In the beginning…

Author: vkryl

.gitattributes

@@ -0,0 +1,2 @@
+app/jniLibs/*/*.so filter=lfs diff=lfs merge=lfs -text
+*.zip -delta

.gitignore

@@ -0,0 +1,19 @@
+.DS_Store
+
+.gradle
+.idea
+
+build
+.cxx
+.externalNativeBuild
+obj
+
+*.apk
+*.iml
+
+/builds
+
+/captures
+/local.properties
+
+libc++_shared.so

.gitmodules

@@ -0,0 +1,60 @@
+[submodule "app/jni/thirdparty/webp"]
+	path = app/jni/thirdparty/webp
+	url = https://chromium.googlesource.com/webm/libwebp
+	shallow = true
+[submodule "app/jni/thirdparty/libyuv"]
+	path = app/jni/thirdparty/libyuv
+	url = https://chromium.googlesource.com/libyuv/libyuv
+	shallow = true
+[submodule "app/jni/thirdparty/libtgvoip"]
+	path = app/jni/thirdparty/libtgvoip
+	url = https://github.com/TGX-Android/libtgvoip.git
+	shallow = true
+[submodule "app/jni/thirdparty/ffmpeg"]
+	path = app/jni/thirdparty/ffmpeg
+	url = https://git.ffmpeg.org/ffmpeg.git
+	shallow = true
+[submodule "app/jni/thirdparty/lz4"]
+	path = app/jni/thirdparty/lz4
+	url = https://github.com/lz4/lz4
+	shallow = true
+[submodule "ExoPlayer"]
+	path = thirdparty/ExoPlayer
+	url = https://github.com/google/ExoPlayer.git
+	shallow = true
+[submodule "app/jni/thirdparty/flac"]
+	path = app/jni/thirdparty/flac
+	url = https://gitlab.xiph.org/xiph/flac.git
+	shallow = true
+[submodule "app/jni/thirdparty/opus"]
+	path = app/jni/thirdparty/opus
+	url = https://gitlab.xiph.org/xiph/opus.git
+	shallow = true
+[submodule "app/jni/thirdparty/opusfile"]
+	path = app/jni/thirdparty/opusfile
+	url = https://gitlab.xiph.org/xiph/opusfile
+	shallow = true
+[submodule "app/jni/thirdparty/ogg"]
+	path = app/jni/thirdparty/ogg
+	url = https://gitlab.xiph.org/xiph/ogg.git
+	shallow = true
+[submodule "app/jni/thirdparty/libvpx"]
+	path = app/jni/thirdparty/libvpx
+	url = https://chromium.googlesource.com/webm/libvpx
+	shallow = true
+[submodule "tdlib"]
+	path = tdlib
+	url = https://github.com/TGX-Android/tdlib
+	shallow = true
+[submodule "app/jni/thirdparty/jni-utils"]
+	path = app/jni/thirdparty/jni-utils
+	url = https://github.com/TGX-Android/jni-utils
+	shallow = true
+[submodule "vkryl/leveldb"]
+	path = vkryl/leveldb
+	url = https://github.com/TGX-Android/leveldb
+	shallow = true
+[submodule "app/jni/thirdparty/rlottie"]
+	path = app/jni/thirdparty/rlottie
+	url = https://github.com/TGX-Android/rlottie
+	shallow = true

Dockerfile

@@ -0,0 +1,25 @@
+FROM ubuntu:hirsute
+
+COPY scripts/ scripts/
+COPY version.properties version.properties
+COPY docker/ docker/
+
+RUN apt-get update -y
+RUN apt-get install -y $(cat docker/dependencies.txt)
+
+ENV ANDROID_SDK_ROOT "/usr/local/android-sdk-linux"
+RUN test -d $ANDROID_SDK_ROOT || (mkdir -p "$ANDROID_SDK_ROOT" && echo "Created ANDROID_SDK_ROOT at $ANDROID_SDK_ROOT")
+
+ENV NDK_VERSION $(scripts/./read-property.sh version.properties version.ndk)
+ENV CMAKE_VERSION $(scripts/./read-property.sh version.properties version.cmake)
+ENV ANDROID_NDK "$ANDROID_SDK_ROOT/ndk/$NDK_VERSION"
+
+ENV PATH "$ANDROID_NDK/prebuilt/linux-x86_64/bin:$ANDROID_SDK_ROOT/cmake/$CMAKE_VERSION/bin:$ANDROID_NDK:$ANDROID_SDK_ROOT/tools/bin:$ANDROID_SDK_ROOT/platform-tools:$PATH"
+ENV TERM "xterm"
+
+ENV CC "$(which clang-12)"
+ENV CPP "$(which clang-cpp-12)"
+ENV CXX "$(which clang++-12)"
+ENV LD "$(which ld.lld-12)"
+
+RUN scripts/./setup-sdk.sh

