rumboalla / apkupdater

APKUpdater is an open source tool that simplifies the process of finding updates for your installed apps.
GNU General Public License v3.0

Reproducible Builds #566

Open IzzySoft opened 3 months ago

IzzySoft commented 3 months ago

I've checked your app if its build is reproducible (see: Reproducible builds, special client support and more in our repo), but while I was able to successfully generate the APK using ./gradlew assembleRelease, the differences to the one provided at your latest release were huge. Was that APK really built from the commit the tag points to? If so, did I miss some build options? And if not, which commit was it?

APK Diff:

-------------------------------
--- /dev/fd/63  2024-06-28 09:50:07.311351801 +0200
+++ /dev/fd/62  2024-06-28 09:50:07.311351801 +0200
@@ -1,11 +1,11 @@
   META-INF/com/android/build/gradle/app-metadata.properties
   32-bit CRC value (hex):                         3c557a5b
   assets/dexopt/baseline.prof
-  32-bit CRC value (hex):                         882c370a
+  32-bit CRC value (hex):                         32f8d6ad
   assets/dexopt/baseline.profm
-  32-bit CRC value (hex):                         e4ed06bc
+  32-bit CRC value (hex):                         2c022407
   classes.dex
-  32-bit CRC value (hex):                         d6285c69
+  32-bit CRC value (hex):                         6f38adea
   DebugProbesKt.bin
   32-bit CRC value (hex):                         d5ac4dc2

The Dex diff is really huge, almost as if it were an entirely different app, and to me indicates it's very unlikely both APKs were built from the same commit.

We'd appreciate if you could help making your build reproducible. We've prepared some hints on reproducible builds for that.

Looking forward to your reply!
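The per-entry comparison behind the APK diff above, as an added example that is not part of the original thread or of either party's tooling: it lists the ZIP entries whose CRC-32 differs between a released and a rebuilt APK, ignoring JAR signature files. The function names and the sample archives are constructed for illustration.

```python
import io
import zipfile

# JAR (v1) signature files always differ between independently signed APKs,
# so they are left out of the comparison.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def entry_crcs(apk):
    """Map entry name -> CRC-32 (8 hex digits) from the ZIP central directory."""
    with zipfile.ZipFile(apk) as zf:
        return {
            info.filename: f"{info.CRC:08x}"
            for info in zf.infolist()
            if not (info.filename.startswith("META-INF/")
                    and info.filename.endswith(SIGNATURE_SUFFIXES))
        }


def compare_apks(reference, rebuilt):
    """Return ({name: (ref_crc, rebuilt_crc)}, [names present in only one APK])."""
    ref, new = entry_crcs(reference), entry_crcs(rebuilt)
    changed = {name: (ref[name], new[name])
               for name in sorted(ref.keys() & new.keys())
               if ref[name] != new[name]}
    return changed, sorted(ref.keys() ^ new.keys())


def make_sample_apk(entries):
    """Build a constructed in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf


# Constructed sample data: entry names follow the diff above, contents are made up.
COMMON = {
    "META-INF/com/android/build/gradle/app-metadata.properties": b"version=1\n",
    "DebugProbesKt.bin": b"probes",
}
RELEASE = make_sample_apk({**COMMON, "classes.dex": b"dex-release",
    "assets/dexopt/baseline.prof": b"prof-release",
    "assets/dexopt/baseline.profm": b"profm-release", "META-INF/CERT.RSA": b"sig-a"})
REBUILD = make_sample_apk({**COMMON, "classes.dex": b"dex-rebuild",
    "assets/dexopt/baseline.prof": b"prof-rebuild",
    "assets/dexopt/baseline.profm": b"profm-rebuild", "META-INF/CERT.RSA": b"sig-b"})

if __name__ == "__main__":
    changed, one_sided = compare_apks(RELEASE, REBUILD)
    for name, (old, new) in changed.items():
        print(f"{name}\n-  {old}\n+  {new}")
```

With real files, pass the two APK paths to `compare_apks` instead of the in-memory samples.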

IzzySoft commented 3 months ago

@rumboalla you're still around?

rumboalla commented 3 months ago

I guess it's because of the R8 minifying. In any case, I'm no longer providing manual builds. Instead I let GitHub build and publish them as specified in https://github.com/rumboalla/apkupdater/blob/3.x/.github/workflows/build.yml

IzzySoft commented 3 months ago

> I guess it's because of the R8 minifying.

That could very well be. Do you exclude some classes from it? In my experience, R8 mostly works with RB (eh: R8, RB – looks too similarly spelled even) – but often breaks when something is explicitly excluded.

> Instead I let GitHub build and publish them as specified in

Could you give me a ping when the first such release is available? I'd test that again then. Thanks!

rumboalla commented 3 months ago

> > I guess it's because of the R8 minifying.
>
> That could very well be. Do you exclude some classes from it? In my experience, R8 mostly works with RB (eh: R8, RB – looks too similarly spelled even) – but often breaks when something is explicitly excluded.
>
> > Instead I let GitHub build and publish them as specified in
>
> Could you give me a ping when the first such release is available? I'd test that again then. Thanks!

All the CI releases are done this way https://github.com/rumboalla/apkupdater/releases?q=CI&expanded=true

IzzySoft commented 3 months ago

OK, then I misunderstood you. I thought you meant you were switching to that now. So the next release won't "magically fix it". Can you then please answer my question if you've set something to be excluded from R8? Oops, never mind, found it – and yes, I see a lot of keeps there. So that could be the cause here.

If you're interested in achieving reproducible builds, we could try to figure out: you could provide me an APK where R8 was turned off, and the corresponding commit. I'd then run that through my builder and report back.