely different.
How is this checked?
Thank you.
UPD
I read the comments - it turns out open source is not a guarantee of the absence of backdoors. It's sad - I lost a bet on a bottle of cognac :-)
Does anyone even do such a comparison, at least for popular applications?
It's the right thing to do, I think.
I remember a contest from Telegram with a prize of 200 thousand dollars for whoever deciphers Durov's correspondence. From that moment on, I and several acquaintances with whom I discussed the topic had the thought: "if there were backdoors and holes in the program, they would be found, because 200 thousand is good money."
It turns out that this is not so: it was only about holes, not about backdoors, and that contest created a false sense of security in me.


5 answer(s)
Zzzz9, 2017-08-26
@Zzzz9

Compile sources.

Saboteur, 2017-08-26
@saboteur_kiev

Depending on the compiler version, optimization flags and libraries used, the final binary may differ, so you can only compare by reproducing the original environment in which the binary was created.
A special case of verification is a digital signature, as proof that the current binary was compiled by the author (company), and not by someone who took the source code and compiled it themselves, adding something superfluous.
And if you take Java, for example, a bunch of timestamps are added to the .jar file during the build, so EVERY time there will be a different hash for the binary.
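To illustrate the .jar timestamp point above, here is an added example (not the answerer's code): two constructed archives with identical class-file contents but different build times get different raw hashes, while a comparison over entry contents, ignoring zip metadata, matches and still reports an added entry. All archive contents and timestamps are constructed stand-ins.

```python
import hashlib
import io
import zipfile


def raw_digest(data: bytes) -> str:
    """SHA-256 of the archive as shipped: covers zip headers, including timestamps."""
    return hashlib.sha256(data).hexdigest()


def entry_digests(data: bytes) -> dict:
    """Map each entry name to the SHA-256 of its content, ignoring zip metadata."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()}


def normalized_digest(data: bytes) -> str:
    """One digest over sorted (name, content-hash) pairs: build-time independent."""
    h = hashlib.sha256()
    for name, digest in sorted(entry_digests(data).items()):
        h.update(name.encode() + b"\0" + digest.encode() + b"\n")
    return h.hexdigest()


def diff_archives(a: bytes, b: bytes) -> dict:
    """Report entries that changed, are missing from b, or were added in b."""
    da, db = entry_digests(a), entry_digests(b)
    return {"changed": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
            "only_in_a": sorted(da.keys() - db.keys()),
            "only_in_b": sorted(db.keys() - da.keys())}


def build_jar(entries: dict, timestamp: tuple) -> bytes:
    """Constructed stand-in for a build: same files, but stamped with the build time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed sample inputs: the same "class files" built at two different times,
# plus a third build that smuggles in an extra class.
CLASSES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
           "app/Main.class": b"\xca\xfe\xba\xbe constructed bytecode"}
OFFICIAL = build_jar(CLASSES, (2017, 8, 26, 9, 12, 26))
REBUILT = build_jar(CLASSES, (2017, 8, 27, 10, 0, 0))
TAMPERED = build_jar({**CLASSES, "app/Extra.class": b"\xca\xfe\xba\xbe extra"},
                     (2017, 8, 27, 10, 0, 0))
```

Running `raw_digest(OFFICIAL) == raw_digest(REBUILT)` gives False while `normalized_digest` agrees for both, and `diff_archives(OFFICIAL, TAMPERED)` lists `app/Extra.class` under `only_in_b`; real reproducible-build checks also normalise things like entry order and file permissions.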

Griboks, 2017-08-26
@Griboks

No. Compilation is, strictly speaking, an irreversible process. However, hashes (md5) were invented for this. If encryption is protection against reading, then hashes are protection against spoofing. If the hashes match, then everything should be OK, but that is not certain. Now everyone stupidly trusts the official store, because "it cannot contain malicious applications."

Anton, 2017-08-26
@MoonMaster

Compile sources and check the hash.

CityCat4, 2017-08-26
@CityCat4

You can put one thing on GitHub but compile something completely different.

You can. OSS, from the point of view of information security, is good because you can analyze the source code and then build the program from that analyzed source. And yet everyone trusts the official repositories, believing that there can be no substitution, which of course is wrong, but generally accepted ...
