PhilKes
commented
6 days ago Thanks for all the infos/logs. I am really not to deep into the whole reproducible-builds topic, but I guess this some local caching problem in my IDE since I built it not via the gradle CLI but with IntelliJs menus.
I re-assembled the .apk locally from the https://github.com/PhilKes/NotallyX/commit/8c321803306c4f7ca4dee3ec0dae941d86a8f673 commit and tried to use diffoscope to find some problems, this is the log (comparing the tmp/com.philkes.notallyx_611.apk from the jobs/8378245253 build artifacts and the locally built app-release.apk):
docker run --rm -t -w $(pwd) -v $(pwd):$(pwd):ro registry.salsa.debian.org/reproducible-builds/diffoscope com.philkes.notallyx_611.apk app-release.apk
--- com.philkes.notallyx_611.apk
+++ app-release.apk
│┄ 'androguard' Python package not installed; cannot extract V2 signing keys.
│┄ 'apktool' not available in path. Format-specific differences are supported for Android APK files. Installing the 'apktool' package may produce better output.
├── /usr/lib/android-sdk/build-tools/debian/apksigner verify --verbose --print-certs {}
│┄ error from `/usr/lib/android-sdk/build-tools/debian/apksigner verify --verbose --print-certs {}` (a):
│┄ DOES NOT VERIFY
│┄ ERROR: Missing META-INF/MANIFEST.MF
│ @@ -0,0 +1,22 @@
│ +Verifies
│ +Verified using v1 scheme (JAR signing): true
│ +Verified using v2 scheme (APK Signature Scheme v2): true
│ +Verified using v3 scheme (APK Signature Scheme v3): false
│ +Verified using v4 scheme (APK Signature Scheme v4): false
│ +Verified for SourceStamp: false
│ +Number of signers: 1
│ +Signer #1 certificate DN: C=DE, CN=XXX
│ +Signer #1 certificate SHA-256 digest: d214b6057b79f82509ddcd1e351965b3c6ecc4b2a3896e5cdf885a70a0b61dfd
│ +Signer #1 certificate SHA-1 digest: a4dc79c7c3a747c84a3675c52a3fe242afd37f47
│ +Signer #1 certificate MD5 digest: ebef395b1e2bf1e6113ece0dfadcce39
│ +Signer #1 key algorithm: RSA
│ +Signer #1 key size (bits): 2048
│ +Signer #1 public key SHA-256 digest: 808193255ef5125001570f54f07b0b39fc34623e5a85f9d0c45bd555ef99f253
│ +Signer #1 public key SHA-1 digest: 0cca4f032a4ba2a3e23afc6a6858b966f31a5fdf
│ +Signer #1 public key MD5 digest: f5b5928e52db27c5713f4b3850dd181a
│ +WARNING: META-INF/com/android/build/gradle/app-metadata.properties not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
│ +WARNING: META-INF/version-control-info.textproto not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
│ +WARNING: META-INF/README.md not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
│ +WARNING: META-INF/services/I2.b not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
│ +WARNING: META-INF/services/kotlinx.coroutines.android.a not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
│ +WARNING: META-INF/services/kotlinx.coroutines.s not protected by signature. Unauthorized modifications to this JAR entry will not be detected. Delete or move the entry outside of META-INF/.
├── zipinfo {}
│ @@ -1,8 +1,8 @@
│ -Zip file size: 8678929 bytes, number of entries: 658
│ +Zip file size: 8737199 bytes, number of entries: 661
│ -rw-r--r-- 0.0 unx 56 b- defN 81-Jan-01 01:01 META-INF/com/android/build/gradle/app-metadata.properties
│ -rw-r--r-- 0.0 unx 120 b- defN 81-Jan-01 01:01 META-INF/version-control-info.textproto
│ -rw-r--r-- 0.0 unx 1215 b- stor 81-Jan-01 01:01 assets/dexopt/baseline.prof
│ -rw-r--r-- 0.0 unx 241 b- stor 81-Jan-01 01:01 assets/dexopt/baseline.profm
│ -rw-r--r-- 0.0 unx 3982044 b- defN 81-Jan-01 01:01 classes.dex
│ -rw-r--r-- 0.0 unx 3598712 b- defN 81-Jan-01 01:01 lib/arm64-v8a/libsqlcipher.so
│ -rw-r--r-- 0.0 unx 2223872 b- defN 81-Jan-01 01:01 lib/armeabi-v7a/libsqlcipher.so
│ @@ -653,8 +653,11 @@
│ -rw---- 0.0 fat 2148 b- defN 81-Jan-01 01:01 res/zM.xml
│ -rw---- 0.0 fat 952 b- defN 81-Jan-01 01:01 res/zR.xml
│ -rw---- 0.0 fat 2463 b- stor 81-Jan-01 01:01 res/zV.9.png
│ -rw---- 0.0 fat 956 b- defN 81-Jan-01 01:01 res/zc.xml
│ -rw---- 0.0 fat 464 b- defN 81-Jan-01 01:01 res/zq.xml
│ -rw---- 0.0 fat 832 b- defN 81-Jan-01 01:01 res/zz.xml
│ -rw---- 0.0 fat 607064 b- stor 81-Jan-01 01:01 resources.arsc
│ -658 files, 18475116 bytes uncompressed, 8608557 bytes compressed: 53.4%
│ +-rw-r--r-- 0.0 unx 57583 b- defN 81-Jan-01 01:01 META-INF/CERT.SF
│ +-rw-r--r-- 0.0 unx 1117 b- defN 81-Jan-01 01:01 META-INF/CERT.RSA
│ +-rw-r--r-- 0.0 unx 57509 b- defN 81-Jan-01 01:01 META-INF/MANIFEST.MF
│ +661 files, 18591325 bytes uncompressed, 8662397 bytes compressed: 53.4%
I'm guessing that looks fine? So I would re-upload the apk to the v6.1.1 release and you can try the build for the original commit https://github.com/PhilKes/NotallyX/commit/8c321803306c4f7ca4dee3ec0dae941d86a8f673 ?
licaon-kter
IzzySoft
What happened?
you've tagged https://github.com/PhilKes/NotallyX/releases/tag/v6.1.1 from https://github.com/PhilKes/NotallyX/commit/8c321803306c4f7ca4dee3ec0dae941d86a8f673
but the tree was at https://github.com/PhilKes/NotallyX/commit/702ddf548e6991b027cae578b3631a786a398153 when you've built the APK
as seen in https://gitlab.com/fdroid/checkupdates-bot-fdroiddata/-/jobs/8378245253
ok, so I use the same commit
702ddf548e6991b027cae578b3631a786a398153but now it's not reproducible any more: https://gitlab.com/fdroid/fdroiddata/-/jobs/8378341071#L451App Version
6.1.1
Android Version
No response
(Optional) Relevant log output
the difflog: not611.log
any ideas?