
Well, there are several ways to get read access to the iPhone's filesystem. You can grab the binary from the phone and verify that it's the same as when you compile the app on your own machine.

No one's going to do that for most apps though.



So, I'm not intimately familiar with the code signing process, but I imagine that the bundle on the iPhone wouldn't match the one you would get by compiling the source on your machine.

The former would be signed with Whisper Systems' distribution certificate, which you couldn't do on your system because you don't have their certificate.


Compared to other issues, I think stripping/ignoring signatures for comparison should be a fairly minor issue.
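As an added illustration of the "strip the signature, then compare" idea raised in the comment above (this is example code written for this page, not Whisper Systems' or anyone else's tooling): a small Mach-O normalizer that blanks the `LC_CODE_SIGNATURE` blob and the `__LINKEDIT` size fields before hashing. It assumes a thin, little-endian 64-bit Mach-O with the signature blob at the end of the file (the layout Apple's signer produces), and constructs two synthetic images that differ only in their signature blob to show the comparison. On a Mac the equivalent of `strip_signature` is `codesign --remove-signature`; the version here is deliberately simplified (no fat binaries, no 32-bit images) so the parsing is visible.

```python
"""Compare two Mach-O binaries while ignoring their code signatures.

Constructed example: builds two minimal 64-bit Mach-O images that differ only
in the LC_CODE_SIGNATURE blob, then shows they hash identically once the
signature and the __LINKEDIT sizes that depend on it are blanked.
"""
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<IiiIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32 bytes
# segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize,
#                     maxprot, initprot, nsects, flags
SEGMENT_FMT = "<II16sQQQQiiII"
SEGMENT_SIZE = struct.calcsize(SEGMENT_FMT)  # 72 bytes
# linkedit_data_command: cmd, cmdsize, dataoff, datasize
CODESIG_FMT = "<IIII"
CODESIG_SIZE = struct.calcsize(CODESIG_FMT)  # 16 bytes


def iter_load_commands(data):
    """Yield (offset, cmd, cmdsize) for every load command, with bounds checks."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short for a Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit not handled here)")
    off, end = HEADER_SIZE, HEADER_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        yield off, cmd, cmdsize
        off += cmdsize


def strip_signature(data):
    """Return a copy of `data` with everything the signer touched blanked:
    the signature blob itself is removed, the LC_CODE_SIGNATURE offsets are
    zeroed, and __LINKEDIT's vmsize/filesize (which grow to hold the blob)
    are zeroed. The load command is kept so the rest of the layout is stable."""
    buf = bytearray(data)
    cuts = []
    for off, cmd, cmdsize in iter_load_commands(data):
        if cmd == LC_CODE_SIGNATURE:
            if cmdsize != CODESIG_SIZE:
                raise ValueError("unexpected LC_CODE_SIGNATURE size")
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            if dataoff + datasize > len(data):
                raise ValueError("signature blob lies outside the file")
            cuts.append((dataoff, datasize))
            struct.pack_into("<II", buf, off + 8, 0, 0)  # zero dataoff/datasize
        elif cmd == LC_SEGMENT_64:
            segname = struct.unpack_from("<16s", data, off + 8)[0].rstrip(b"\0")
            if segname == b"__LINKEDIT":
                struct.pack_into("<Q", buf, off + 32, 0)  # vmsize
                struct.pack_into("<Q", buf, off + 48, 0)  # filesize
    # Delete from the back so earlier offsets stay valid.
    for dataoff, datasize in sorted(cuts, reverse=True):
        del buf[dataoff:dataoff + datasize]
    return bytes(buf)


def digest(data):
    return hashlib.sha256(data).hexdigest()


def same_modulo_signature(a, b):
    """True if the two images are byte-identical once signatures are ignored."""
    return digest(strip_signature(a)) == digest(strip_signature(b))


def build_image(payload, sig_blob):
    """Constructed fixture (not a real app): header, __LINKEDIT segment,
    LC_CODE_SIGNATURE, then `payload` as stand-in code and the blob at the end."""
    cmds_size = SEGMENT_SIZE + CODESIG_SIZE
    text_off = HEADER_SIZE + cmds_size
    sig_off = text_off + len(payload)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         2, cmds_size, 0, 0)
    linkedit = struct.pack(SEGMENT_FMT, LC_SEGMENT_64, SEGMENT_SIZE, b"__LINKEDIT",
                           0x1000, len(sig_blob), sig_off, len(sig_blob), 1, 1, 0, 0)
    codesig = struct.pack(CODESIG_FMT, LC_CODE_SIGNATURE, CODESIG_SIZE, sig_off, len(sig_blob))
    return header + linkedit + codesig + payload + sig_blob


if __name__ == "__main__":
    code = b"\x90" * 64
    local_build = build_image(code, b"dev-cert-signature")
    app_store = build_image(code, b"distribution-cert-signature-blob-longer")
    print("raw hashes differ:      ", digest(local_build) != digest(app_store))
    print("equal modulo signature: ", same_modulo_signature(local_build, app_store))
```

Two things the comparison does not cover: the signature blob also carries the entitlements, so a "stripped" match says nothing about them, and the payload itself will only match if the local build is bit-for-bit reproducible (same toolchain, flags and inputs), which is the harder problem discussed further down the thread.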


Isn't there a chance that different LLVM versions or flags end up building a slightly different binary?


And now you are aware of the difficulties in producing reproducible/deterministic builds. This would be a good starting point for further reading: https://wiki.debian.org/ReproducibleBuilds/About


Why not check the signature instead?



