Reproducible Builds

[IzzySoft]

At IzzyOnDroid we support Reproducible Builds (see: Reproducible Builds, special client support and more at IzzyOnDroid). Trying for yours, I was able to successfully generate the APK using ./gradlew assembleFossRelease, but the resulting APKs were not identical. One culprit is an embedded build timestamp – but even if I "override" that (using sed to replace ${buildtime()} with the timestamp from your APK), there are differences in classes.dex remaining, see contents of
diff.zip. The essential parts are:

-  VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Leu/darken/myperm/common/lists/differ/AsyncDiffer$callback$1;" }
+  VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Leu/darken/myperm/common/lists/differ/AsyncDiffer$callback$1<" "TA;TT;>;" }

-  VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Leu/darken/myperm/common/viewbinding/ViewBindingProperty$onDestroyObserver$1;" }
+  VISIBILITY_SYSTEM Ldalvik/annotation/Signature; value={ "Leu/darken/myperm/common/viewbinding/ViewBindingProperty$onDestroyObserver$1<" "TComponentT;TBindingT;>;" }

(- is your APK, + is the one I built). In case it's relevant: the build here happened on Debian bookworm with OpenJDK 17.

I hope you have an idea where that difference comes from, and how it can be avoided? Also, could the buildtime() be replaced by something reproducible (e.g. commit count, commit hash, time of the last commit) or skipped altogether?

We'd appreciate if you could help making your build reproducible. We've prepared some hints on reproducible builds for that.

Thanks in advance – and looking forward to your reply!

[d4rken]

I can change the build-time being included, but I have no idea where the other differences come from. Don't have time to look into that either, sorry.

[IzzySoft]

Fair enough Matthias – thanks! So maybe fix that build-time thingy, and confirm which SDK you build with and on what OS (so we can rule out anything coming from that end)? Mine is stated above – but I can switch to e.g. ubuntu:jammy and OpenJDK-21 when needed.

[IzzySoft]

confirm which SDK

Oops, JDK I meant of course… But OpenJDK-21 on ubuntu:jammy results in the very same dex diff 🤷‍♂️

[d4rken]

and confirm which SDK you build with and on what OS (so we can rule out anything coming from that end)? Mine is stated above – but I can switch to e.g. ubuntu:jammy and OpenJDK-21 when needed.

permission-pilot/.github/workflows/release-tag.yml

Lines 38 to 41 in c66a1cf

	uses: actions/setup-java@v3
	with:
	distribution: 'adopt'
	java-version: 17

JDK17 on ubuntu-latest (which should be "Ubuntu 24.04" according to https://github.com/actions/runner-images)

[IzzySoft]

Thanks! So… wait: "adopt"? I must have missed that. Is there any reason not to use OpenJDK? Could be that Adopt deals a little different with annotations, so this could be the cause of the differences.

[d4rken]

Hm not that I remember, I think I took it from a blog post about setting up runners for Android 🤔

[IzzySoft]

Ah. Mind to make a build with OpenJDK, attach the APK here (just rename it to .zip so you can attach it) and mention the commit it was built from – so I test if that solves the issue before you start "really changing things"?