PDF-Doc-Scan
PDF-Doc-Scan copied to clipboard
LittleTrickster
Official F-Droid release
Are there any plans to release this application on the official F-Droid repository?
Where we'd like to lift it up one level and confirm it's a Reproducible Build (see: Reproducible bulds, special client support and more in our repo) – but I could not figure out how to build the specific APK we use there. The build spits out several APKs, just not that one.
@LittleTrickster could you give me a hint on how to build that? Obviously, ./gradlew assembleRelease doesn't do the trick.
We'd appreciate if you could help making your build reproducible. We've prepared some hints on reproducible builds for that.
Looking forward to your reply!
OK, I've managed to build the specific APK now (by altering the build.gradle using sed -r '/abi \{/,/}/ { s/include.*/include "arm64-v8a"/ }' -i app/build.gradle), but it is not RB. Here's the APK diff:
-------------------------------
This can probably be ignored if the above error was
'Error: APK Signing Block offset < central directory offset.'
and the following shows the signature files as the only difference:
-------------------------------
--- /dev/fd/63 2024-08-08 10:02:21.267780725 +0200
+++ /dev/fd/62 2024-08-08 10:02:21.267780725 +0200
@@ -1,11 +1,11 @@
META-INF/com/android/build/gradle/app-metadata.properties
32-bit CRC value (hex): fadd38bc
assets/dexopt/baseline.prof
- 32-bit CRC value (hex): 6f3b3aa9
+ 32-bit CRC value (hex): b67e3364
assets/dexopt/baseline.profm
32-bit CRC value (hex): 59be0682
classes.dex
- 32-bit CRC value (hex): 03370966
+ 32-bit CRC value (hex): f7ff0ade
classes2.dex
32-bit CRC value (hex): 83d303cb
lib/arm64-v8a/libc++_shared.so
@@ -20,6 +20,18 @@
32-bit CRC value (hex): d17f9abb
lib/armeabi-v7a/libopencv_java4.so
32-bit CRC value (hex): 10e8443d
+ lib/x86/libc++_shared.so
+ 32-bit CRC value (hex): 346622e6
+ lib/x86/libimage_processing_util_jni.so
+ 32-bit CRC value (hex): 8031e066
+ lib/x86/libopencv_java4.so
+ 32-bit CRC value (hex): e58e5240
+ lib/x86_64/libc++_shared.so
+ 32-bit CRC value (hex): 3e046e92
+ lib/x86_64/libimage_processing_util_jni.so
+ 32-bit CRC value (hex): afc57b58
+ lib/x86_64/libopencv_java4.so
+ 32-bit CRC value (hex): 6fca9e01
assets/com/tom_roush/fontbox/resources/cmap/83pv-RKSJ-H
32-bit CRC value (hex): 506463a6
assets/com/tom_roush/fontbox/resources/cmap/90ms-RKSJ-H
@@ -1395,9 +1407,9 @@
META-INF/kotlinx_coroutines_core.version
32-bit CRC value (hex): 10dbda9d
META-INF/services/a6.y
- 32-bit CRC value (hex): 845a12c4
+ 32-bit CRC value (hex): 755dff9c
META-INF/services/kotlinx.coroutines.internal.i
- 32-bit CRC value (hex): 861cac9d
+ 32-bit CRC value (hex): 5e70ac5f
kotlin-tooling-metadata.json
32-bit CRC value (hex): 955d2730
kotlin/annotation/annotation.kotlin_builtins
@@ -1418,9 +1430,3 @@
32-bit CRC value (hex): 71c94b37
org/bouncycastle/x509/CertPathReviewerMessages_de.properties
32-bit CRC value (hex): 8357ba7f
@IzzySoft Sorry for late reply
did some changes to target specific abi or just arm or universal using Project property singleAbi. Default still splits to many apks.
singleAbi param values arm, x86 x86_64 arm64-v8a armeabi-v7a universal
example
gradlew -PsingleAbi="arm" assembleRelease
By RB what do you mean?
Scroll up a little: Reproducible Builds, special client support and more in our repo. And I needed to build the "universal ARM" APK which is commented out in your build.gradle, so I could compare it against the one attached to your releases. Unfortunately, the builds were not identical, see the diff above. So I don't know if you maybe built from a different commit, or if my way to achieve the "double arm" just causes different results than yours. Unfortunately, in your build.gradle you don't offer a target I could call directly, without altering the file.
For RB, in short: a successful RB basically confirms your APK was really built from the source the tag points to, without any "local modifications" which might have "slipped something in". So it's an additional security indicator.
@IzzySoft Changed app build gradle in latest commit
For arm ./gradlew -PsingleAbi="arm" assembleRelease will add both arm64-v8a and armeabi-v7a to apk
@IzzySoft Sorry for late reply did some changes to target specific abi or just arm or universal using Project property
singleAbi. Default still splits to many apks.singleAbiparam valuesarm,x86x86_64arm64-v8aarmeabi-v7auniversalexamplegradlew -PsingleAbi="arm" assembleRelease
Thanks! Then I can verify again once a new release is available (as verification needs 2 APKs built from the very same commit: one by you, one by the verification builder). Are there any plans for a new release yet? Once that day comes, please remember the "first basic rule" from our hints on reproducible builds – and build the APK from a clean tree at exactly the commit the tag will point to :wink:
And btw, gradlew -PsingleAbi="arm" assembleRelease produces the following APKs:
+ find . -name '*.apk'
./app/build/outputs/apk/release/app-arm64-v8a-release-unsigned.apk
./app/build/outputs/apk/release/app-x86_64-release-unsigned.apk
./app/build/outputs/apk/release/app-universal-release-unsigned.apk
./app/build/outputs/apk/release/app-x86-release-unsigned.apk
./app/build/outputs/apk/release/app-armeabi-v7a-release-unsigned.apk
I don't see the APK combining the two ARM ABis there. But that was at tag 1.03– I see that singleAbi has only been introduced after that. So any ETA for a release including this?