Telegram X — a slick experimental Telegram client based on TDLib.
This is the complete source code and the build instructions for the official alternative Android client for the Telegram messenger, based on the Telegram API and the MTProto secure protocol via TDLib.
- At least 5,34GB of free disk space: 487,10MB for source codes and around 4,85GB for files generated after building all variants
- 4GB of RAM
- macOS or Linux-based operating system. Windows platform is not yet supported in scripts that build native dependencies, however, it might be easy to patch them in order to make it work.
- Homebrew
- git with LFS, wget and sed:
$ brew install git git-lfs wget gsed && git lfs install
- git with LFS:
# apt install git git-lfs
- Run
$ git lfs install
for the current user, if you didn't havegit-lfs
previously installed
$ git clone --recursive --depth=1 --shallow-submodules https://github.com/TGX-Android/Telegram-X tgx
— clone Telegram X with submodules- In case you forgot the
--recursive
flag,cd
intotgx
directory and:$ git submodule init && git submodule update --init --recursive --depth=1
- Create
keystore.properties
file outside of source tree with the following properties:keystore.file
: absolute path to the keystore filekeystore.password
: password for the keystorekey.alias
: key alias that will be used to sign the appkey.password
: key password.
Warning: keep this file safe and make sure nobody, except you, has access to it. For production builds one could use a separate user with home folder encryption to avoid harm from physical theft $ cd tgx
- Run
$ scripts/./setup.sh
and follow up the instructions - If you specified package name that's different from the one Telegram X uses, setup Firebase and replace
google-services.json
with the one that's suitable for theapp.id
you need - Now you can open the project using Android Studio or build manually from the command line:
./gradlew assembleUniversalRelease
.
arm64
: arm64-v8a build withminSdkVersion
set to21
(Lollipop)arm32
: armeabi-v7a buildx64
: x86_64 build withminSdkVersion
set to21
(Lollipop)x86
: x86 builduniversal
: universal build that includes native bundles for all platforms.
In order to verify that there is no additional source code injected inside official APKs, you must use Ubuntu 21.04 and comply with the following requirements:
- Create user called
vk
with the home directory located at/home/vk
- Clone
tgx
repository to/home/vk/tgx
- Check out the specific commit you want to verify
- In rare cases of builds that include unmerged pull requests, you must follow actions performed by Publisher's
fetchPr
andsquashPr
tasks cd
intotgx
folder and install dependencies:# apt install $(cat reproducible-builds/dependencies.txt)
- Follow up the build instruction from the previous section
- Run
$ apkanalyzer apk compare --different-only <remote-apk> <reproduced-apk>
- If only signature files and metadata differ, build reproduction is successful.
In future build reproduction might become easier. Here's a list of related PR-welcome TODOs:
- Project path must not affect the resulting
.so
files, so user & project location requirement could be removed - When building native binaries on macOS,
.comment
ELF section differs from the one built with Linux version of NDK. It must be removed or made deterministic without any side-effects like breakingnative-debug-symbols.zip
(or should be reported to NDK team?) - It might be a good idea to use
--build-id=0x<commit>
instead of--build-id=none
- Checksums of cold APK builds always differ, even though the same keystore applied and generated inner APK contents do not differ. Real cause must be investigated and fixed, if possible.
To generate cold build, invoke$ scripts/./reset.sh
and$ scripts/./setup.sh --skip-sdk-setup
.
Warning: this will also reset changes inside some of the submodules (ffmpeg, libvpx, webp, opus and ExoPlayer) - Move local pull requests squash-merging from Publisher to some script inside this repository to make reproduction of builds that include them easier.
PS: Docker is not considered an option, as it just hides away these tasks, and requires that all published APKs must be built using it.
If you downloaded Telegram X APK from somewhere and would like to simply verify whether it's an original APK without any injected malicious source code, you need to get checksum (SHA-256
, SHA-1
or MD5
) of the downloaded APK file and find whether it corresponds to any known Telegram X version.
In order to obtain SHA-256 of the APK:
$ sha256sum <path-to-apk>
on Ubuntu$ shasum -a 256 <path-to-apk>
on macOS
Once obtained, there are three ways to find out the commit for the specific checksum:
- Sending checksum to
@tgx_bot
- Searching for a checksum in
@tgx_log
. You can do so without need in installing any Telegram client by using this URL format:https://t.me/s/tgx_log?q={checksum}
(click to see in action). Note: unpublished builds cannot be verified this way.
Telegram X
is licensed under the terms of the GNU General Public License v3.0.
For more information, see LICENSE file.
License of components and third-party dependencies it relies on might differ, check LICENSE
file in the corresponding folder.
List of third-party components used in Telegram X can be found here. Additionally you can check the specific commit of the third-party component used, for example, here and here.
Telegram X welcomes contributions. Check out pull request template and guide for contributors to learn more about Telegram X internals before creating the first pull request.
If you are a regular user and experience a problem with Telegram X, the best place to look for solution is Telegram X chat — a community with over 4 thousand members. Please do not use this repository to ask questions: if you have general issue with Telegram, refer to FAQ or contact Telegram Support.