sweakpl / qralarm-android

QRAlarm is an Android alarm clock application that lets the user turn off alarms by scanning the QR Code.
GNU General Public License v3.0
121 stars 11 forks

Reproducible Builds #46

Open IzzySoft opened 2 months ago

IzzySoft commented 2 months ago

At IzzyOnDroid we support Reproducible Builds (see: Reproducible Builds, special client support and more in our repo). Trying for yours, I was able to successfully generate the APK using ./gradlew assembleRelease, but the resulting APKs were not identical. Was that APK really built from a clean tree at the commit the tag points to? If so, did I miss some build options? And if not, which commit was it? The APK diff is rather huge, here's the "head" of it:

--- /dev/fd/63  2024-07-11 16:17:45.952082322 +0200
+++ /dev/fd/62  2024-07-11 16:17:45.952082322 +0200
@@ -3,19 +3,27 @@
   META-INF/version-control-info.textproto
   32-bit CRC value (hex):                         54032ee8
   assets/dexopt/baseline.prof
-  32-bit CRC value (hex):                         5717ec58
+  32-bit CRC value (hex):                         d9484328
   assets/dexopt/baseline.profm
-  32-bit CRC value (hex):                         6e6f7f40
+  32-bit CRC value (hex):                         494da893
   classes.dex
-  32-bit CRC value (hex):                         ffd0e0df
+  32-bit CRC value (hex):                         16fa3f3f
   classes2.dex
   32-bit CRC value (hex):                         93669005
+  lib/arm64-v8a/libdatastore_shared_counter.so
+  32-bit CRC value (hex):                         4f56ac38
+  lib/armeabi-v7a/libdatastore_shared_counter.so
+  32-bit CRC value (hex):                         ffa6438b
+  lib/x86/libdatastore_shared_counter.so
+  32-bit CRC value (hex):                         db8d550b
+  lib/x86_64/libdatastore_shared_counter.so
+  32-bit CRC value (hex):                         54a56b50
   DebugProbesKt.bin
   32-bit CRC value (hex):                         d5ac4dc2
-  META-INF/services/N3.w
-  32-bit CRC value (hex):                         f7888b5c
-  META-INF/services/O3.a
-  32-bit CRC value (hex):                         f5ce3505
+  META-INF/services/Q3.w
+  32-bit CRC value (hex):                         e3a2b728
+  META-INF/services/R3.a
+  32-bit CRC value (hex):                         c88fe4eb
   kotlin-tooling-metadata.json
   32-bit CRC value (hex):                         89b4e17d
   kotlin/annotation/annotation.kotlin_builtins
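Review bot: META-INF/version-control-info.textproto carries the same CRC (54032ee8) on both sides while classes.dex, both baseline profiles and the four added lib/*/libdatastore_shared_counter.so entries differ, so both APKs record the same VCS state yet were not built from the same dependency set; the renamed META-INF/services/N3.w → Q3.w and O3.a → R3.a entries point the same way, since such minifier-assigned names shift whenever the class set changes. Suggest confirming the revision in that textproto matches the tag and that the release was built from a clean tree before comparing again.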
@@ -65,7 +73,7 @@
...

Also strange that the APK I've built from the tagged commit has several *.so files missing in the APK attached to the release.

We'd appreciate it if you could help make your build reproducible. We've prepared some hints on reproducible builds for that.

Looking forward to your reply!

cc @obfusk

obfusk commented 2 months ago

Also strange that the APK I've built from the tagged commit has several *.so files missing in the APK attached to the release.

Looks like the APK was built before the datastore-preferences downgrade in 25992318c4e0107f97f7e894c89f9de5524b33c9?

sweakpl commented 2 months ago

Yes, that's probably right. First I've built and released the APK and later built the AAB and encountered this problem: https://issuetracker.google.com/issues/342671895

IzzySoft commented 2 months ago

Could you provide an APK built from a clean tree at the commit the latest tag points to? You can attach it to a comment here (simply rename it to *.zip – please do not put the APK into another zip). Then we could check if we can reproduce that, or if there might be other issues. Thanks in advance!

IzzySoft commented 1 week ago

I see there's a new release out, so I've tried it. But oh, what did you build that from? According to META-INF/version-control-info.textproto from a commit with the hash 2ea3e91d2e3ed2f017b965401ba7659757d6afb2 – that doesn't even exist here. First basic rule from our above linked hints on reproducible builds: always build the APK from a clean tree at the commit the tag points to. So: no chance to make 1.7.1 RB unfortunately :cry: Can we hope for a follow-up release respecting that rule? :pray:
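As an added example (not code from the QRAlarm project or from anyone in this thread), a small Python check that does the same entry-by-entry CRC-32 comparison the diff above shows and pulls the commit hash recorded in META-INF/version-control-info.textproto; the `revision: "..."` layout of that file and the in-memory sample APKs are assumptions and constructed fixtures, not artifacts from the release.

```python
import io
import re
import zipfile

VCS_ENTRY = "META-INF/version-control-info.textproto"

def entry_crcs(apk_bytes):
    """Map every zip entry name to its stored CRC-32, formatted like the diff above."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: f"{info.CRC:08x}" for info in zf.infolist()}

def diff_apks(apk_a, apk_b):
    """Report entries present on only one side and entries whose CRC differs."""
    crc_a, crc_b = entry_crcs(apk_a), entry_crcs(apk_b)
    return {
        "only_in_a": sorted(set(crc_a) - set(crc_b)),
        "only_in_b": sorted(set(crc_b) - set(crc_a)),
        "changed": sorted(n for n in crc_a.keys() & crc_b.keys() if crc_a[n] != crc_b[n]),
    }

def recorded_commit(apk_bytes):
    """Return the 40-hex revision found in version-control-info.textproto, or None.
    The 'revision: "<sha>"' field layout is an assumption about the textproto format."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if VCS_ENTRY not in zf.namelist():
            return None
        text = zf.read(VCS_ENTRY).decode("utf-8")
    match = re.search(r'revision:\s*"([0-9a-f]{40})"', text)
    return match.group(1) if match else None

def make_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed fixtures: a placeholder commit id, not a real hash from the repo.
FAKE_REVISION = "0123456789abcdef0123456789abcdef01234567"
VCS_TEXT = f'repositories {{\n  system: GIT\n  revision: "{FAKE_REVISION}"\n}}\n'
LOCAL_BUILD = make_apk({VCS_ENTRY: VCS_TEXT, "classes.dex": b"dex-v1", "DebugProbesKt.bin": b"probes"})
RELEASE_BUILD = make_apk({VCS_ENTRY: VCS_TEXT, "classes.dex": b"dex-v2", "DebugProbesKt.bin": b"probes",
                          "lib/arm64-v8a/libdatastore_shared_counter.so": b"elf"})

if __name__ == "__main__":
    # Same recorded commit on both sides, yet different contents: the situation in the thread.
    print(diff_apks(LOCAL_BUILD, RELEASE_BUILD))
    print(recorded_commit(RELEASE_BUILD))
```

On real files, read each APK with `open(path, "rb").read()` and compare the returned revision with `git rev-parse <tag>` in the repository.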