d4rken-org / permission-pilot

Android permission explorer 🧑‍✈️
GNU General Public License v3.0

Reproducible Builds #206

Open IzzySoft opened 3 days ago

IzzySoft commented 3 days ago

At IzzyOnDroid we support Reproducible Builds (see: Reproducible Builds, special client support and more at IzzyOnDroid). Trying for yours, I was able to successfully generate the APK using ./gradlew assembleFossRelease, but the resulting APKs were not identical. One culprit is an embedded build timestamp – but even if I "override" that (using sed to replace ${buildtime()} with the timestamp from your APK), there are differences in classes.dex remaining, see contents of diff.zip. The essential parts are:

-  VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Leu/darken/myperm/common/lists/differ/AsyncDiffer$callback$1;" }
+  VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Leu/darken/myperm/common/lists/differ/AsyncDiffer$callback$1<" "TA;TT;>;" }

-  VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Leu/darken/myperm/common/viewbinding/ViewBindingProperty$onDestroyObserver$1;" }
+  VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Leu/darken/myperm/common/viewbinding/ViewBindingProperty$onDestroyObserver$1<" "TComponentT;TBindingT;>;" }

(- is your APK, + is the one I built). In case it's relevant: the build here happened on Debian bookworm with OpenJDK 17.

I hope you have an idea where that difference comes from, and how it can be avoided? Also, could the buildtime() be replaced by something reproducible (e.g. commit count, commit hash, time of the last commit) or skipped altogether?

We'd appreciate it if you could help make your build reproducible. We've prepared some hints on reproducible builds for that.

Thanks in advance – and looking forward to your reply!
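To locate where a rebuild diverges from the upstream APK, the first useful step is an entry-by-entry comparison of the two archives: content changes (such as the classes.dex difference above) versus metadata-only changes such as zip entry timestamps. The following is an added example, not code from the permission-pilot project; the two sample "APKs" are constructed in memory so it runs offline.

```python
"""Compare two APKs (zip archives) entry by entry to find reproducibility breaks.

Added example, not part of permission-pilot. Entries that differ in CRC32 or
size are content differences; entries that differ only in zip metadata (entry
date_time, compression method) are a separate, usually easier-to-fix class.
"""
import io
import zipfile


def apk_entry_report(apk_a: bytes, apk_b: bytes) -> dict:
    """Return lists of entries that differ in content, metadata only, or exist on one side."""
    report = {"content": [], "metadata": [], "only_a": [], "only_b": []}
    with zipfile.ZipFile(io.BytesIO(apk_a)) as za, zipfile.ZipFile(io.BytesIO(apk_b)) as zb:
        infos_a = {i.filename: i for i in za.infolist()}
        infos_b = {i.filename: i for i in zb.infolist()}
        for name in sorted(set(infos_a) | set(infos_b)):
            if name not in infos_b:
                report["only_a"].append(name)
            elif name not in infos_a:
                report["only_b"].append(name)
            else:
                ia, ib = infos_a[name], infos_b[name]
                if ia.CRC != ib.CRC or ia.file_size != ib.file_size:
                    report["content"].append(name)  # bytes differ, e.g. classes.dex
                elif ia.date_time != ib.date_time or ia.compress_type != ib.compress_type:
                    report["metadata"].append(name)  # same bytes, different zip metadata
    return report


def build_sample_apk(dex: bytes, stamp: tuple) -> bytes:
    """Constructed sample 'APK': a zip with a manifest, a dex file and one resource."""
    entries = (("AndroidManifest.xml", b"<manifest/>"), ("classes.dex", dex), ("res/raw/a.txt", b"same"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            z.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed pair: different dex bytes and a different build timestamp on every entry.
    upstream = build_sample_apk(b"dex-upstream", (2024, 1, 1, 0, 0, 0))
    rebuilt = build_sample_apk(b"dex-rebuilt!", (2024, 6, 1, 12, 0, 0))
    for kind, names in apk_entry_report(upstream, rebuilt).items():
        print(f"{kind}: {names}")
```

On real files, read both APKs with `open(path, "rb").read()` and pass the bytes to `apk_entry_report`; entries in the `content` list are the ones worth unpacking and diffing further (for dex, with a disassembler such as the one that produced the signature lines above).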

d4rken commented 3 days ago

I can change the build-time being included, but I have no idea where the other differences come from. Don't have time to look into that either, sorry.

IzzySoft commented 3 days ago

Fair enough Matthias – thanks! So maybe fix that build-time thingy, and confirm which SDK you build with and on what OS (so we can rule out anything coming from that end)? Mine is stated above – but I can switch to e.g. ubuntu:jammy and OpenJDK-21 when needed.

IzzySoft commented 3 days ago

> confirm which SDK

Oops, JDK I meant of course… But OpenJDK-21 on ubuntu:jammy results in the very same dex diff :man_shrugging:

d4rken commented 3 days ago

> and confirm which SDK you build with and on what OS (so we can rule out anything coming from that end)? Mine is stated above – but I can switch to e.g. ubuntu:jammy and OpenJDK-21 when needed.

https://github.com/d4rken-org/permission-pilot/blob/c66a1cf8d766ebbacb22e4ad7e8ffae866f505fa/.github/workflows/release-tag.yml#L38-L41

JDK17 on ubuntu-latest (which should be "Ubuntu 24.04" according to https://github.com/actions/runner-images)

IzzySoft commented 3 days ago

Thanks! So… wait: "adopt"? I must have missed that. Is there any reason not to use OpenJDK? Could be that Adopt deals a little differently with annotations, so this could be the cause of the differences.

d4rken commented 3 days ago

Hm not that I remember, I think I took it from a blog post about setting up runners for Android :thinking:

IzzySoft commented 3 days ago

Ah. Mind making a build with OpenJDK, attaching the APK here (just rename it to .zip so you can attach it) and mentioning the commit it was built from – so I can test whether that solves the issue before you start "really changing things"?