ImranR98 / Obtainium

Get Android app updates straight from the source.
https://obtainium.imranr.dev
GNU General Public License v3.0

F-Droid reproducible build failed #1702

Open linsui opened 5 days ago

linsui commented 5 days ago

Describe the bug

https://gitlab.com/linsui/fdroiddata/-/jobs/7224096941 1.1.13 reproducible build failed. The content of the apk is identical but the zip metadata is different. I checked 1.1.11 again and I can still rebuild the apk.

Screenshots and Logs

out.txt

ImranR98 commented 4 days ago

Hmm. Do you have any ideas? I haven't changed anything that should affect this afaik.

linsui commented 4 days ago

I have no idea. Can you try rebuilding 1.1.11 and check if the apk is identical to the old one?

ImranR98 commented 4 days ago

app-arm64-v8a-release.zip

ImranR98 commented 4 days ago

Looks like the file hashes are not identical. I built this through GitHub actions so something might be different there.

ImranR98 commented 4 days ago

Do you know what zip metadata is different? I'm assuming the APK signature is okay since Android did not complain when the app was updated.

linsui commented 4 days ago

This is the diff between your new build and old build of 1.1.11. diff.txt

The out.txt above is the diff between your build of 1.1.13 and our build.

ImranR98 commented 4 days ago

Lol, I have no idea how to interpret these.

licaon-kter commented 4 days ago

That's how these look when hitting alignment issues, iirc.

@linsui, none of the 4, 16, 64 values helped?

linsui commented 4 days ago

I didn't try. We shouldn't need to run zipalign again unless we modify the apk.

licaon-kter commented 4 days ago

Who is we? We are not modifying anything on purpose, we try to keep up with the "ever evolving" tooling that changes that, right?

linsui commented 4 days ago

Yes. It seems something in GHA or macOS or something else suddenly changed.

licaon-kter commented 3 days ago

Tried 4 (not needed as it's already 4), 16 and 64 with zipalign from Debian, but not helpful :crying_cat_face:

ldeso commented 3 days ago

The fact that the hash is different on every build may be explained by the Dependency Info Block, an encrypted proprietary blob from Google that is added to APK and AAB files by default and that is not reproducible. This causes the APK signature block to be different on every build even though the signature certificate remains the same.

You could try to remove this blob by adding the following to the file build.gradle:

android {
    // …

    dependenciesInfo {
        includeInApk false
        includeInBundle false
    }
}

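Two checks that bear on this thread, as an added example (not Obtainium's or F-Droid's code): one classifies each entry shared by two builds as differing by content or only by zip metadata (the situation linsui describes), the other lists the ID-value pairs in the APK Signing Block, which is where a dependency-info blob would sit. The v2 signature block ID is the documented one; 0x504B4453 as the dependency-info block ID is an assumption, and sample_apk() builds constructed input rather than a real APK.

```python
# Added example (not Obtainium code): compare two APK builds; list APK Signing Block IDs.
import io
import struct
import zipfile

V2_SIG_ID = 0x7109871A      # APK Signature Scheme v2 block ID (documented)
DEP_INFO_ID = 0x504B4453    # assumed ID of Google's dependency-info block
SIG_BLOCK_MAGIC = b"APK Sig Block 42"

def compare_apks(a: bytes, b: bytes) -> dict:
    """Shared entries that differ by content, and those that differ only by zip metadata."""
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    out = {"content": [], "metadata": []}
    for name in sorted(set(za.namelist()) & set(zb.namelist())):
        meta = [(i.compress_type, i.date_time, len(i.extra), i.header_offset)
                for i in (za.getinfo(name), zb.getinfo(name))]
        if za.read(name) != zb.read(name):
            out["content"].append(name)
        elif meta[0] != meta[1]:  # same payload, different zip bookkeeping (zipalign, signer)
            out["metadata"].append(name)
    return out

def signing_block_ids(apk: bytes) -> list:
    """IDs of the ID-value pairs in the APK Signing Block ([] if the APK has none)."""
    eocd = apk.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]  # excludes its own 8 bytes
    pos, end, ids = cd_offset - size, cd_offset - 24, []
    while pos < end:  # each pair: uint64 length, uint32 id, value
        length = struct.unpack_from("<Q", apk, pos)[0]
        ids.append(struct.unpack_from("<I", apk, pos + 8)[0])
        pos += 8 + length
    return ids

def sample_apk(entries: dict, blocks: dict) -> bytes:
    """Constructed test input: a stored zip with a Signing Block spliced before the CD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(zipfile.ZipInfo(name), data)
    raw = bytearray(buf.getvalue())
    eocd = raw.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", raw, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in blocks.items())
    size = struct.pack("<Q", len(pairs) + 24)
    block = size + pairs + size + SIG_BLOCK_MAGIC
    struct.pack_into("<I", raw, eocd + 16, cd_offset + len(block))  # CD moved past block
    return bytes(raw[:cd_offset] + block + raw[cd_offset:])
```

Run compare_apks() on the upstream and rebuilt APK bytes: an empty "content" list with a non-empty "metadata" list is the pattern this issue reports, and a DEP_INFO_ID hit from signing_block_ids() on the upstream build would point at the dependency-info blob.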
licaon-kter commented 3 days ago

worth a try

linsui commented 3 days ago

The signature is not the same.

linsui commented 1 day ago

Can you try signing the apk with apksigner from build-tools 34 or older?