Mishiranu / Dashchan

Imageboards client for Android
GNU General Public License v3.0

F-Droid reproducible build failed #298

Closed linsui closed 3 years ago

linsui commented 3 years ago

Could you please take a look? Thanks!

Mishiranu commented 3 years ago

https://gitlab.com/fdroid/fdroiddata/-/merge_requests/9323 I sign the APK using gradle, but it seems that reproducible builds require APKs signed by apksigner instead. I re-signed the APK and replaced the old one. Hopefully next build will be successful.

linsui commented 3 years ago

It should be that issue. See https://github.com/jellyfin/jellyfin-android/issues/414. Thanks!

Mishiranu commented 3 years ago

The reason is that signature copying failed: "APK Signing Block offset < central directory offset", according to the build log. I reproduced the bug using a local fdroidserver. Re-signing the APK using apksigner fixed the issue for me:

2021-07-03 15:12:57,975 INFO: Successfully built version 3.1.4 of com.mishiranu.dashchan from 9cb7bc3b4fdec3aa06fbc6dd9496efcfbe6ad03e
2021-07-03 15:12:58,118 INFO: Created directory for storing developer supplied reference binaries: 'unsigned/binaries'
2021-07-03 15:12:58,118 INFO: ...retrieving https://github.com/Mishiranu/Dashchan/releases/download/3.1.4/Dashchan.apk
2021-07-03 15:13:00,063 INFO: ...successfully verified
2021-07-03 15:13:00,063 INFO: compared built binary to supplied reference binary successfully
2021-07-03 15:13:00,064 INFO: success: com.mishiranu.dashchan
2021-07-03 15:13:00,064 INFO: Finished
2021-07-03 15:13:00,064 INFO: 1 build succeeded

Also: https://gitlab.com/fdroid/fdroiddata/-/commit/79b81e09ff293c02233a6b1a1cdef33457968b82 Don't disable releases this fast. Running the build multiple times (and trying fixes on the developer side) is not that bad an approach for testing reproducible builds.

linsui commented 3 years ago

It failed in the CI. Is that a CI issue, or hasn't the new APK been uploaded? https://gitlab.com/linsui/fdroiddata/-/jobs/1397311195

Mishiranu commented 3 years ago

It was. But we can't make any conclusions for sure just looking at CI builds. It works on my machine, and it doesn't work on CI. Build server will be the only source of truth there.

I downloaded the artifact built by CI, and its APK matches the APK built on my machine.

$ sha256sum Dashchan-release-unsigned.apk com.mishiranu.dashchan_1043.apk
4066bafd8b3f46aef55d0003558732cf98f00ea8165ff11a62e3c363bf6e5ac1  Dashchan-release-unsigned.apk
4066bafd8b3f46aef55d0003558732cf98f00ea8165ff11a62e3c363bf6e5ac1  com.mishiranu.dashchan_1043.apk

Mishiranu commented 3 years ago

Also:

$ apksigcopier copy Dashchan-release.apk com.mishiranu.dashchan_1043.apk out.apk
$ sha256sum Dashchan-release.apk out.apk 
10ead15f12247725495d3b7df1a701949c948b12f949303fcf9d603b246189df  Dashchan-release.apk
10ead15f12247725495d3b7df1a701949c948b12f949303fcf9d603b246189df  out.apk
$ apksigner verify --min-sdk-version 16 --verbose out.apk 
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
WARNING: META-INF/services/com.fasterxml.jackson.core.JsonFactory not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.

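The error quoted earlier in the thread and the apksigcopier session above both hinge on where the APK Signing Block sits relative to the ZIP central directory. The following Python is an added example, not code from this thread, apksigcopier or fdroidserver: it reads both offsets from an APK, and checks the precondition assumed here for signature copying (the signed APK's block must start exactly where the unsigned build's central directory starts). The "unsigned APK" and the signing block it inserts are constructed stand-ins with a dummy v2 payload.

```python
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # magic at the end of every APK Signing Block
EOCD_SIGNATURE = b"PK\x05\x06"         # ZIP end-of-central-directory record marker
V2_BLOCK_ID = 0x7109871A               # ID of the APK Signature Scheme v2 block


def central_directory_offset(apk: bytes) -> int:
    """Read the central directory offset from the EOCD record (22 bytes + comment)."""
    pos = apk.rfind(EOCD_SIGNATURE, max(0, len(apk) - 22 - 65535))
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    return struct.unpack_from("<I", apk, pos + 16)[0]


def signing_block_offset(apk: bytes):
    """Offset of the Signing Block preceding the central directory, or None (no v2/v3 block)."""
    cd = central_directory_offset(apk)
    if cd < 24 or apk[cd - 16:cd] != SIG_BLOCK_MAGIC:
        return None
    size = struct.unpack_from("<Q", apk, cd - 24)[0]  # excludes the leading size field
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("malformed APK Signing Block: size fields disagree")
    return start


def offsets_line_up(unsigned: bytes, signed: bytes) -> bool:
    """Assumed precondition for copying a signature (not apksigcopier's own check):
    the signed APK's block starts exactly where the unsigned build's central directory starts."""
    start = signing_block_offset(signed)
    return start is not None and start == central_directory_offset(unsigned)


def build_zip(entries: dict) -> bytes:
    """Constructed stand-in for an unsigned APK: a stored ZIP with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def insert_signing_block(apk: bytes, payload: bytes) -> bytes:
    """Insert a constructed Signing Block (one v2 ID-value pair of dummy bytes) before the CD."""
    cd = central_directory_offset(apk)
    pair = struct.pack("<QI", 4 + len(payload), V2_BLOCK_ID) + payload
    size = len(pair) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    eocd = apk.rfind(EOCD_SIGNATURE)
    patched = apk[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + apk[eocd + 20:]
    return apk[:cd] + block + apk[cd:eocd] + patched
```

A real APK whose entries, alignment or padding differ from the unsigned build moves the central directory, and `offsets_line_up` then returns False for exactly the reason the build log complained about.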
linsui commented 3 years ago

Let's test. https://gitlab.com/fdroid/fdroiddata/-/merge_requests/9335

Mishiranu commented 3 years ago

It works https://monitor.f-droid.org/builds/log/com.mishiranu.dashchan/1043

linsui commented 3 years ago

Thanks!