Build issues

[IzzySoft]

I've tried to build your app from source, using OpenJDK 17 on Debian bookworm, but the build failed:

> Task :phoneProfilesPlusExtender:compileReleaseJavaWithJavac FAILED
/build/repo/phoneProfilesPlusExtender/src/main/java/sk/henrichg/phoneprofilesplusextender/CustomACRAReportingAdministrator.java:4: error: cannot find symbol
import android.app.RemoteServiceException;
                  ^
  symbol:   class RemoteServiceException
  location: package android.app
/build/repo/phoneProfilesPlusExtender/src/main/java/sk/henrichg/phoneprofilesplusextender/CustomACRAReportingAdministrator.java:9: error: cannot find symbol
import android.os.DeadSystemRuntimeException;
                 ^
  symbol:   class DeadSystemRuntimeException
  location: package android.os
Note: Some input files use or override a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
2 errors

42 actionable tasks: 42 executed
FAILURE: Build failed with an exception.

Do you have any clue what's wrong there?

PS, while being here: your gradle wrapper lacks the JAR, maybe you could add that before the next release?

[IzzySoft]

PPS, same issue for sk.henrichg.pppputsettings

[henrichg]

android.os.DeadSystemRuntimeException

This is exception class from Android.

Is checked in PPP custom ACRA classes only for Android SDK 33+:

        if (Build.VERSION.SDK_INT >= 33) {
            if (_exception instanceof DeadSystemRuntimeException) {
                // Exit app. This restarts PPP
                System.exit(2);
                return false;
            }
        }

Maybe is for this required android.jar from (it is used used in PPP)

https://github.com/Reginer/aosp-android-jar/tree/main/android-35

Debug brach of PPP has configured compileSDK=35 (release has 34).

[henrichg]

Note: This android.jar (from reginer repo) is used also in PPPE and PPPPS. And: This jar is required also for another functionalities in PPP, PPPE, PPPPS. For this reason, use this android.jar. Without this may be not possible to build PPP, PPE, PPPPS.

[IzzySoft]

Use how? I just clone your repo and run gradle assembleRelease from the repo root. So where would that JAR be expected? It's not part of the resulting APK.

[henrichg]

Replace android.jar in your SDK, folder platforms/android-35 (for compileSdk 35), android-34 (for compileSdk 34). Warning: for compileSdk 34 you nust download android.jar from this: https://github.com/Reginer/aosp-android-jar/tree/main/android-34

[henrichg]

In my AndroidSdk/plaforms folder are downloaded SDKs from 26 to 35. :-) Downloaded using Android Studio with its "SDK manager".

[henrichg]

Warning. All 3 apps uses my own key store for release apk. Android Studio generates its own for debug build variant. Also for PPP is required passwords_key.gradle (used for encript contacts data in backup files). Both are not in GitHub, for security reason.

For encription of contacts data is used this library: implementation 'com.github.simbiose:Encryption:2.0.1'

Read: https://github.com/simbiose/Encryption

[IzzySoft]

There seems to be a misconception: reproducible builds happen in an ephemeral container, so this is not about a local installation. If it can be done within the build recipe, I could check – but then, if it's specific to the SDK version, it will break updates whenever the SDK switches to a newer version. That's impractical, as it adds quite some maintenance burden on the RB side. With a team as small as ours, we cannot do that; we'll have to leave these two apps out of the RB part then, sorry.

Signing is not an issue, as we just need the unsigned APK (basically, the signature is "copied" from your signed APK; if the build was identical, that should verify – if it does not verify, the build was not identical). So the APK generated on our side even must be unsigned for that to work.

For some background, please see: Reproducible Builds, special client support and more at IzzyOnDroid

[henrichg]

Sorry, but by me, is not possible to using Reproducible Builds. Because PPP, PPPE, PPPPS uses hidden API, for which is required special android.jar from reginer repo. For all 3 apps are released also apk file in GitHub "Releases" and each has "fastlane" folder in GitHub. In it is which version is released.

Question: old release support with "fastlane" stays active?

