Reproducible Builds #1949

Open
IzzySoft opened this issue Dec 1, 2024 · 6 comments

IzzySoft commented Dec 1, 2024

At IzzyOnDroid (where your app is listed) we support Reproducible Builds (see: Reproducible Builds, special client support and more at IzzyOnDroid). Trying for yours, we were able to successfully generate the APK using ./gradlew assembleFreeRelease (resp. ./gradlew assembleLibreRelease), but the resulting APKs were not identical:

  -rw-r--r--  0.0 unx     3508 b-     3508 stor 1981-01-01 01:01:02 b1d26c19 assets/dexopt/baseline.prof
- -rw-r--r--  0.0 unx      252 b-      252 stor 1981-01-01 01:01:02 55112c4b assets/dexopt/baseline.profm
+ -rw-r--r--  0.0 unx      254 b-      254 stor 1981-01-01 01:01:02 26df88e1 assets/dexopt/baseline.profm
  -rw-r--r--  0.0 unx  9355812 b-  3479028 defN 1981-01-01 01:01:02 4c132719 classes.dex
  -rw-r--r--  0.0 unx  7641740 b-  2896492 defN 1981-01-01 01:01:02 6cb834c5 classes2.dex
- -rw-r--r--  0.0 unx    79696 b-    40563 defN 1981-01-01 01:01:02 9a6fb01e lib/arm64-v8a/libaes.so
- -rw-r--r--  0.0 unx    38808 b-    17039 defN 1981-01-01 01:01:02 af1d6a5a lib/arm64-v8a/libargon2.so
- -rw-r--r--  0.0 unx    83536 b-    46923 defN 1981-01-01 01:01:02 be0a8d6b lib/armeabi-v7a/libaes.so
- -rw-r--r--  0.0 unx    42628 b-    23105 defN 1981-01-01 01:01:02 c1be636e lib/armeabi-v7a/libargon2.so
- -rw-r--r--  0.0 unx    87528 b-    42047 defN 1981-01-01 01:01:02 820823ce lib/x86/libaes.so
- -rw-r--r--  0.0 unx    42564 b-    19230 defN 1981-01-01 01:01:02 4ff661bc lib/x86/libargon2.so
- -rw-r--r--  0.0 unx    88160 b-    41966 defN 1981-01-01 01:01:02 01e0295e lib/x86_64/libaes.so
- -rw-r--r--  0.0 unx    43176 b-    18342 defN 1981-01-01 01:01:02 73ba3fbc lib/x86_64/libargon2.so
+ -rw-r--r--  0.0 unx   198536 b-    77628 defN 1981-01-01 01:01:02 35df9275 lib/arm64-v8a/libaes.so
+ -rw-r--r--  0.0 unx   175160 b-    57212 defN 1981-01-01 01:01:02 3c559bed lib/arm64-v8a/libargon2.so
+ -rw-r--r--  0.0 unx   277088 b-   112758 defN 1981-01-01 01:01:02 124fd0fe lib/armeabi-v7a/libaes.so
+ -rw-r--r--  0.0 unx   259372 b-    95640 defN 1981-01-01 01:01:02 3633c1a3 lib/armeabi-v7a/libargon2.so
+ -rw-r--r--  0.0 unx   197572 b-    81573 defN 1981-01-01 01:01:02 513323e2 lib/x86/libaes.so
+ -rw-r--r--  0.0 unx   143008 b-    55361 defN 1981-01-01 01:01:02 6a3f570d lib/x86/libargon2.so
+ -rw-r--r--  0.0 unx   205144 b-    79780 defN 1981-01-01 01:01:02 08fab0cd lib/x86_64/libaes.so
+ -rw-r--r--  0.0 unx   172680 b-    58658 defN 1981-01-01 01:01:02 4892520e lib/x86_64/libargon2.so
  -rw-r--r--  0.0 unx   169464 b-    85736 defN 1981-01-01 01:01:02 836d0acd assets/fonts/FiraMono-Regular.ttf

As you can see, it's mostly the *.so files that differ – massively at that: in our build they are more than twice as large as in yours. A deeper look reveals that in our build they contain a lot of debug code. So obviously we're missing some build setting. I could not find any build instructions here – so may I ask for some guidance with this issue?

We'd appreciate it if you could help make your build reproducible. We've also prepared some hints on reproducible builds for that.

Looking forward to your reply!
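
An added example, not part of the original issue or of either project's tooling: a Python comparison of two APKs entry by entry (name, uncompressed size, CRC-32), which is the information a listing like the one above is built from, plus a check for native libraries that at least doubled in size. The sample archives are constructed in memory and all function names are assumptions.

```python
import io
import zipfile

def entry_index(apk_bytes):
    """Map entry name -> (uncompressed size, CRC-32) for one APK/ZIP."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: (i.file_size, i.CRC) for i in zf.infolist()}

def diff_apks(reference, rebuilt):
    """Return sorted (name, status, ref_size, new_size) for entries that differ."""
    ref, new = entry_index(reference), entry_index(rebuilt)
    out = []
    for name in sorted(ref.keys() | new.keys()):
        a, b = ref.get(name), new.get(name)
        if a == b:
            continue
        status = "missing" if b is None else "extra" if a is None else "changed"
        out.append((name, status, a[0] if a else None, b[0] if b else None))
    return out

def suspicious_native_libs(diffs, factor=2.0):
    """Changed .so entries whose rebuilt size is >= factor x the reference size,
    the pattern that pointed at debug code in the rebuilt libraries above."""
    return [n for n, s, a, b in diffs
            if s == "changed" and n.endswith(".so") and a and b >= factor * a]

def make_apk(entries):
    """Build a constructed in-memory ZIP with fixed timestamps (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, (1981, 1, 1, 1, 1, 2)), data)
    return buf.getvalue()

# Constructed sample data, not the real KeePassDX APKs.
REFERENCE = make_apk({"classes.dex": b"dex" * 100,
                      "lib/arm64-v8a/libaes.so": b"\x7fELF" + b"c" * 400,
                      "assets/dexopt/baseline.profm": b"p" * 252})
REBUILT = make_apk({"classes.dex": b"dex" * 100,
                    "lib/arm64-v8a/libaes.so": b"\x7fELF" + b"c" * 400 + b"d" * 600,
                    "assets/dexopt/baseline.profm": b"q" * 254})

if __name__ == "__main__":
    diffs = diff_apks(REFERENCE, REBUILT)
    for name, status, a, b in diffs:
        print(f"{status:8} {name}: {a} -> {b} bytes")
    print("check for debug info:", suspicious_native_libs(diffs))
```

An empty result from `diff_apks` means every entry matches by content; signing blocks and ZIP metadata such as entry order and alignment are outside what this comparison covers.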

Author

IzzySoft commented Dec 7, 2024

Any chance you could tell me how you run the build?

Member

J-Jamet commented Dec 8, 2024

I simply use the associated fastlane command with storepass and keypass parameters https://github.com/Kunzisoft/KeePassDX/blob/master/fastlane/Fastfile :

bundle exec fastlane android build_release storefile:"keystore.jks"

Author

IzzySoft commented Dec 8, 2024

> bundle exec

Gnaaaa… OK, to my knowledge, that will never be RB (if it does what it suggests: generating the APK via AAB). Can you switch to ./gradlew assembleLibreRelease (resp. ./gradlew assembleFreeRelease)? If that's an option for your workflow, I'll gladly test your APK generated that way (from a clean tree at a commit you specify) before you apply any changes to the repo itself.

Member

J-Jamet commented Dec 8, 2024

The Fastfile script uses fastlane's gradle() method, which already uses gradlew in the background.

Member

J-Jamet commented Dec 8, 2024

bundle exec is a standard Ruby command that can be used to run fastlane operations through the Fastfile script.

Author

IzzySoft commented Dec 8, 2024

Ah, OK – then the bundle misled me, assuming it uses Android App Bundles (AABs). Not sure what Fastlane's gradle does there as I see neither assemble nor bundle being passed to it. If you'd build one as I describe above, I could verify that. If it's RB and "the other" (via bundle exec) is not, we can still dig in.
