PhilKes / NotallyX

Minimalistic Android note taking App | Notally, but eXtended.
GNU General Public License v3.0
78 stars, 2 forks

error in gradle wrapper #71

Status: Closed (by IzzySoft, 3 weeks ago)

IzzySoft commented 4 weeks ago

Trying to build your app, gradle wrapper throws an error:

Your Gradle distribution may have been tampered with.
Confirm that the 'distributionSha256Sum' property in your gradle-wrapper.properties file is correct and you are downloading the wrapper from a trusted source.

 Distribution Url: https://services.gradle.org/distributions/gradle-8.9-bin.zip
Download Location: /build/.gradle/wrapper/dists/gradle-8.9-bin/90cnw93cvbtalezasaz0blq0a/gradle-8.9-bin.zip
Expected checksum: '258e722ec21e955201e31447b0aed14201765a3bfbae296a46cf60b70e66db70'
  Actual checksum: 'd725d707bfabd4dfdc958c624003b3c80accc03f7037b5122c4b1d0ef15cecab'

You've picked the checksum from the -all.zip but are using the -bin.zip. So if you replace the hash put here with what the output states as "Actual checksum", that would be fixed. Reference: Gradle checksums. Thanks!
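To see what the wrapper is actually checking, here is an added example (not part of this issue or of the NotallyX project) that recomputes the `distributionSha256Sum` comparison outside Gradle and classifies the result. It assumes only the two Gradle 8.9 sums quoted in the report above (taken as the -all and -bin sums, as stated there); the properties text and the archive bytes in the usage are constructed, and `check_distribution_file` takes whatever local paths you have, e.g. the zip the wrapper left in its dists directory.

```python
import hashlib

# Gradle 8.9 sums as they appear in this issue: the properties file carried the
# -all.zip sum while distributionUrl pointed at the -bin.zip (values from the report).
KNOWN_SUMS_8_9 = {
    "all": "258e722ec21e955201e31447b0aed14201765a3bfbae296a46cf60b70e66db70",
    "bin": "d725d707bfabd4dfdc958c624003b3c80accc03f7037b5122c4b1d0ef15cecab",
}


def parse_wrapper_properties(text):
    """Minimal .properties reader: '#'/'!' comment lines skipped, first '=' splits
    key and value, and the '\\:' escape Gradle writes into distributionUrl is undone."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def distribution_flavour(url):
    """'bin' or 'all' according to the archive name in distributionUrl, else 'unknown'."""
    name = url.rsplit("/", 1)[-1]
    if name.endswith("-bin.zip"):
        return "bin"
    if name.endswith("-all.zip"):
        return "all"
    return "unknown"


def check_distribution(properties_text, distribution_bytes, known_sums=KNOWN_SUMS_8_9):
    """Redo the wrapper's check and say why it failed, if it did:
       'unpinned'       no distributionSha256Sum at all, so nothing is verified
       'ok'             pinned sum matches the downloaded archive
       'wrong-flavour'  pinned sum is the known sum of the *other* archive (-all vs -bin)
       'mismatch'       pinned sum matches neither the archive nor a known sum"""
    props = parse_wrapper_properties(properties_text)
    url = props.get("distributionUrl", "")
    expected = props.get("distributionSha256Sum", "").strip().lower()
    actual = hashlib.sha256(distribution_bytes).hexdigest()
    flavour = distribution_flavour(url)
    if not expected:
        verdict = "unpinned"
    elif expected == actual:
        verdict = "ok"
    else:
        other = {"bin": "all", "all": "bin"}.get(flavour)
        verdict = "wrong-flavour" if known_sums.get(other) == expected else "mismatch"
    return {"url": url, "flavour": flavour, "expected": expected,
            "actual": actual, "verdict": verdict}


def check_distribution_file(properties_path, distribution_path):
    """Same check against files on disk (paths are whatever your checkout and
    wrapper cache use; none are taken from the issue)."""
    with open(properties_path, encoding="utf-8") as f:
        props_text = f.read()
    with open(distribution_path, "rb") as f:
        return check_distribution(props_text, f.read())


if __name__ == "__main__":
    # Constructed properties text mirroring the situation in the report.
    sample = (
        "distributionUrl=https\\://services.gradle.org/distributions/gradle-8.9-bin.zip\n"
        "distributionSha256Sum=" + KNOWN_SUMS_8_9["all"] + "\n"
    )
    print(check_distribution(sample, b"not the real archive")["verdict"])
```

The point of the four-way verdict is that an "unpinned" wrapper is silently unverified, while "wrong-flavour" is the benign mix-up this issue hit; only "mismatch" is the case where the tampering warning deserves a closer look.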

IzzySoft commented 4 weeks ago

PS, while I'm here:

SigningBlock blobs:
-------------------
0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)

This can easily be avoided with a minor addition to your build.gradle:

android {
    dependenciesInfo {
        // Disables dependency metadata when building APKs.
        includeInApk = false
        // Disables dependency metadata when building Android App Bundles.
        includeInBundle = false
    }
}

For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Some positive notes at the end of my report:
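The blob listing above comes from inspecting the APK Signing Block, which sits just before the zip's central directory. The following is an added example (not code from this issue, from IzzyOnDroid, or from NotallyX) that walks that block, lists the IDs it contains and flags the `0x504b4453` one, so a publisher can confirm the `dependenciesInfo` change took effect before uploading. The fixture builder at the end splices a hand-made block into a one-entry zip; its pair values are dummies, not signatures, and the block-ID names other than the one in this issue are the scheme IDs as I know them.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
DEPENDENCY_INFO_BLOCK_ID = 0x504B4453  # the ID reported in this issue

# Block IDs commonly found inside the APK Signing Block.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x1B93AD61: "APK Signature Scheme v3.1",
    0x42726577: "verity padding",
    DEPENDENCY_INFO_BLOCK_ID: "DEPENDENCY_INFO_BLOCK; GOOGLE",
}


def _eocd_offset(data):
    """Offset of the End Of Central Directory record (last 'PK\\x05\\x06')."""
    off = data.rfind(b"PK\x05\x06")
    if off < 0:
        raise ValueError("not a zip: no EOCD record")
    return off


def signing_block_pairs(data):
    """Return [(id, value_bytes), ...] from the APK Signing Block, or [] if there
    is none. Layout (little endian): u64 size | id-value pairs | u64 size |
    16-byte magic, placed immediately before the central directory."""
    eocd = _eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    if cd_offset < 32 or bytes(data[cd_offset - 16:cd_offset]) != APK_SIG_BLOCK_MAGIC:
        return []
    size_tail = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    block_start = cd_offset - size_tail - 8
    if block_start < 0:
        raise ValueError("APK Signing Block size exceeds file")
    size_head = struct.unpack_from("<Q", data, block_start)[0]
    if size_head != size_tail:
        raise ValueError("APK Signing Block size fields disagree")
    pairs = []
    pos, end = block_start + 8, cd_offset - 24
    while pos < end:
        length = struct.unpack_from("<Q", data, pos)[0]  # length of id + value
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed id-value pair")
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        pairs.append((block_id, bytes(data[pos + 12:pos + 8 + length])))
        pos += 8 + length
    return pairs


def describe_signing_block(data):
    """Lines in the style of the report above, one per blob."""
    return ["0x%08x (%s)" % (i, KNOWN_BLOCK_IDS.get(i, "unknown"))
            for i, _ in signing_block_pairs(data)]


def has_dependency_info_block(data):
    return any(i == DEPENDENCY_INFO_BLOCK_ID for i, _ in signing_block_pairs(data))


def build_apk_fixture(pairs):
    """Constructed fixture: a one-entry zip with an APK Signing Block holding the
    given (id, value) pairs spliced in before the central directory, EOCD fixed up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    data = bytearray(buf.getvalue())
    if not pairs:
        return bytes(data)
    eocd = _eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(data[:cd_offset] + block + data[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


if __name__ == "__main__":
    sample = build_apk_fixture([(0x7109871A, b"dummy-v2"), (DEPENDENCY_INFO_BLOCK_ID, b"opaque")])
    print("\n".join(describe_signing_block(sample)))
```

Run it against a real release APK by reading the file into `data` and calling `describe_signing_block(data)`; an APK built with `includeInApk = false` should list only the signature-scheme (and possibly padding) IDs.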

PhilKes commented 4 weeks ago

Thanks, I guess I messed up my gradle setup in AndroidStudio and didn't notice 😁

> PS, while I'm here:
>
> SigningBlock blobs:
> -------------------
> 0x504b4453 (DEPENDENCY_INFO_BLOCK; GOOGLE)
>
> This can easily be avoided with a minor addition to your build.gradle:
>
> android {
>     dependenciesInfo {
>         // Disables dependency metadata when building APKs.
>         includeInApk = false
>         // Disables dependency metadata when building Android App Bundles.
>         includeInBundle = false
>     }
> }
>
> For some background: that BLOB is supposed to be just a binary representation of your app's dependency tree. But as it's encrypted with a public key belonging to Google, only Google can read it – and nobody else can even verify what it really contains. More details can be found e.g. here: Ramping up security: additional APK checks are in place with the IzzyOnDroid repo.

Is the dependenciesInfo needed when publishing to the Google Play Store?

IzzySoft commented 4 weeks ago

> Thanks, I guess I messed up my gradle setup in AndroidStudio and didn't notice 😁

:hankey: happens :zany_face: Want to know what I did?

apk_url: https://github.com/PhilKes/NotallyX/releases/download/v6.0/NotallyX-6.0.apk
build:
  - sed -r 's/258e722ec21e955201e31447b0aed14201765a3bfbae296a46cf60b70e66db70/d725d707bfabd4dfdc958c624003b3c80accc03f7037b5122c4b1d0ef15cecab/' -i gradle/wrapper/gradle-wrapper.properties
  - chmod +x gradlew
  - ./gradlew assembleRelease
  - mv app/build/outputs/apk/release/*unsigned.apk /outputs/unsigned.apk

I know the gradle sum matching, so that was the easy thing to do. Mission accomplished :rofl:

> Is the dependenciesInfo needed when publishing to the Google Play Store?

Not enforced AFAIK. But no prob if you leave it in for the AABs, IzzyOnDroid takes the APKs only. So when in doubt, simply skip the includeInBundle line (or comment it out, or set it to true). We just need to disable it for APKs here.

Btw: The F-Droid badge on your Readme points to a 404. Mind adding the IoD badge, pointing it here? Working page, and working repository that can be used with the F-Droid client of your choice :wink:

PS: If you want, I can help you adjusting the full_description.txt so the results look "more appealing". Just let me know. Minimal changes required. Compatible with F-Droid, IzzyOnDroid, PlayStore… :wink:

IzzySoft commented 3 weeks ago

So no badge for IzzyOnDroid? And my offer concerning the app description is not tempting you? Just wondering, @PhilKes :wink:

IzzySoft commented 1 week ago

@PhilKes unfortunately, v6.1.1 is no longer reproducible:

  -rw-r--r--  0.0 unx      120 b-      118 defN 1981-01-01 01:01:02 af85df06 META-INF/version-control-info.textproto
- -rw-r--r--  0.0 unx     1343 b-     1343 stor 1981-01-01 01:01:02 6e219c4c assets/dexopt/baseline.prof
- -rw-r--r--  0.0 unx      241 b-      241 stor 1981-01-01 01:01:02 4ade14c7 assets/dexopt/baseline.profm
- -rw-r--r--  0.0 unx  3983372 b-  1734501 defN 1981-01-01 01:01:02 444ec939 classes.dex
+ -rw-r--r--  0.0 unx     1215 b-     1215 stor 1981-01-01 01:01:02 7b0d0898 assets/dexopt/baseline.prof
+ -rw-r--r--  0.0 unx      241 b-      241 stor 1981-01-01 01:01:02 384786e5 assets/dexopt/baseline.profm
+ -rw-r--r--  0.0 unx  3982044 b-  1733848 defN 1981-01-01 01:01:02 956f9ec2 classes.dex
  -rw-r--r--  0.0 unx  3598712 b-  1500371 defN 1981-01-01 01:01:02 e9de471a lib/arm64-v8a/libsqlcipher.so

Baseline differs because classes.dex differs – and the diff of the latter is rather huge (~1 MB). Do you have any idea what might be wrong there? Maybe you've built from a "dirty tree" (caches, artifacts, local changes)? If you want to take a look: dex.diff.gz

Thanks in advance!
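The listing diff above is the first step of a reproducible-build check: compare the two APKs entry by entry on size and CRC before spending time on a byte-level dex diff. Here is an added example of that step (not the tooling IzzyOnDroid uses, nor anything from the NotallyX repository) that reads only the central directory of each zip and reports which members changed, appeared or disappeared. The two archives in the usage are constructed in memory; with real files you would pass the bytes of the published APK and of your rebuild.

```python
import io
import zipfile


def build_zip(entries):
    """Constructed fixture: a zip whose members are given as {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def entry_table(data):
    """{name: (uncompressed size, crc32)} from the central directory; nothing is inflated."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: (zi.file_size, zi.CRC) for zi in zf.infolist()}


def compare_builds(first, second):
    """Classify every member of either archive as identical, changed or present on one side only."""
    a, b = entry_table(first), entry_table(second)
    report = {"only_in_first": [], "only_in_second": [], "changed": [], "identical": []}
    for name in sorted(set(a) | set(b)):
        if name not in b:
            report["only_in_first"].append(name)
        elif name not in a:
            report["only_in_second"].append(name)
        elif a[name] != b[name]:
            report["changed"].append(name)
        else:
            report["identical"].append(name)
    return report


def format_diff(first, second):
    """'-'/'+' lines for members that differ, in the spirit of the listing above."""
    a, b = entry_table(first), entry_table(second)
    lines = []
    for name in sorted(set(a) | set(b)):
        if name in a and a.get(name) != b.get(name):
            lines.append("- %8d %08x %s" % (a[name][0], a[name][1], name))
        if name in b and a.get(name) != b.get(name):
            lines.append("+ %8d %08x %s" % (b[name][0], b[name][1], name))
    return lines


def likely_dex_driven(report):
    """True when the only changed members are dex files and dexopt baseline profiles,
    the pattern seen above: the profile is derived from classes.dex, so it follows it."""
    changed = report["changed"]
    return bool(changed) and all(
        n.startswith("classes") and n.endswith(".dex") or n.startswith("assets/dexopt/baseline.prof")
        for n in changed
    )


if __name__ == "__main__":
    published = build_zip({"classes.dex": b"A" * 64, "assets/dexopt/baseline.prof": b"pa", "lib/x.so": b"s"})
    rebuilt = build_zip({"classes.dex": b"B" * 64, "assets/dexopt/baseline.prof": b"pb", "lib/x.so": b"s"})
    print("\n".join(format_diff(published, rebuilt)))
    print("dex-driven:", likely_dex_driven(compare_builds(published, rebuilt)))
```

If `likely_dex_driven` is true the next question is what changed the compiled code: a dirty working tree, a different toolchain version, or build inputs that are not pinned; if other members changed too, start with those instead.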

PhilKes commented 1 week ago

See #126

IzzySoft commented 1 week ago

Thanks! See my note there, too :wink: Next release hopefully won't have the same issue then :crossed_fingers: