Running Ashigaru
The moment it hit the news that a wallet named "Ashigaru" exists as a fork of Samourai Wallet, I knew that I had to examine the source code and build the APK myself.
I wanted to see if everything was legit and reproducible, as it was claimed to be.
🧵
👇
Samourai Wallet built a reputation over the last decade, but unknown and daring Ashigaru Dev is touching on an important project and must not mess up.
So I inspected the commits even from SW-0.99.98g onward, which I happened to have personally downloaded back in 2023.
Review route:
SW-0.99.98g → SW-0.99.98ii → Ashigaru-1.0.0 → Ashigaru 1.1.0 → Ashigaru 1.1.1.
Things I watched out for:
• Weird code obfuscation
• Unexplained binary blobs
• Suspicious URL calls
• Seed Phrase generation / source of entropy
It took me a while to scroll through and inspect dozens of megabytes (!) of source code. Some code is completely unchanged (even the typos), some is changed, some is completely rewritten.
Résumé: No rogue lines spotted. 👍
So from my perspective, the source code is fine. 👌
But code review is worthless without reproducibility – and vice versa.
So concerning that: I managed to reproduce the build, by Ashigaru's instructions here:
The hashsum of my build matches the hashsum of the signature-stripped official release APK. ✅ …wrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashig…
Hints for setting up a build environment for v1.1.1:
• Linux operating system (VM or native)
• Android Studio Ladybug ≥2024.2.1 (incl. AGP ≥8.7, bringing Gradle 8.9)
• Gradle 8.9 (set and synced automatically at project import)
• GradleJDK: OpenJDK 18.x (up to 20 will work)
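One way to do the "signature-stripped" comparison described above, as an added example that is not part of the thread or of Ashigaru's own tooling: it hashes every zip entry of both APKs except the v1 (JAR) signature files under META-INF/ and reports the entries that differ, which also tells you where a mismatch comes from when the whole-file hashes disagree. The sample "APKs" are constructed in-memory stand-ins, and the assumption is that the only intended difference between a local build and the release is the signing data.

```python
import hashlib
import io
import zipfile

# Entries a v1 (JAR) signature adds under META-INF/; everything else must be
# byte-identical between a reproducible build and the official release.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def is_signature_entry(name: str) -> bool:
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES))

def entry_digests(apk_bytes: bytes) -> dict:
    """SHA-256 of each non-signature entry's uncompressed bytes. A v2/v3 APK
    Signing Block sits outside the zip entries, so it is skipped as well."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not is_signature_entry(info.filename):
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(local_apk: bytes, official_apk: bytes) -> dict:
    """{entry: (local_hash, official_hash)} for entries that differ or are
    missing on one side; an empty dict means the build reproduces."""
    local, official = entry_digests(local_apk), entry_digests(official_apk)
    return {name: (local.get(name), official.get(name))
            for name in sorted(set(local) | set(official))
            if local.get(name) != official.get(name)}

def build_sample_apk(signed: bool, tamper: bool = False) -> bytes:
    """Constructed stand-in for an APK: a zip with a manifest, a dex file and,
    when signed, v1 signature entries under META-INF/ (hypothetical contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.wallet'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + (b"B" if tamper else b"A") * 64)
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"constructed-pkcs7-blob")
    return buf.getvalue()

if __name__ == "__main__":
    print("reproducible:", not compare_apks(build_sample_apk(False), build_sample_apk(True)))
```

For real files, pass the bytes of your own unsigned build and of the downloaded release; any entry listed in the result is where the two builds diverge.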
I'm even inclined to say: Ashigaru really comes close to a role model release and shows the power of FOSS:
Forked a sleeping project, official clearnet presentation site, source code repo via Tor, guide to make reproducible builds, PGP-signed APK checksums, pseudonymous devs.
#RunningAshigaru
Visit: ashigaru.rs, the official website.
Use the Tor Browser to see the project's repo and get the APK release file: …wrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashig…
Pair with your Dojo or use: dojobay.pw
Don't fall prey to scams that claim to be Ashigaru!
But as always, there's one more thing I'd like to add:
Whenever you open the wallet, there is an update check: a constant phone-home. I don't like that. I commented this out in my build. Sorry, Ashigaru. 🤭
The update routine is still triggered when visiting the 'About' menu.
Also I don't know if I like the automatic pull-in and processing of new external data from the onion URLs. It's cleverly made and certainly useful, I get that.
But I'd like to discuss whether doing it that way really is secure. 🤔 Drop me your opinion on it, please.
That being said: thank you, Ashigaru Dev(s), for your effort! Amazing work, to brush this code up that way, in practically no time.
I hope I can be of help to further improve this piece in the future.
... because, am I the only one seeing that? 👇🫠
Closing, I'd like to point you to @ottosch_, who also inspected and built the first release of Ashigaru v1.0.0 some moons ago.
x.com/ottosch_/statu…
And most of all: don't forget to #FreeSamourai!
freesamourai.com
p2prights.org/donate.html
☝️☝️
I guess this is how you vet a new bitcoin wallet.
@WatchmanPrivacy
@realUrbanHacker