>>> Re Signal and Javascript, Signal offers its code in a signed binary, and
>>> offers the source to that binary for anybody to build and check.
>>
>> Signal offers source, but given that it's distributing binaries via app
>> stores, there's really no way to guarantee that the binary matches that
>> source code. Open source is great (Expensify.cash is as well), but still
>> requires that you trust the party giving you the binaries.
>
> I don't see your argument here. The only reasonable way to sell
> something on an app store is to distribute a binary. Meanwhile with
> the source available, people can build their own clients, and share
> them via other channels.

Sorry, I failed to notice what you were responding to. Here is
information on Signal's reproducible builds:

https://github.com/signalapp/Signal-Android/tree/master/reproducible-builds

You actually can verify that the app from the Play Store is the one you
have the source to.

I am not a cryptographer and have no college degree.
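
An added example, not part of the thread and not Signal's own tooling: a sketch of the comparison such a verification comes down to, checking that a store-distributed APK and a locally built one contain the same files once the signing entries are set aside. The entry names treated as signing data and the in-memory archives are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

# Assumption: signing data sits in these META-INF entries (JAR-style APK signing).
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "/MANIFEST.MF")


def is_signing_entry(name):
    """True for entries that the distributor's signature adds or rewrites."""
    return name.startswith("META-INF/") and name.upper().endswith(SIGNING_SUFFIXES)


def content_digests(apk_bytes):
    """Map each non-signing entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            if info.filename in digests:
                # Duplicate names make "which bytes get loaded" ambiguous: reject.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(store_apk, local_apk):
    """Return sorted names that are missing on one side or differ in content."""
    a, b = content_digests(store_apk), content_digests(local_apk)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def make_apk(entries):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not real Signal artifacts.
BASE = {"classes.dex": b"dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
SIGS = {"META-INF/CERT.RSA": b"sig", "META-INF/CERT.SF": b"sf", "META-INF/MANIFEST.MF": b"mf"}
LOCAL = make_apk(BASE)                                   # built from source, unsigned
STORE = make_apk({**BASE, **SIGS})                       # same content plus signature
TAMPERED = make_apk({**BASE, **SIGS, "classes.dex": b"patched"})

print(compare_apks(STORE, LOCAL), compare_apks(TAMPERED, LOCAL))
```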