And not only two, but all 3 apps uses reginer andorid.jar: PhoneProfilesPlus (PPP), PhoneProfilesPlusExtender (PPPE), PPPPutSettings (PPPPS).

Exists any notification for new articles in https://android.izzysoft.de/articles.php? For example by e-mail? Or only Mastodon is supported? I do not have account in it. :-)

[henrichg]

Some questions about Reproducible Build:

1. Apk will be signed with its own key as F-Droid applications? If yes, how about apk upgrades? Because by me, will not be possible to upgrade apk with my signing key with reproducible build key.
2. Resulted apk will be with targetSdk by apk gradle file or with latest (currently 34)? Because PPP requires targetSdk 28, PPPE 27, PPPPS 22. It is due to its functionality. Newer targetSdk do not have (deprecated, not workig) functionality required. :-(

[IzzySoft]

1. APKs at IzzyOnDroid are always (built and) signed by the resp. developer (here: you). RB check here happens OTR in a separate process, where APKs are not even retained (just recipe and logs to keep the "proof"). So other than at F-Droid, if RB fails the APK will still become available – just the "shield" will be down. Plans are for the clients (Neo Store, Droid-ify) to be configurable in this regard, whether to update as soon as the APK becomes available or to wait until the shield is "up" and RB confirmed.
2. Resulted APKs will be what you make them. Our process is only to confirm your APK was built from the source you claim it was built from.

So basically, the RB process at IzzyOnDroid, running separately from the app repo itself, works like this (very simplified):

• download the APK from releases
• git clone the app repo (e.g. yours, this one here)
• exec ./gradlew assembleRelease to produce an unsigned APK
• copy the signature from the downloaded APK onto the unsigned one built
• run apksigner verify on the resulting APK. If it verifies, it's RB – otherwise not.
• destroy the ephemeral container used for the process, abandon the APKs, save recipe and logs (committed to an append-only git repository).

As I wrote, that's the simplified variant. For details you can take a look at rbtlog, which is what we use for this. Basically, F-Droid uses the same tools rbtlog uses, just their process is a little bit different.

To the previous comment: RB is not mandatory at IzzyOnDroid – so if it's really not possible for your apps, I'd simply put a note so we don't annoy you over and again, and that's it. No bad feelings.

Exists any notification for new articles in android.izzysoft.de/articles.php?

Subscribe to the RSS feed? Also available in German.

Or only Mastodon is supported? I do not have account in it. :-)

No Mastodon account needed either. It's part of the Fediverse, so any account on the Fedi should do. Or, ahem, use the RSS Feed :stuck_out_tongue_winking_eye:

[henrichg]

Now I can understand. :-)

Unfortunately, if the user in Droid-ify, NeoStore sets that he does not want apps that have not passed RB, then a huge pity for me. If Droid-ify, NeoStore will have such a feature. Yes?

[IzzySoft]

Depends on the implementation in the clients. This is something just "on the list" but IMHO not even yet through draft. I guess there could be 3 options to such a setting:

• I don't care, just install as soon as it becomes available
• only install apps which are RB and ignore all others
• for apps configured with RB, only install/update once RB was confirmed (but all others as soon as they become available)

So if the first or the last option is chosen, your apps would not be affected by this. Only those using the "strict" setting wouldn't get them then – and those will be few IMHO.

So while it would be real nice (and indeed an advantage) if RB can be established, I would not be overly concerned if it's not possible. Currently, 23.4% of the apps at IzzyOnDroid are set up with RB, and only around 10% at F-Droid (in total numbers the difference is smaller: ~300 at IzzyOnDroid versus ~400 at F-Droid). And as F-Droid (at least currently) does not distribute those details via any index, it could not even be enforced for their repo – which at least in my opinion would result in discouraging the "middle option"; "unless you know exactly what you're doing there" :stuck_out_tongue_winking_eye:

[henrichg]

OK, so the future will tell. :-)

If there is nothing else to do with this issue, please close it. Thanks.

[IzzySoft]

Right: if we cannot make it RB, there's nothing left to do here. I will then mark both apps as "not reproducible" – so I cannot forget and ask again in a year or so :wink:

Thanks again!