v2.0.5 Build Not Reproducible #2514

@xrviv

Issue Type: Build Reproducibility
Version: v2.0.5
Component: Electron AppImage (specter_desktop-v2.0.5-x86_64-linux-gnu.tar.gz)
Verification Date: 2025-12-19
Verifier: Daniel Garcia
Organization: WalletScrutiny.com


Summary

Attempted to reproduce the v2.0.5 Electron AppImage build from source using a containerized
environment matching your official build configuration (Ubuntu 22.04, Python 3.10, Node.js 18). The
resulting binary differs from the official release.

Status: NOT REPRODUCIBLE


Build Environment

Container: Ubuntu 22.04 (Jammy)

  • Python 3.10.12
  • Node.js 18.x
  • electron-builder 24.13.3
  • All dependencies from requirements.txt (with --require-hashes)

Build Command:

# Phase 1: Build specterd
virtualenv --python=python3.10 .buildenv
pip3 install -r requirements.txt --require-hashes
pyinstaller specterd.spec

# Phase 2: Build Electron app
cd pyinstaller/electron
npm install
npm run dist

Comparison Results

Official Release:
Tarball: specter_desktop-v2.0.5-x86_64-linux-gnu.tar.gz
SHA256: 8a187c4710085186e2618ef181e6d9d91e8d2175975055ef3724c187e977e991

AppImage: Specter-2.0.5.AppImage
SHA256: dbcd46b74d3adf21a626c7a9fc3c67dcff4009277e9d72eea167c6a097df808d
Size: 108,659,362 bytes

Built from Source:
AppImage: Specter-2.0.5.AppImage
SHA256: 669e7a0b3180ef8cf779c8f4a9b9dde6f037fde3259cac4721891ef49403fc06
Size: 108,429,545 bytes
Diff: -229,817 bytes

Result: Completely different hashes

Raw Results

===== Begin Results =====
appId:          specter-desktop
signer:         N/A
apkVersionName: 2.0.5
apkVersionCode: N/A
verdict:        
appHash:        669e7a0b3180ef8cf779c8f4a9b9dde6f037fde3259cac4721891ef49403fc06 (AppImage)
tarballHash:    8a187c4710085186e2618ef181e6d9d91e8d2175975055ef3724c187e977e991 (specter_desktop-v2.0.5-x86_64-linux-gnu.tar.gz)
commit:         v2.0.5

BUILDS MATCH BINARIES
Release: specter_desktop-v2.0.5-x86_64-linux-gnu.tar.gz (tarball hash: 8a187c4710085186e2618ef181e6d9d91e8d2175975055ef3724c187e977e991)
Compared: Specter-2.0.5.AppImage - x86_64-linux-gnu - 669e7a0b3180ef8cf779c8f4a9b9dde6f037fde3259cac4721891ef49403fc06 - 0 (DOESN'T MATCH)

SUMMARY
total: 1
matches: 0
mismatches: 1

===== Also ====
Entry point check: Not applicable for AppImage builds
Built files: 83, Official files: 83
Dependency version drift detected (npm packages)
Project acknowledges non-reproducibility in docs/build-instructions.md

===== End Results =====
 ---> Removed intermediate container 51e64b843c9d
 ---> 5cfabb372ac4
Successfully built 5cfabb372ac4
Successfully tagged specter-verifier:2-0-5-x86-64-linux-gnu-electron-gui-1766146013-3024467

Extracting results...

RESULTS

date: 2025-12-19T12:11:11+0000
script_version: v0.2.9
build_type: electron-gui
results:
  - architecture: x86_64-linux-gnu
    status: not_reproducible
    files:
      - filename: Specter-2.0.5.AppImage
        hash: 669e7a0b3180ef8cf779c8f4a9b9dde6f037fde3259cac4721891ef49403fc06
        match: false
    notes: "AppImage extracted from official tarball specter_desktop-v2.0.5-x86_64-linux-gnu.tar.gz (tarball hash: 8a187c4710085186e2618ef181e6d9d91e8d2175975055ef3724c187e977e991). Compared AppImage extracted from official tarball (specter_desktop-v2.0.5-x86_64-linux-gnu.tar.gz). Built 83 files vs official 83 files. Binary differs due to dependency version drift.

WalletScrutiny Verification Link
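
Added example, not part of the original issue or of the verifier script: a per-file comparison of the two extracted AppImage trees, which narrows a whole-image hash mismatch (83 files on each side here) down to the files that actually differ. The function names, directory names and sample file contents are constructed for illustration; it assumes both AppImages have already been unpacked (for instance with the AppImage runtime's `--appimage-extract` option).

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file's path (relative to root) to (sha256 hex, size)."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks so a link is never hashed as its target's content.
        if p.is_file() and not p.is_symlink():
            data = p.read_bytes()
            rel = p.relative_to(root).as_posix()
            out[rel] = (hashlib.sha256(data).hexdigest(), len(data))
    return out


def compare_trees(official, built):
    """Report files present on one side only and files whose content differs.

    For differing files the value is the size delta (built minus official).
    """
    a, b = hash_tree(official), hash_tree(built)
    common = sorted(a.keys() & b.keys())
    return {
        "only_official": sorted(a.keys() - b.keys()),
        "only_built": sorted(b.keys() - a.keys()),
        "differ": {n: b[n][1] - a[n][1] for n in common if a[n][0] != b[n][0]},
    }


def demo():
    """Constructed sample trees standing in for two extracted AppImages."""
    same = {"AppRun": b"#!/bin/sh\n", "resources/specterd": b"\x7fELF-same"}
    trees = {
        "official": {**same, "resources/app.asar": b"pkg@1.0.0" * 4},
        "built": {**same, "resources/app.asar": b"pkg@1.0.1" * 3},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for side, files in trees.items():
            for name, data in files.items():
                path = Path(tmp, side, name)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return compare_trees(Path(tmp, "official"), Path(tmp, "built"))


if __name__ == "__main__":
    print(demo())
```

Files listed under `differ` are the ones to inspect further, for example by unpacking `app.asar` and comparing the resolved npm package versions on each side.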
