Running Ashigaru
The moment it hit the news that a wallet named "Ashigaru" exists as a fork of Samourai Wallet, I knew that I had to examine the source code and build the APK myself.
I wanted to see, if everything was legit and reproducible, as it was claimed to be.
🧵
👇
The moment it hit the news that a wallet named "Ashigaru" exists as a fork of Samourai Wallet, I knew that I had to examine the source code and build the APK myself.
I wanted to see, if everything was legit and reproducible, as it was claimed to be.
🧵
👇
Samourai Wallet built a reputation over the last decade, but unknown and daring Ashigaru Dev is touching on an important project and must not mess up.
So I inspected the commits even from SW-0.99.98g onward, which I happened to have personally downloaded back in 2023.
So I inspected the commits even from SW-0.99.98g onward, which I happened to have personally downloaded back in 2023.
Review route:
SW-0.99.98g → SW-0.99.98ii → Ashigaru-1.0.0 → Ashigaru 1.1.0 → Ashigaru 1.1.1.
Things I watched out for:
• Weird code obfuscuation
• Unexplained binary blobs
• Suspicious URL calls
• Seed Phrase generation / source of entropy
SW-0.99.98g → SW-0.99.98ii → Ashigaru-1.0.0 → Ashigaru 1.1.0 → Ashigaru 1.1.1.
Things I watched out for:
• Weird code obfuscuation
• Unexplained binary blobs
• Suspicious URL calls
• Seed Phrase generation / source of entropy
It took me a while to scroll through and inspect dozens of megabyte (!) of source code. Some code is completely unchanged (even the typos), some is changed, some is completely rewritten.
Résumé: No rogue lines spotted. 👍
So from my perspective, the source code is fine. 👌
Résumé: No rogue lines spotted. 👍
So from my perspective, the source code is fine. 👌
But code review is worthless without reproducibility – and vice versa.
So concerning that: I managed to reproduce the build, by Ashigaru's instructions here:
The hashsum of my build matches the hashsum of the signature-stripped official release APK. ✅ …wrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashig…
So concerning that: I managed to reproduce the build, by Ashigaru's instructions here:
The hashsum of my build matches the hashsum of the signature-stripped official release APK. ✅ …wrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashig…
Hints for setting up a build environment for v1.1.1:
• Linux operating system (VM or native)
• Android Studio Ladybug ≥2024.2.1 (incl. AGP ≥8.7, bringing Gradle 8.9)
• Gradle 8.9 (set and synced automatically at project import)
• GradleJDK: OpenJDK 18.x (up to 20 will work)
• Linux operating system (VM or native)
• Android Studio Ladybug ≥2024.2.1 (incl. AGP ≥8.7, bringing Gradle 8.9)
• Gradle 8.9 (set and synced automatically at project import)
• GradleJDK: OpenJDK 18.x (up to 20 will work)
I'm even inclined to say: Ashigaru really comes close to a role model release and shows the power of FOSS:
Forked a sleeping project, official clearnet presentation site, source code repo via Tor, guide to make reproducible builds, PGP-signed APK checksums, pseudonymous devs.
Forked a sleeping project, official clearnet presentation site, source code repo via Tor, guide to make reproducible builds, PGP-signed APK checksums, pseudonymous devs.
#RunningAshigaru
Visit: ashigaru.rs, the official website.
Use the Tor Browser to see the project's repo and get the APK release file: …wrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashig…
Pair with your Dojo or use: dojobay.pw
Don't fall pray to scams, who claim to be Ashigaru!
Visit: ashigaru.rs, the official website.
Use the Tor Browser to see the project's repo and get the APK release file: …wrjvajgumgac423pp3y2deprbnzz7id.onion/Ashigaru/Ashig…
Pair with your Dojo or use: dojobay.pw
Don't fall pray to scams, who claim to be Ashigaru!
But as always, there's one more thing I'd like to add:
Whenever you open the wallet, there is an update check: a constant homephone. I don't like that. I commented this out in my build. Sorry, Ashigaru. 🤭
The update routine is still triggered when visiting the 'About' menu.
Whenever you open the wallet, there is an update check: a constant homephone. I don't like that. I commented this out in my build. Sorry, Ashigaru. 🤭
The update routine is still triggered when visiting the 'About' menu.
Also I don't know if I like the automatic pull-in and processing of new external data from the onion URLs. It's cleverly made and certainly useful, I get that.
But I'd like to discuss, if the idea to do it that way, really is secure. 🤔 Drop me your opinion on it, please.
But I'd like to discuss, if the idea to do it that way, really is secure. 🤔 Drop me your opinion on it, please.
That being said: thank you, Ashigaru Dev(s), for your effort! Amazing work, to brush this code up that way, in practically no time.
I hope, I can be of help to further improve this piece in the future.
... because, am I the only one seeing that? 👇🫠
I hope, I can be of help to further improve this piece in the future.
... because, am I the only one seeing that? 👇🫠
Closing, I'd like to point you to @ottosch_, who has also inspected and build the first release of Ashigaru v1.0.0 some moons ago.
x.com/ottosch_/statu…
And most of all: don't forget to #FreeSamourai!
freesamourai.com
p2prights.org/donate.html
x.com/ottosch_/statu…
And most of all: don't forget to #FreeSamourai!
freesamourai.com
p2prights.org/donate.html
☝️☝️
I guess, this is how you vet a new bitcoin wallet.
@WatchmanPrivacy
@realUrbanHacker
I guess, this is how you vet a new bitcoin wallet.
@WatchmanPrivacy
@realUrbanHacker
https://x.com/WatchmanPrivacy/status/1839260460652052838?t=JF_8Zogm7ZXBwKwSaPPNew&s=19
• • •
Missing some Tweet in this thread? You can try to
force a refresh
