VirtCode / SmartMouse

use your smartphone as a normal computer mouse
GNU General Public License v3.0

Reproducible Builds #20

Closed IzzySoft closed 2 months ago

IzzySoft commented 2 months ago

I've checked your app if its build is reproducible (see: Reproducible builds, special client support and more in our repo), but while I was able to successfully generate the APK using ./gradlew assembleRelease, the differences to the one provided at your latest release were huge. Was that APK really built from the commit the tag points to? If so, did I miss some build options? And if not, which commit was it?

APK Diff:

-------------------------------
--- /dev/fd/63  2024-06-27 19:11:31.934606276 +0200
+++ /dev/fd/62  2024-06-27 19:11:31.934606276 +0200
@@ -1,7 +1,7 @@
   META-INF/com/android/build/gradle/app-metadata.properties
   32-bit CRC value (hex):                         05cd8676
   classes.dex
-  32-bit CRC value (hex):                         1b44306c
+  32-bit CRC value (hex):                         86d0052d
   META-INF/androidx.activity_activity.version
   32-bit CRC value (hex):                         7c5a3320
   META-INF/androidx.annotation_annotation-experimental.version

A tiny section from the Dex diff:

  Class descriptor  : 'Lch/virt/smartphonemouse/transmission/DeviceStorage$1;'
   Access flags      : 0x0000 ()
@@ -810396,7 +810394,6 @@
.
   VISIBILITY_SYSTEM Ldalvik/annotation/EnclosingClass; value=Lch/virt/smartphonemouse/ui/connect/ConnectSelectSubfragment$ListAdapter;
   VISIBILITY_SYSTEM Ldalvik/annotation/InnerClass; accessFlags=1 name="ViewHolder"
-  VISIBILITY_SYSTEM Ldalvik/annotation/MethodParameters; accessFlags={ 32784 0 } names={ null null }
.
   Class descriptor  : 'Lch/virt/smartphonemouse/ui/connect/ConnectSelectSubfragment$ListAdapter$ViewHolder;'
   Access flags      : 0x0001 (PUBLIC)
@@ -810584,8 +810581,6 @@
   VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Landroidx/recyclerview/widget/RecyclerView$Adapter<" "Lch/virt/smartphonemouse/ui/connect/ConnectSelectSubfragment$ListAdapter$ViewHolder;" ">;" }
   VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Ljava/util/List<" "Lch/virt/smartphonemouse/transmission/HostDevice;" ">;" }
   VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "(" "Ljava/util/List<" "Lch/virt/smartphonemouse/transmission/HostDevice;" ">;)V" }
-  VISIBILITY_SYSTEM Ldalvik/annotation/MethodParameters; accessFlags={ 4096 4096 } names={ null null }
-  VISIBILITY_SYSTEM Ldalvik/annotation/MethodParameters; accessFlags={ 4096 4096 } names={ null null }
.
   Class descriptor  : 'Lch/virt/smartphonemouse/ui/connect/ConnectSelectSubfragment$ListAdapter;'
   Access flags      : 0x0000 ()
@@ -811085,7 +811080,6 @@
.
   VISIBILITY_SYSTEM Ldalvik/annotation/EnclosingClass; value=Lch/virt/smartphonemouse/ui/connect/dialog/AddSelectSubdialog$ListAdapter;
   VISIBILITY_SYSTEM Ldalvik/annotation/InnerClass; accessFlags=1 name="ViewHolder"
-  VISIBILITY_SYSTEM Ldalvik/annotation/MethodParameters; accessFlags={ 32784 0 } names={ null null }
.
   Class descriptor  : 'Lch/virt/smartphonemouse/ui/connect/dialog/AddSelectSubdialog$ListAdapter$ViewHolder;'
   Access flags      : 0x0001 (PUBLIC)
@@ -811220,8 +811214,6 @@
   VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Landroidx/recyclerview/widget/RecyclerView$Adapter<" "Lch/virt/smartphonemouse/ui/connect/dialog/AddSelectSubdialog$ListAdapter$ViewHolder;" ">;" }
   VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Ljava/util/List<" "Lch/virt/smartphonemouse/transmission/BluetoothDiscoverer$DiscoveredDevice;" ">;" }
   VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "(" "Ljava/util/List<" "Lch/virt/smartphonemouse/transmission/BluetoothDiscoverer$DiscoveredDevice;" ">;)V" }
-  VISIBILITY_SYSTEM Ldalvik/annotation/MethodParameters; accessFlags={ 4096 4096 } names={ null null }
-  VISIBILITY_SYSTEM Ldalvik/annotation/MethodParameters; accessFlags={ 4096 4096 } names={ null null }
.
   Class descriptor  : 'Lch/virt/smartphonemouse/ui/connect/dialog/AddSelectSubdialog$ListAdapter;'
   Access flags      : 0x0000 ()

We'd appreciate if you could help making your build reproducible. We've prepared some hints on reproducible builds for that.

Looking forward to your reply!
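The per-entry CRC comparison shown in the APK diff above can be reproduced with a short script. This is an added example, not part of the original issue and not IzzyOnDroid's tooling; the function names and the in-memory sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# v1 (JAR) signature files live in META-INF and exist only in the signed APK,
# so they are excluded before comparing an upstream release with a rebuild.
SIGNATURE_ENTRY = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")


def entry_crcs(apk):
    """Map each non-signature entry name to the CRC-32 stored in the ZIP directory."""
    with zipfile.ZipFile(apk) as zf:
        return {info.filename: info.CRC for info in zf.infolist()
                if not SIGNATURE_ENTRY.match(info.filename)}


def compare_apks(upstream, rebuilt):
    """Return (only_in_upstream, only_in_rebuilt, changed) as sorted name lists."""
    a, b = entry_crcs(upstream), entry_crcs(rebuilt)
    only_a = sorted(a.keys() - b.keys())
    only_b = sorted(b.keys() - a.keys())
    changed = sorted(name for name in a.keys() & b.keys() if a[name] != b[name])
    return only_a, only_b, changed


def make_sample_apk(dex_bytes, signed):
    """Build a constructed in-memory stand-in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/com/android/build/gradle/app-metadata.properties",
                    "appMetadataVersion=1.1\n")
        zf.writestr("classes.dex", dex_bytes)
        zf.writestr("META-INF/androidx.activity_activity.version", "1.0.0\n")
        if signed:  # constructed placeholder signature entries
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    upstream = make_sample_apk(b"dex compiled by toolchain A", signed=True)
    rebuilt = make_sample_apk(b"dex compiled by toolchain B", signed=False)
    only_up, only_re, changed = compare_apks(upstream, rebuilt)
    print("only in upstream:", only_up)
    print("only in rebuild: ", only_re)
    print("content differs: ", changed)
```

An empty result here is necessary but not sufficient: ZIP ordering, timestamps and alignment are not compared, which is why the verification later in this thread copies the upstream signature onto the rebuilt APK and compares whole-file SHA-256 hashes.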

VirtCode commented 2 months ago

The APK I uploaded to the v1.4.1 release page was indeed not actually built from the tag, but rather from https://github.com/VirtCode/SmartMouse/commit/4bbbdd83d53336237fa2a060f57d35bb98c2a5f6 (as specified on the release page). I wanted to remove the signature blobs, but didn't feel like creating a new release just for that, so I manually built and uploaded an APK from a later commit.

So I tried to reproduce the build from that commit, and I indeed got the same diff as you posted here. After some poking around, it turns out that I seem to have built that APK with openjdk-21 (my system JDK at the time), and not openjdk-17, which you are using? If I build with 17, I'd get the same diff as you, but the diff is empty when building with 21 or 22.

So the issue currently seems that this one APK, which I built manually, was built with 21, and not 17. This issue should not arise in future releases because normally the APKs would be built in the CI which uses openjdk-17.

But for the current release:

What would be best?

IzzySoft commented 2 months ago

Ah, that explains! And we can use either SDK 17 or 21, both are fine. As replacing an already distributed APK is not recommended, I'd suggest we start with the next release to attempt RB. You say that will use SDK-17, so we can stick with that. Just remember to let me know should you switch – or make it "clearly visible" e.g. in your build.gradle (a comment suffices, though there are settings to indicate the java version needed). Copy-pasting from a different project:

    compileOptions {
        sourceCompatibility = JavaVersion.VERSION_1_8
        targetCompatibility = JavaVersion.VERSION_1_8
    }

Though that just indicates the minimum compatible version – as your app compiles fine with 17, putting that to 21 would be a little lie I guess :see_no_evil: Should you go for that, please check for the implications though; I'm not an Android dev, so my knowledge there is purely theoretical.

Leaving it to you which variant to use. Giving me a ping is the fastest variant I guess. So yes, your last bullet point would be great! Let me know when the release is out, and I'll start verification ASAP.

VirtCode commented 2 months ago

Okay, just pushed a new release and tag v1.4.2.

I've decided to update the CI to JDK 21, as that will be supported for longer. So the current and all the future builds will be built with JDK 21. I will ping you here if I decide to upgrade the release JDK in the future, as that is probably the easiest.

I hope this works with your reproducible build system, and thank you so much for taking the time to look into this.

IzzySoft commented 2 months ago

Aaaaand… Congrats! :partying_face:

    "upstream_signed_apk_sha256": "a710a793077fa5cae595f9600133561608bb83178b01bf9b97710d12e6acc34d",
    "built_unsigned_apk_sha256": "418bcb79c94aea88b09478755c285b9f12730dced4e25ec2501d41c95704bd17",
    "signature_copied_apk_sha256": "a710a793077fa5cae595f9600133561608bb83178b01bf9b97710d12e6acc34d"

Testrun says that's RB! Now going for the real one… Yupp, twice confirmed:

--- END BUILD LOG ---
Keeping 'a710a793077fa5cae595f9600133561608bb83178b01bf9b97710d12e6acc34d-ch.virt.smartphonemouse-v1.4.2-upstream.apk'...
Keeping '418bcb79c94aea88b09478755c285b9f12730dced4e25ec2501d41c95704bd17-ch.virt.smartphonemouse-v1.4.2-unsigned.apk'...
Reproducible: True

so even consistent. So here's the log (aka "proof") – and with the next sync around 6 pm UTC, your app will show up with the green shield at IoD:

image

(screenshot from staging). Seeing the chocolate: what is the location permission needed for? And, would there maybe be a screenshot or two to make it "look nicer"?

VirtCode commented 2 months ago

That's great!

As for the location permissions, these are required on Android 11 and below to be able to discover bluetooth devices. This app requires that as it allows the user to directly connect unpaired devices. While newer Android versions (12 and up) have a specific permission just for bluetooth device discovery, I still want to support these older versions for now.

I have also uploaded some screenshots lately to a directory in this repo, which could be used in the listing.

The RBs seem to work nicely, so I think I can close this one. Thanks again for your efforts.

IzzySoft commented 2 months ago

> required on Android 11 and below to be able to discover bluetooth devices

Thanks for confirming my guess! Added the permission to your app's "green list" then with the quoted description, for transparency.

> I have also uploaded some screenshots

Nice, thanks! Added them here as well, should show up with the next sync around 6 pm UTC then.

Btw, if you want to, I can send you a PR with the metadata in fastlane format (you can use the IzzyOnDroid Fastlane Documentation as reference to build upon that then). That way you could maintain description and graphics yourself whenever changes are needed, and the IoD updater would pull that along with the next release. Just let me know if you want it, it's a matter of 5 min for me to get it ready.

> The RBs seem to work nicely, so I think I can close this one.

Yupp, full ack. And thanks for your help with that! Earned you a special toot already, to raise awareness for your app :wink:

VirtCode commented 2 months ago

That fastlane metadata sounds cool, I'm gonna look into it once I have a bit more time on my hands. I'll send you a ping then if you don't mind.

IzzySoft commented 2 months ago

Sure! And my offer stands: I can send you a PR with a starter package you then could build on, so you wouldn't have to figure everything yourself. Always easier if one has a ready-to-use template :wink: