Context
WalletScrutiny is an independent security research project that verifies whether Bitcoin and cryptocurrency wallet binaries can be reproduced from their public source code. We recently completed reproducible build verification for the Stack Wallet Linux AppImage v2.4.4 (sw-v2.4.4-linux.AppImage, SHA256 ae6f3f31c2c894384aa54bd481506ee6cc133a8de1d61aa18e96722b8d1c8809).
During this work we identified a discrepancy between what the build system produces and what is packaged in the official AppImage.
Finding
The official sw-v2.4.4-linux.AppImage does not contain frostdart.so in its lib/ directory.
We confirmed this by extracting the squashfs from the AppImage and listing its contents:
unsquashfs -o 944632 -d squashfs-root sw-v2.4.4-linux.AppImage
ls squashfs-root/lib/ | grep frost
# (no output)
When we build from the public source at commit edc19aa6a23052de854be0318190f82bdcc0a765 (the commit embedded in the official binary's libapp.so), with Rust 1.71.0 installed, the build produces frostdart.so at:
crypto_plugins/frostdart/scripts/linux/build/frostdart.so
The frostdart Flutter plugin's linux/CMakeLists.txt unconditionally installs this file into the bundle:
install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/../scripts/linux/build/frostdart.so"
DESTINATION "${INSTALL_BUNDLE_LIB_DIR}"
COMPONENT Runtime)
There is no OPTIONAL flag and no if(EXISTS ...) guard on this install directive. Our local build includes frostdart.so in the bundle; the official AppImage does not.
Related: Rust 1.71.0 not documented
crypto_plugins/frostdart/scripts/linux/build_all.sh hardcodes:
cargo +1.71.0 build --release ...
However, docs/building.md lists only rustup install 1.89.0 1.85.1 1.81.0 — Rust 1.71.0 is not mentioned anywhere in the documentation. Anyone following the official build instructions exactly will fail to compile frostdart for Linux.
Questions
- Was the omission of frostdart.so from the official AppImage intentional? For example, is FROST threshold signature functionality intentionally disabled or not supported on Linux desktop?
- If not intentional: what was the environment used to produce the official AppImage? Was frostdart compiled as part of that build? Is it possible the AppImage was packaged from a bundle where frostdart.so had not yet been built?
- Should docs/building.md list Rust 1.71.0? We plan to submit a PR with several corrections to docs/building.md (including the Flutter version, missing rsync dependency, and the Ubuntu 24.04 meson install method). We'd like to know whether to include Rust 1.71.0 in that PR, or whether it's intentionally absent from the Linux build path.
Thanks for the open-source work. We're happy to share our full build log or verification script if that's useful.
— WalletScrutiny team
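An added example, not part of the original report and not WalletScrutiny's verification script: how an offset for unsquashfs -o can be derived and checked instead of trusted, by reading the ELF header of the AppImage runtime and confirming the squashfs magic at the computed position. It assumes the usual type-2 AppImage layout in which the section header table is the last part of the runtime ELF; the function names and the sample bytes are constructed for illustration.

```python
import io
import struct

SQUASHFS_MAGIC = b"hsqs"  # little-endian squashfs superblock magic

def squashfs_offset(f):
    """Return the offset of the squashfs image appended to an ELF runtime.

    Assumption: the section header table is the last part of the ELF, so the
    payload starts at e_shoff + e_shentsize * e_shnum.
    """
    f.seek(0)
    hdr = f.read(64)
    if len(hdr) < 52 or hdr[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = {1: "<", 2: ">"}.get(hdr[5])
    if endian is None:
        raise ValueError("unknown ELF byte order")
    if hdr[4] == 2 and len(hdr) == 64:        # ELF64 header is 64 bytes
        (e_shoff,) = struct.unpack_from(endian + "Q", hdr, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", hdr, 0x3A)
    elif hdr[4] == 1:                          # ELF32 header is 52 bytes
        (e_shoff,) = struct.unpack_from(endian + "I", hdr, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", hdr, 0x2E)
    else:
        raise ValueError("unsupported or truncated ELF header")
    offset = e_shoff + e_shentsize * e_shnum
    f.seek(offset)
    if f.read(4) != SQUASHFS_MAGIC:
        raise ValueError(f"no squashfs magic at computed offset {offset}")
    return offset

def constructed_sample():
    """Constructed stand-in for an AppImage: a bare ELF64 header, two empty
    64-byte section headers, then a fake squashfs superblock."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 2, 0)
    return ident + rest + bytes(128) + SQUASHFS_MAGIC + bytes(92)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # path to a real AppImage
        with open(sys.argv[1], "rb") as fh:
            print(squashfs_offset(fh))
    else:
        print(squashfs_offset(io.BytesIO(constructed_sample())))  # 192
```

The returned number is the value to pass to unsquashfs -o; a ValueError means the file does not follow the assumed layout and the offset has to be located another way.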