Dear Tangem Team,
I'm Daniel Garcia from WalletScrutiny.com, and I've been working on verifying the
reproducibility of your Android wallet application.
Good News - Major Progress:
I'm pleased to report that the private submodule issue that blocked all previous verification
attempts (2024-2025) has been resolved. The repository now builds without authentication
errors, which is a significant improvement toward open source transparency. The MR has been
merged and would be reflected on the Tangem page of the WalletScrutiny.com website shortly.
Remaining Build Blocker:
The build currently fails at the Firebase/Google Services configuration step:
Task :app:processGoogleReleaseGoogleServices FAILED
No matching client found for package name 'com.tangem.wallet'
Technical Details:
The repository's app/google-services.json contains only stub package configurations:
- com.tangem.wallet.debug
- com.tangem.wallet.internal
- com.tangem.wallet.external
- com.tangem.wallet.release
However, the production package com.tangem.wallet (required for Play Store builds) is missing
from this configuration file.
Analysis:
I've extracted the Firebase configuration from your official APK and confirmed the values are
public identifiers (project ID: tangemapp, API key, etc.). However, reproducible build
principles require building from the exact published source without modifications. Injecting
these values would compromise verification integrity.
Request:
Could you please either:
- Publish the production google-services.json configuration in the repository, or
- Document the official process for obtaining/configuring this file for reproducible builds
This would enable independent verification of your binary builds and allow WalletScrutiny to
upgrade your verdict from "source available" to "reproducible build verified."
Current Status:
Your app has been upgraded from nosource to sourceavailable on WalletScrutiny, acknowledging
the significant improvements you've made. Complete reproducibility verification awaits only
this final configuration piece.
Thank you for your continued commitment to transparency and open source practices.
Best regards,
Daniel Garcia (dannybuntu)
WalletScrutiny Contributor
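An added example, not part of the original issue or of Tangem's code: a pre-build check that lists the package names declared in a `google-services.json` and reports which required application IDs have no client entry, which is the condition behind the "No matching client found" failure quoted above. It assumes the standard file layout (`client[].client_info.android_client_info.package_name`); the sample data and the function names are constructed for illustration.

```python
import json
import sys

# Constructed sample mirroring the stub file described in the issue; the
# project and app IDs are placeholders, not values from the Tangem repository.
SAMPLE = json.dumps({
    "project_info": {"project_id": "PLACEHOLDER_PROJECT"},
    "client": [
        {"client_info": {
            "mobilesdk_app_id": "PLACEHOLDER_APP_ID",
            "android_client_info": {"package_name": name}}}
        for name in (
            "com.tangem.wallet.debug",
            "com.tangem.wallet.internal",
            "com.tangem.wallet.external",
            "com.tangem.wallet.release",
        )
    ],
})


def client_packages(raw):
    """Return the set of Android package names declared in the JSON text."""
    config = json.loads(raw)
    names = set()
    for client in config.get("client", []):
        info = client.get("client_info", {}).get("android_client_info", {})
        name = info.get("package_name")
        if isinstance(name, str):
            names.add(name)
    return names


def missing_packages(raw, required):
    """Return the required application IDs with no exact-match client entry."""
    return sorted(set(required) - client_packages(raw))


if __name__ == "__main__":
    # Usage: python check_gs.py app/google-services.json (falls back to SAMPLE)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE
    missing = missing_packages(raw, ["com.tangem.wallet"])
    print("missing client entries:", ", ".join(missing) or "none")
    sys.exit(1 if missing else 0)
```

Run against an unmodified checkout, a non-zero exit shows the failure comes from the published file itself rather than from the verifier's environment.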