README.md

@@ -0,0 +1,80 @@
+# [Telegram X](https://play.google.com/store/apps/details?id=org.thunderdog.challegram) — a slick experimental Telegram client based on [TDLib](https://core.telegram.org/tdlib).
+
+![Telegram X](/images/feature.png)
+
+This is the complete source code and the build instructions for the official alternative Android client for the Telegram messenger, based on the [Telegram API](https://core.telegram.org/api) and the [MTProto](https://core.telegram.org/mtproto) secure protocol via [TDLib](https://github.com/TGX-Android/tdlib).
+
+* [**Telegram X** on Google Play](http://play.google.com/store/apps/details?id=org.thunderdog.challegram)
+* [Subscribe to Beta](https://play.google.com/apps/testing/org.thunderdog.challegram)
+* [Announcements and Change Logs](https://t.me/tgx_android)
+* [Developer Log and APKs](https://t.me/tgx_log)
+
+## Build instructions
+
+### Prerequisites
+
+* At least **5,34GB** of free disk space: **487,10MB** for source codes and around **4,85GB** for files generated after building all variants;
+* **4GB** of RAM;
+* **macOS** or **Linux**-based operating system. **Windows** platform is not yet supported in [scripts](/scripts) that build native dependencies, however, it might be easy to patch them in order to make it work.
+
+#### macOS
+
+* [Homebrew](https://brew.sh)
+* git with LFS, wget and sed: `$ brew install git git-lfs wget gsed` 
+
+#### Ubuntu
+
+* git with LFS: `# apt install git git-lfs`
+
+### Building
+
+1. `$ git clone --recursive --depth=1 --shallow-submodules https://github.com/TGX-Android/Telegram-X tgx` — clone **Telegram X** with submodules;
+2. In case you forgot the `--recursive` flag, `cd` into `tgx` directory and: `$ git submodule init && git submodule update --init --recursive --depth=1` 
+3. Create `keystore.properties` file outside of source tree with the following properties:<br/>`keystore.file`: absolute path to the keystore file;<br/>`keystore.password`: password for the keystore;<br/>`key.alias`: key alias that will be used to sign the app;<br/>`key.password`: key password.<br/>**Warning**: keep this file safe and make sure nobody, except you, has access to it. For production builds one could use a separate user with home folder encryption to avoid harm from physical theft;
+4. `$ cd tgx`;
+5. Run `$ scripts/./setup.sh` and follow up the instructions;
+6. Now you can open the project using **[Android Studio](https://developer.android.com/studio/)** or build manually from the command line: `./gradlew assembleUniversalRelease`.
+
+#### Available flavors
+
+* `arm64`: **arm64-v8a** build with `minSdkVersion` set to `21` (**Lollipop**) 
+* `arm32`: **armeabi-v7a** build;
+* `x64`: **x86_64** build with `minSdkVersion` set to `21` (**Lollipop**)
+* `x86`: **x86** build;
+* `universal`: universal build that includes native bundles for all platforms.
+
+## Reproducing public builds
+
+In order to verify that there is no additional source code injected inside official APKs, you must use **Ubuntu 21.04** and comply with the following requirements:
+
+1. Create user called `vk` with the home directory located at `/home/vk`;
+2. Clone `tgx` repository to `/home/vk/tgx`;
+3. Check out the specific commit you want to verify;
+4. `cd` into `tgx` folder and install dependencies: `# apt install $(cat reproducible-builds/dependencies.txt)`;
+5. Follow up the build instruction from the previous section;
+6. Run `$ apkanalyzer apk compare --different-only <remote-apk> <reproduced-apk>`;
+7. If only signature files and metadata differ, build reproduction is successful.
+
+In future build reproduction will be made easier. Here's a list of related TODOs (PR-welcome!):
+
+* Project path must not affect the resulting `.so` files, so user & project location requirement could be removed;
+* When building native binaries on **macOS**, `.comment` ELF section differs from the one built with **Linux** version of NDK. It must be removed or made deterministic without any side-effects like breaking `native-debug-symbols.zip` (or should be reported to NDK team?);
+* It might be a good idea to use `--build-id=0x<commit>` instead of `--build-id=none`;
+* Checksums of cold APK builds always differ, even though the same keystore applied and generated inner APK contents do not differ. Real cause must be investigated and fixed, if possible.<br/>To generate cold build, invoke `$ scripts/./reset.sh` and `$ scripts/./setup.sh --skip-sdk-setup`.<br/>**Warning**: this will also reset changes inside some of the submodules ([ffmpeg](/app/jni/thirdparty/ffmpeg), [libvpx](/app/jni/thirdparty/libvpx), [webp](/app/jni/thirdparty/webp), [opus](/app/jni/thirdparty/opus) and [ExoPlayer](/app/jni/thirdparty/exoplayer));
+
+
+<i>PS: [Docker](/Dockerfile) is not considered an option, as it just hides away these tasks, and requires that all published APKs must be built using it.</i>
+
+## Verifying side-loaded APKs
+
+If you downloaded **Telegram X** APK from somewhere and would like to simply verify whether it's an original APK without any injected malicious source code, you need to get `SHA-256` checksum of the downloaded APK file and find whether it corresponds to any known **Telegram X** version.
+
+In order to obtain **SHA-256** of the APK:
+* `$ sha256sum <path-to-apk>` on **Ubuntu**
+* `$ shasum -a 256 <path-to-apk>` on **macOS**
+
+Then there are three ways to find out the commit for the specific **SHA-256** checksum:
+
+* Checking on GitHub releases page — if you don't have an access to Telegram (e.g. using another device);
+* Sending checksum to [`@tgx_bot`](https://t.me/tgx_bot);
+* Searching for a checksum in [`@tgx_log`](https://t.me/tgx_log).

app/.gitignore

@@ -0,0 +1,6 @@
+/jniLibs
+/arm
+/arm64
+/x86
+/x86_64
+/universal