selfhosted
/
padloc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
padloc/docs/checksums/ios/README.md

2.0 KiB
Raw Blame History

Checksums (iOS)

We use file checksums (SHA-256) to verify the source code you see matches the code served by our app. These are instructions for you to verify that too, so you don't have to trust us.

NOTE: These commands are meant for Linux and should also work on macOS. For Windows systems, we suggest you run them via WSL2.

Verify checksums against source code

Unfortunately, because we sign our iOS builds, it's not really possible to locally build the exact same file unless you had access to our certificates and keys. You can still see how we build them here, and see how to build unsigned ones yourself, though.

Verify what you're using has the same source code

  1. Download the ipa file.

    You can do that from our releases page or from the store you've downloaded it from, to make sure that wasn't tampered with in the process of uploading there.

  2. Download the latest sha256sum-ipa.txt checksum file:

    wget https://github.com/padloc/padloc/releases/latest/download/sha256sum-ipa.txt

  3. Verify checksum matches:

    sha256sum -c sha256sum-ipa.txt

    You should see the .ipa filename with an OK next to it for matching checksums. You'll get a warning at the end of the script if something didn't match.

    NOTE: If there's a warning about failing to find a file, your .ipa file probably doesn't match what sha256sum-ipa.txt expects, so you can change your .ipa file's name to Padloc.ipa (or whatever's in the file) for it to be found.

    Here's an illustrative example of success:

    ./Padloc.ipa: OK

    And one with a tampered file:

    ./Padloc.ipa: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match