Iconify
[FEATURE] Reproducible Builds
Describe the feature
At IzzyOnDroid we support Reproducible Builds (see: Reproducible Builds, special client support and more at IzzyOnDroid). Trying for yours, I was able to successfully generate the APK (going by your GitHub action for orientation), but the resulting APKs were not identical. Differences were rather plentiful:
What did I miss? For one (but that's unlikely to be the only reason), I see that you use JDK 18 in your GitHub action. That's not an LTS. It's OK for test/debug builds, but I hope for release builds you use an LTS release (e.g. 17 or 21)?
We'd appreciate it if you could help make your build reproducible. We've also prepared some hints on reproducible builds for that.
Looking forward to your reply!
Why would it be useful to add?
See the link above: RBs confirm the APKs shipped were indeed built from the source they claim – with nothing removed, added or altered. So they count as a security feature.
Example(s)
n/a
Additional context
Build recipe used here:
```yaml
build:
  - sed -r '/signingConfig = releaseSigning/d' -i app/build.gradle.kts
  - sed 's/include\(.*\)/include("arm64-v8a")/' -i app/build.gradle.kts
  - chmod +x gradlew
  - ./gradlew assembleFossRelease -PsplitApks
```
(we remove the signing as we need an unsigned APK to compare against). Build here was done on the commit the release v7.1.0 points to.
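The comparison step behind this report (an unsigned rebuild checked against the signed release), as an added example that is not part of the original issue or the IzzyOnDroid tooling: it hashes every zip entry of both APKs, skips only the v1 signature files under META-INF/, and reports what is missing, extra or changed. The sample "APKs" are constructed in-memory zips, not real Iconify builds.

```python
"""Compare a released APK with an unsigned rebuild, entry by entry."""
import hashlib
import io
import zipfile

# v1 (JAR) signing adds these files; an unsigned rebuild lacks them, so they are
# the only entries allowed to differ. v2/v3 signatures live in the APK Signing
# Block outside the zip entries, which zipfile never reads, so nothing else is masked.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")


def is_signature_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.endswith(SIGNATURE_SUFFIXES)


def entry_digests(apk_bytes: bytes) -> dict:
    """Map every non-signature entry name to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(released: bytes, rebuilt: bytes) -> dict:
    """Entries found in only one APK, plus entries whose bytes differ.
    An empty result means the rebuild reproduces the release."""
    a, b = entry_digests(released), entry_digests(rebuilt)
    return {
        "only_in_released": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def build_sample_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip holding the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the release is signed, the rebuild is not, and one
    # compiled file differs, which is what a non-reproducible build looks like.
    release = build_sample_apk({"classes.dex": b"A", "META-INF/CERT.RSA": b"sig"})
    rebuild = build_sample_apk({"classes.dex": b"B"})
    print(compare_apks(release, rebuild))  # {'only_in_released': [], 'only_in_rebuilt': [], 'changed': ['classes.dex']}
```

Run it against the real files as `compare_apks(open("release.apk", "rb").read(), open("rebuild.apk", "rb").read())`; a non-empty "changed" list points at exactly the entries to investigate (timestamps, build paths, JDK-dependent bytecode).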