Engine icon indicating copy to clipboard operation
Engine copied to clipboard
verified publisher icon whitescent

Reproducible Builds

Open IzzySoft opened this issue 1 year ago • 4 comments

I don't know if this app is still actively maintained (as I cannot see any commit for about a year now) – but if it is, maybe you could help out here.

I've checked your app if its build is reproducible (see: Reproducible bulds, special client support and more in our repo), but while I was able to successfully generate the APK using ./gradlew assembleRelease, the differences to the one provided at your latest release were huge. Was that APK really built from the commit the tag points to? If so, did I miss some build options? And if not, which commit was it?

APK diff:

--- /dev/fd/63  2024-06-25 02:47:25.511261455 +0200
+++ /dev/fd/62  2024-06-25 02:47:25.511261455 +0200
@@ -1,11 +1,11 @@
   META-INF/com/android/build/gradle/app-metadata.properties
   32-bit CRC value (hex):                         3c557a5b
   assets/dexopt/baseline.prof
-  32-bit CRC value (hex):                         ccd1e46f
+  32-bit CRC value (hex):                         a9d88d3c
   assets/dexopt/baseline.profm
   32-bit CRC value (hex):                         9e3252a0
   classes.dex
-  32-bit CRC value (hex):                         ce1dc50e
+  32-bit CRC value (hex):                         2cb1444f
   classes2.dex
   32-bit CRC value (hex):                         617e88d4
   lib/arm64-v8a/libmmkv.so
@@ -147,9 +147,9 @@
   META-INF/kotlinx_coroutines_jdk8.version
   32-bit CRC value (hex):                         61734425
   META-INF/services/c6.l
-  32-bit CRC value (hex):                         a8ad2415
+  32-bit CRC value (hex):                         5bf5a522
   META-INF/services/x5.s
-  32-bit CRC value (hex):                         aaeb9a4c
+  32-bit CRC value (hex):                         70d8f6e1
   kotlin-tooling-metadata.json
   32-bit CRC value (hex):                         47f8f5cc
   kotlin/annotation/annotation.kotlin_builtins
@@ -255,7 +255,7 @@
   res/Lf.png
   32-bit CRC value (hex):                         83cdc891
   res/M7.json
-  32-bit CRC value (hex):                         dee4a7a4
+  32-bit CRC value (hex):                         56f60404
   res/MD.png
   32-bit CRC value (hex):                         0d1f216a
   res/MO.webp
@@ -414,9 +414,3 @@
   32-bit CRC value (hex):                         0ef1b92c
   resources.arsc
   32-bit CRC value (hex):                         223050dc

The diff in META-INF/services/* I can easily fix (that's most likely just line breaks: you build on Windows, right?). But the Dex diff is huuuge. That fixed, the baseline.prof diff will probably disappear magically as it's a result of the Dex diff.

We'd appreciate if you could help making your build reproducible. We've prepared some hints on reproducible builds for that.

Looking forward to your reply!

IzzySoft avatar Aug 02 '24 10:08 IzzySoft

res/M7.json is aboutlibraries, which by default has a timestamp that can be disabled with:

aboutLibraries {
    // Remove the "generated" timestamp to allow for reproducible builds
    excludeFields = arrayOf("generated")
}

obfusk avatar Aug 07 '24 17:08 obfusk

@whitescent could you please do that ^^?

IzzySoft avatar Aug 07 '24 21:08 IzzySoft

@whitescent you're still there? Any chance we can make progress here?

IzzySoft avatar Oct 14 '24 15:10 IzzySoft

@whitescent did you give up on the app?

IzzySoft avatar Nov 25 '24 23:11 IzzySoft