SlaVcE14/JsonList

Minor issue with reproducible builds

Closed this issue · 9 comments

At IzzyOnDroid we support Reproducible Builds (see: Reproducible Builds, special client support and more at IzzyOnDroid). While your app builds fine, there's an issue with the PNGs not being reproducible. Could it be you're using some image optimization (PNGCrunch & Co) at build time? Those are mostly non-deterministic, and thus better applied before checking in the images. It could also be PNGs generated from vector drawables. Both cases are easy to fix with a short addition to your build.gradle.

For reference, this is the commit in one of our builders marking this.

We'd appreciate if you could help making your build reproducible. We've also prepared some hints on reproducible builds for that.

Looking forward to your reply!

cc @obfusk

I think it's fixed now.
Do I need to make a new release?

I tried to build 5252702 and use the release/ APK: https://github.com/SlaVcE14/JsonList/tree/52527022b7d9ac3dc9da0aeda008aa392fef7111/app/release

but

==== detail begin ====
verification of APK with copied signature failed
Comparing reference APK to APK with copied signature...
Unexpected diff output:
diff -r /tmp/tmps89bkz19/unsigned_binaries_com.sjapps.jsonlist_20.binary/content/META-INF/version-control-info.textproto /tmp/tmps89bkz19/_tmp_tmps89bkz19_sigcp_com.sjapps.jsonlist_20/content/META-INF/version-control-info.textproto
diff -r /tmp/tmps89bkz19/unsigned_binaries_com.sjapps.jsonlist_20.binary/content/META-INF/version-control-info.textproto /tmp/tmps89bkz19/_tmp_tmps89bkz19_sigcp_com.sjapps.jsonlist_20/content/META-INF/version-control-info.textproto
4c4
<   revision: "7f90bf4356d36107b2ea3144e4f2902494f18246"
---
>   revision: "52527022b7d9ac3dc9da0aeda008aa392fef7111"
==== detail end ====

looks like the attached APK was built from a tree at 7f90bf4 maybe with uncommitted code? @SlaVcE14

Yes, the attached APK and the APK in the releases in the last commit is not the same. Do I only need to change the attached APK in the 1.5 release or remove the 1.5 release and make a new release? @licaon-kter

not sure how that affects @IzzySoft now, you could attach it here for us to test, rename it to .APK.ZIP (do not archive it!)

@SlaVcE14 that attached APK is still built from 7f90bf4

please clone a clean tree, checkout 5252702 and build it

@SlaVcE14 👍 🎉 that one is fine

Do I need to make a new release?

Yes please. Except for very rare occasions (usually security-related), one should never replace existing releases which have already been distributed. And for RB to work, the APK must match the commit the tag points to anyway – see the first golden rule in our hints above.

I'm sure LK wants it the same way for F-Droid. The attachment here is fine for testing (we do the same at IzzyOnDroid), but for distribution it must be a release.

Thanks! Also to @licaon-kter for testing 😉
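The revision mismatch in the diff output above can be caught before publishing by reading META-INF/version-control-info.textproto from the APK and comparing it with the commit the tag points to. This is an added example, not part of the thread or of either project's tooling; the function names are hypothetical, the file layout is assumed from the `revision:` line shown in the diff, and the sample APKs are constructed zips holding only that file.

```python
import io
import re
import zipfile

VCS_INFO = "META-INF/version-control-info.textproto"
# Matches the line shown in the verification diff: revision: "<40 hex chars>"
REVISION_RE = re.compile(r'^\s*revision:\s*"([0-9a-f]{40})"\s*$', re.MULTILINE)


def embedded_revision(apk):
    """Return the commit hash recorded in the APK, or None if it is absent."""
    with zipfile.ZipFile(apk) as zf:
        try:
            text = zf.read(VCS_INFO).decode("utf-8")
        except KeyError:
            return None
    match = REVISION_RE.search(text)
    return match.group(1) if match else None


def check_release(apk, tag_commit):
    """Compare the embedded revision with the commit the release tag points to."""
    found = embedded_revision(apk)
    if found is None:
        return "unknown: APK carries no version-control-info revision"
    if found != tag_commit.lower():
        return f"mismatch: APK built from {found}, tag points to {tag_commit}"
    return "ok"


def make_sample_apk(revision):
    """Constructed stand-in for an APK: a zip holding only the metadata file."""
    buf = io.BytesIO()
    body = ('repositories {\n  system: GIT\n  local_root_path: "$PROJECT_DIR"\n'
            f'  revision: "{revision}"\n}}\n')
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(VCS_INFO, body)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    tag = "52527022b7d9ac3dc9da0aeda008aa392fef7111"  # commit from the diff above
    stale = make_sample_apk("7f90bf4356d36107b2ea3144e4f2902494f18246")
    print(check_release(stale, tag))                  # mismatch, as in the thread
    print(check_release(make_sample_apk(tag), tag))   # ok
```

For a real release, pass the path of the built APK and the output of `git rev-parse <tag>^{commit}`. A matching revision does not show the tree was clean, so the build should still come from a fresh clone as requested in the thread.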