Jason A. Donenfeld
Jason at zx2c4.com

Tue Apr 11 10:27:21 UTC 2023

Hi folks,

The WireGuard Android app can now be reproducibly built, so that its contents
can be publicly verified. The F-Droid project now does this verification, by
comparing their build of WireGuard to the build that the WireGuard project
publishes. When they match, the new version becomes available. This is very
positive news.

As part of this development, we're taking the opportunity to unify the signing
keys used for WireGuard builds by F-Droid, the Google Play Store, and
elsewhere. Previously, F-Droid would release builds using their own signing
key [1], and the Google Play Store would release builds using yet a different
signing key [2]. Moving forward, both F-Droid and the Google Play Store will
release builds using the same signing key that the WireGuard project uses [3].
(That signing key is held in an HSM, details for which I dumped here [4].)

This means that it will be trivial to switch between F-Droid and the Google
Play Store as a source for downloading WireGuard, as well as for receiving
APKs directly from the WireGuard project, should we ever move to provide that.
It will also let the app be bundled with ROMs more easily and still be
updatable through any channel. And because the builds are reproducible,
interested parties will be able to verify that they're receiving the same code
from all places.

However, since the signing key is changing from the respective app store keys
to the WireGuard project key, a subset of users will need to remove and
re-install the app using this basic procedure:

    1. ⋮ -> Export tunnels to zip file.
    2. Uninstall the WireGuard app entirely.
    3. Reinstall the WireGuard app from the Google Play Store or F-Droid.
       * Be sure to install version ≥ 1.0.20230405.
    4. + -> Import from file or archive -> Downloads/wireguard-export.zip
    5. File Manager -> delete Downloads/wireguard-export.zip

But most users do not need to do this. Specifically:

  - Google Play Store users who do not care about interoperability with
    F-Droid or other app sources do *not* need to carry out the above steps, as
    the Google Play Store will continue serving updates using the old key.

  - All F-Droid users (and users of alternative Google Play Store frontends,
    such as Aurora) with WireGuard below version 1.0.20230405 *must* carry out
    the above in order to continue receiving updates from anywhere.

Hopefully this is relatively straightforward and not too much of an
inconvenience for those who care. I assume that F-Droid users are in general a
more technical crowd, and should be able to manage. Please let me know if you
have any questions or concerns.


[1] Old F-Droid signing key: d2ccbdf13c52e8905b02d9770dabae0b9d76ecdfe7533814134273ba959e2d3f
[2] Old Play Store signing key: 79758d2ae9cd8b9107c0f6e67ff9ff02d255f9191c5e83202129ec081b4960fd
[3] New WireGuard Project signing key: 84a13fa2c4e0064b0c11654b8a86574b7a9b9352a3834cee32455b061c3d4127
[4] YubiHSM APK signing details: https://github.com/Yubico/yubihsm-shell/issues/329
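
Added example, not part of the original message or the WireGuard project's code: a check of which of the three keys above signed an APK, and whether an update can replace an installed copy without the reinstall procedure. It assumes the footnote values are SHA-256 digests of the signing certificates in the form printed by `apksigner verify --print-certs`; the function names and the sample output are constructed for illustration.

```python
import re

# Fingerprints from footnotes [1]-[3] of the message above. Assumption: they are
# SHA-256 digests of the signing certificates, as apksigner prints them.
KNOWN_SIGNERS = {
    "d2ccbdf13c52e8905b02d9770dabae0b9d76ecdfe7533814134273ba959e2d3f": "old F-Droid key",
    "79758d2ae9cd8b9107c0f6e67ff9ff02d255f9191c5e83202129ec081b4960fd": "old Play Store key",
    "84a13fa2c4e0064b0c11654b8a86574b7a9b9352a3834cee32455b061c3d4127": "new WireGuard project key",
}
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.M)

def signer_digests(print_certs_output):
    """Extract signer certificate digests from `apksigner verify --print-certs` text."""
    return [d.lower() for d in DIGEST_RE.findall(print_certs_output)]

def classify(print_certs_output):
    """Name the signer; raise unless exactly one signer is present."""
    digests = signer_digests(print_certs_output)
    if len(digests) != 1:
        raise ValueError(f"expected exactly one signer, found {len(digests)}")
    return KNOWN_SIGNERS.get(digests[0], "UNKNOWN signer")

def needs_reinstall(installed_output, update_output):
    """True when the update's signer differs from the installed app's signer,
    i.e. the export/uninstall/reinstall procedure applies.
    This sketch ignores APK Signature Scheme v3 key rotation."""
    return signer_digests(installed_output) != signer_digests(update_output)

def sample_output(digest):
    """Constructed stand-in for apksigner output (not captured from a real APK)."""
    return ("Verifies\n"
            "Number of signers: 1\n"
            "Signer #1 certificate DN: CN=constructed-example\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n")

if __name__ == "__main__":
    old, new = list(KNOWN_SIGNERS)[0], list(KNOWN_SIGNERS)[2]
    installed, update = sample_output(old), sample_output(new)
    print(classify(installed), "->", classify(update),
          "| reinstall needed:", needs_reinstall(installed, update))
```

To run it against real files, pass the text printed by `apksigner verify --print-certs` for each APK to `classify` and `needs_reinstall`.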
