Reproducible Builds #350

Open
IzzySoft opened this issue Aug 4, 2024 · 4 comments

IzzySoft commented Aug 4, 2024

I've checked your app if its build is reproducible (see: Reproducible builds, special client support and more in our repo), but while I was able to successfully generate the APK using ./gradlew assembleRelease, the APKs were not identical.

APK diff:

-------------------------------
--- /dev/fd/63  2024-07-09 09:26:42.925466170 +0200
+++ /dev/fd/62  2024-07-09 09:26:42.925466170 +0200
@@ -191,7 +191,7 @@
   kotlin/reflect/reflect.kotlin_builtins
   32-bit CRC value (hex):                         852a0981
   AndroidManifest.xml
-  32-bit CRC value (hex):                         d2f856b4
+  32-bit CRC value (hex):                         1a2c789d
   res/-8.xml
   32-bit CRC value (hex):                         fd8539fe
   res/-F.xml
@@ -2362,9 +2362,3 @@
   32-bit CRC value (hex):                         88b2a3b0
   resources.arsc
   32-bit CRC value (hex):                         7df0e936

Differences seem to be in the AndroidManifest.xml, so let's look at those:

             A: http://schemas.android.com/apk/res/android:name(0x01010003)="com.bugsnag.android.BUILD_UUID" (Raw: "com.bugsnag.android.BUILD_UUID")
-            A: http://schemas.android.com/apk/res/android:value(0x01010024)="06c71b04-9f59-465a-908c-4beb03b8b018" (Raw: "06c71b04-9f59-465a-908c-4beb03b8b018")
+            A: http://schemas.android.com/apk/res/android:value(0x01010024)="7081aa8d-7e6d-4b68-8a93-fe0727e0fd48" (Raw: "7081aa8d-7e6d-4b68-8a93-fe0727e0fd48")

Looks like that's the non-deterministic BUILD_UUID of Bugsnag. And it seems that Bugsnag has an alternative for that:

should be ok to use reproducible sha256 instead of UUID.

Could you please look into that? We'd appreciate if you could help making your build reproducible. We've also prepared some hints on reproducible builds for that – though those do not include this Bugsnag thingy. So if you could confirm the alternative, and let us know how to achieve it, that might even help others and we could add it to those hints.

Thanks in advance – and looking forward to your reply!

@IzzySoft
Author

@ofalvai any word?

@ofalvai
Owner

ofalvai commented Aug 14, 2024

I have not forgotten this, I'll get back to this soon! It totally makes sense and seems doable

@IzzySoft
Author

Thanks! Then I resist from further pings at least for a few weeks, hoping you ring my bell earlier 😉

@obfusk

obfusk commented Aug 24, 2024

FairEmail makes its embedded UUID deterministic using manifestPlaceholders and a deterministic UUID that's generated from the version code:

manifestPlaceholders.build_uuid = UUID.nameUUIDFromBytes(("github" + getVersionCode() + getRevision()).getBytes()).toString();

https://github.com/M66B/FairEmail/blob/9386f1380769553815cebaa634022e086f6f2c9d/app/build.gradle#L207

        <meta-data
            android:name="com.bugsnag.android.BUILD_UUID"
            android:value="${build_uuid}" />

https://github.com/M66B/FairEmail/blob/9386f1380769553815cebaa634022e086f6f2c9d/app/src/main/AndroidManifest.xml#L159-L161
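An added example, not code from this thread or from either project: it reproduces the per-entry CRC comparison from the APK diff in the first comment and shows that a random BUILD_UUID makes only AndroidManifest.xml differ between two builds, while a name-based UUID of the kind used in the FairEmail line above makes them match. The function names, the plain-text manifest, the other archive entries and the name input `github42a` (version code 42, revision "a") are constructed for illustration.

```python
import hashlib
import io
import uuid
import zipfile

FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # constant entry timestamp for every build


def name_uuid(name: bytes) -> str:
    """Type-3 UUID from MD5(name) without a namespace, as Java's
    UUID.nameUUIDFromBytes computes it."""
    return str(uuid.UUID(bytes=hashlib.md5(name).digest(), version=3))


def build_apk(build_uuid: str) -> bytes:
    """Constructed stand-in for an APK: a ZIP whose manifest embeds the UUID.
    Real manifests are binary XML; plain text is enough to change the CRC."""
    manifest = (
        '<meta-data android:name="com.bugsnag.android.BUILD_UUID" '
        f'android:value="{build_uuid}" />\n'
    )
    entries = {
        "AndroidManifest.xml": manifest.encode(),
        "classes.dex": b"constructed dex bytes",
        "resources.arsc": b"constructed resource table",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=FIXED_TIME), data)
    return buf.getvalue()


def crc_table(apk: bytes) -> dict:
    """Entry name -> CRC-32 (hex), the values the diff in the issue compares."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {info.filename: f"{info.CRC:08x}" for info in zf.infolist()}


def differing_entries(apk_a: bytes, apk_b: bytes) -> list:
    """Names of entries that are missing on one side or whose CRCs differ."""
    a, b = crc_table(apk_a), crc_table(apk_b)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def rebuild_pair(make_uuid) -> tuple:
    """Simulate the upstream build and an independent rebuild."""
    return build_apk(make_uuid()), build_apk(make_uuid())


if __name__ == "__main__":
    print(differing_entries(*rebuild_pair(lambda: str(uuid.uuid4()))))
    print(differing_entries(*rebuild_pair(lambda: name_uuid(b"github42a"))))
```

Only the archive contents are compared here; signing blocks and entry order are outside what this check covers.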
