
F-Droid reproducible build failed

Open linsui opened this issue 1 year ago • 18 comments

Describe the bug

The 1.1.13 reproducible build failed: https://gitlab.com/linsui/fdroiddata/-/jobs/7224096941. The content of the APK is identical but the zip metadata is different. I checked 1.1.11 again and I can still rebuild the APK.

Screenshots and Logs

out.txt

linsui avatar Jun 30 '24 08:06 linsui
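To make the check described in the report concrete, here is an added example (not code from this issue, from Obtainium, or from fdroiddata) that compares two APK builds entry by entry, separating "content differs" from "only zip metadata differs" (local header offsets, extra-field padding, compression method), and that lists stored entries whose data is not 4-byte aligned, which is what zipalign -c would complain about. The two "builds" are constructed in memory and are plain zips, not real Android packages; the padding is applied to both headers, where real zipalign pads only the local one.

```python
"""Compare two APK builds entry by entry: content vs. zip metadata, plus a 4-byte
alignment check for stored entries. Sample "APKs" are constructed plain zips."""
import hashlib
import io
import struct
import zipfile

LOCAL_HEADER_LEN = 30  # fixed part of a zip local file header


def describe_entries(apk_bytes):
    """Map entry name -> {sha256 of uncompressed content, zip metadata}."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            # Name/extra lengths sit at offsets 26/28 of the local header; the central
            # directory may carry a different extra field, so read the local one.
            name_len, extra_len = struct.unpack_from("<HH", apk_bytes, info.header_offset + 26)
            data_offset = info.header_offset + LOCAL_HEADER_LEN + name_len + extra_len
            entries[info.filename] = {
                "sha256": hashlib.sha256(zf.read(info)).hexdigest(),
                "compress_type": info.compress_type,
                "header_offset": info.header_offset,
                "data_offset": data_offset,
                "local_extra_len": extra_len,
            }
    return entries


def compare_apks(a_bytes, b_bytes):
    """Return (content_diffs, metadata_only_diffs) as sorted lists of entry names.

    Content diff: entry missing on one side or its bytes differ.
    Metadata-only diff: bytes identical but the zip bookkeeping differs."""
    a, b = describe_entries(a_bytes), describe_entries(b_bytes)
    content, metadata = [], []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b or a[name]["sha256"] != b[name]["sha256"]:
            content.append(name)
        elif a[name] != b[name]:
            metadata.append(name)
    return content, metadata


def unaligned_stored_entries(apk_bytes, alignment=4):
    """Stored (uncompressed) entries whose data does not start on an `alignment` boundary."""
    return sorted(
        name for name, e in describe_entries(apk_bytes).items()
        if e["compress_type"] == zipfile.ZIP_STORED and e["data_offset"] % alignment
    )


def _padding(n):
    """n bytes of extra-field padding; a zero-id TLV once there is room for a 4-byte header."""
    return b"\x00" * n if n < 4 else struct.pack("<HH", 0, n - 4) + b"\x00" * (n - 4)


def build_sample_apk(align_stored):
    """Constructed sample: one stored 'native library' followed by one deflated entry.
    With align_stored=True the stored entry gets extra-field padding so its data is
    4-byte aligned, as zipalign leaves it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        so = zipfile.ZipInfo("lib/x.so", date_time=(2024, 6, 30, 0, 0, 0))
        so.compress_type = zipfile.ZIP_STORED
        # First entry: header at 0, so data would start at 30 + len("lib/x.so") = 38.
        if align_stored:
            so.extra = _padding((-(LOCAL_HEADER_LEN + len(so.filename))) % 4)
        zf.writestr(so, b"\x7fELF" + b"\x00" * 60)
        dex = zipfile.ZipInfo("classes.dex", date_time=(2024, 6, 30, 0, 0, 0))
        dex.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(dex, b"dex\n" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    old, new = build_sample_apk(False), build_sample_apk(True)
    content, metadata = compare_apks(old, new)
    print("content diffs:", content)
    print("metadata-only diffs:", metadata)
    print("unaligned stored entries in old build:", unaligned_stored_entries(old))
```

On real builds, read both APK files into memory and pass the bytes to compare_apks; an empty content list with a non-empty metadata list is the situation this issue describes, and a shift in data_offset of every entry after the first stored one is the typical trace of alignment padding being added or dropped.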

Hmm. Do you have any ideas? I haven't changed anything that should affect this afaik.

ImranR98 avatar Jun 30 '24 14:06 ImranR98

I have no idea. Can you try rebuilding 1.1.11 and check if the apk is identical to the old one?

linsui avatar Jun 30 '24 15:06 linsui

Looks like the file hashes are not identical. I built this through GitHub actions so something might be different there.

ImranR98 avatar Jun 30 '24 17:06 ImranR98

Do you know what zip metadata is different? I'm assuming the APK signature is okay since Android did not complain when the app was updated.

ImranR98 avatar Jun 30 '24 17:06 ImranR98

This is the diff between your new build and old build of 1.1.11: diff.txt

The out.txt above is the diff between your build of 1.1.13 and our build.

linsui avatar Jun 30 '24 17:06 linsui

Lol, I have no idea how to interpret these.

ImranR98 avatar Jun 30 '24 19:06 ImranR98

That's how these look when hitting alignment issues, iirc.

@linsui, none of the 4, 16, 64 values helped?

licaon-kter avatar Jul 01 '24 05:07 licaon-kter

I didn't try. We shouldn't need to run zipalign again unless we modify the apk.

linsui avatar Jul 01 '24 05:07 linsui

Who is "we"? We are not modifying anything on purpose, we try to keep up with the "ever evolving" tooling that changes that, right?

licaon-kter avatar Jul 01 '24 05:07 licaon-kter

Yes. It seems something in GHA or macOS or something else suddenly changed.

linsui avatar Jul 01 '24 06:07 linsui

Tried 4 (not needed, as it's already 4), 16 and 64 with zipalign from Debian, but not helpful :crying_cat_face:

licaon-kter avatar Jul 01 '24 11:07 licaon-kter

The fact that the hash is different on every build may be explained by the Dependency Info Block, an encrypted proprietary blob from Google that is added to APK and AAB files by default and that is not reproducible. This causes the APK signature block to be different on every build even though the signature certificate remains the same.

You could try to remove this blob by adding the following to the file build.gradle:

android {
    // …

    // Stop AGP from embedding the Dependency Info Block in the APK Signing Block
    dependenciesInfo {
        includeInApk false      // APKs
        includeInBundle false   // AABs
    }
}

ldeso avatar Jul 01 '24 12:07 ldeso
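As an added illustration of the block ldeso refers to (example code written for this page, not from the issue, Obtainium, or AGP), the following locates the APK Signing Block that apksigner places in front of the central directory, walks its ID-value pairs, and reports whether the Dependency Info Block is among them, so a build can be checked after the Gradle change above. The block layout follows the public APK Signature Scheme v2 format; the block IDs (0x504b4453 for the dependency info block, 0x7109871a for scheme v2, and so on) are taken as assumptions from the apksigcopier and Android documentation. The sample is a constructed plain zip with a hand-built signing block spliced in; the values are placeholders, not signatures.

```python
"""Walk the APK Signing Block of an APK and list the ID-value pairs it carries.
The sample APK is a constructed zip; block IDs are assumed from public docs."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = struct.pack("<I", 0x06054B50)
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # assumed: Google's opaque dependency metadata
BLOCK_NAMES = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
    DEPENDENCY_INFO_BLOCK_ID: "dependency info (Google, encrypted)",
}


def find_eocd(data):
    """Offset of the End of Central Directory record (scans back over any comment)."""
    start = max(0, len(data) - 22 - 0xFFFF)
    idx = data.rfind(EOCD_SIGNATURE, start)
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    return idx


def parse_signing_block(data):
    """Return [(block_id, value_bytes), ...], or None if no signing block precedes the CD."""
    eocd = find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return None
    # Layout: size(u64) | ID-value pairs | size(u64) | magic(16); size excludes the first field.
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("corrupt APK Signing Block (size fields disagree)")
    pairs, pos, end = [], start + 8, cd_offset - 24
    while pos < end:
        length, block_id = struct.unpack_from("<QI", data, pos)  # length covers ID + value
        if length < 4 or pos + 8 + length > end:
            raise ValueError("corrupt ID-value pair")
        pairs.append((block_id, bytes(data[pos + 12:pos + 8 + length])))
        pos += 8 + length
    return pairs


def has_dependency_info_block(data):
    pairs = parse_signing_block(data)
    return pairs is not None and any(i == DEPENDENCY_INFO_BLOCK_ID for i, _ in pairs)


def build_signing_block(pairs):
    """Serialise ID-value pairs into a signing block (inverse of parse_signing_block)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def insert_signing_block(zip_bytes, block):
    """Splice a signing block in front of the central directory and fix the EOCD's CD offset
    (entry offsets are unaffected, which is why the zip stays readable)."""
    eocd = find_eocd(zip_bytes)
    cd_offset = struct.unpack_from("<I", zip_bytes, eocd + 16)[0]
    out = bytearray(zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


def entry_names(data):
    """Entry names as zipfile sees them; shows the splice left the zip structurally valid."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_zip():
    """Constructed sample: a tiny zip standing in for an unsigned APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("AndroidManifest.xml"), b"<manifest/>")
        zf.writestr(zipfile.ZipInfo("classes.dex"), b"dex\n" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    apk = insert_signing_block(build_sample_zip(), build_signing_block(
        [(0x7109871A, b"placeholder v2 signature"), (DEPENDENCY_INFO_BLOCK_ID, b"opaque blob")]))
    for block_id, value in parse_signing_block(apk):
        print(f"0x{block_id:08x} {BLOCK_NAMES.get(block_id, 'unknown')}: {len(value)} bytes")
    print("dependency info block present:", has_dependency_info_block(apk))
```

Run parse_signing_block on the bytes of a real APK to see which blocks the signing block holds; because the dependency info block is opaque and changes between builds, its mere presence means two otherwise identical builds will differ in the signing block region, which is what makes the whole-file hash unstable.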

worth a try

licaon-kter avatar Jul 01 '24 14:07 licaon-kter

The signature is not the same.

linsui avatar Jul 01 '24 16:07 linsui

Can you try signing the apk with apksigner from build-tools 34 or older?

linsui avatar Jul 03 '24 15:07 linsui

@ImranR98 or better yet, adjust https://github.com/ImranR98/Obtainium/blob/v1.1.13/.github/workflows/release.yml#L75 to say apksigner sign --alignment-preserved true ...

ref: https://gitlab.com/fdroid/fdroiddata/-/issues/3299#note_1985568674

licaon-kter avatar Jul 05 '24 15:07 licaon-kter

Based on the docs here: https://github.com/obfusk/apksigcopier#what-about-signatures-made-by-apksigner-from-build-tools--3500-rc1

I've updated the recipe instead: https://gitlab.com/fdroid/fdroiddata/-/commit/b4ad3d5c41cd95caa67d9f4158334209f4cc6601

feel free to star the Google issue https://issuetracker.google.com/issues/351408623

/close this

licaon-kter avatar Jul 09 '24 12:07 licaon-kter