Re: [tor-bugs] #31564 [Applications/Tor Browser]: Android bundles based on ESR 68 are not built reproducibly anymore
#31564: Android bundles based on ESR 68 are not built reproducibly anymore
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-9.0-must-alpha, TorBrowserTeam201909R, GeorgKoppen201909 | Actual Points:
Parent ID: #30324 | Points: 5
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by boklm):
Replying to [comment:26 sisbell]:
> When re-zipping the file, I was getting some zip entry extra field flags
> that would change each build. I'm not exactly sure what the extra field
> info was as it's platform specific and not standard fields like timestamp.
> I removed these using the -X option. After that, multiple builds of the
> apk result in the same checksum. I'll need someone to verify that the
> checksum matches across different build machine OSes.
That's probably not enough to make it reproducible on multiple machines
as the order in which files are included in the zip might be different.
You can fix it with:
{{{
diff --git a/projects/tor-browser/build.android b/projects/tor-
browser/build.android
index f93e46d..f621a83 100644
--- a/projects/tor-browser/build.android
+++ b/projects/tor-browser/build.android
@@ -44,8 +44,10 @@ java -jar $apktool b -o $resfix decompiled
# Fix timestamps and remove extra field info from zip entries
unzip $resfix -d tmp
cd tmp
-find . -exec [% c("var/touch") %] {} \;
-zip -rX $resfix .
+[% c('zip', {
+ zip_src => [ '.' ],
+ zip_args => '$resfix',
+ }) %]
# Sign a QA build. This apk is not a debug version and doesn't contain a
debug flag in the manifest
java -jar /usr/share/apksigner/apksigner.jar sign --verbose --min-sdk-
version [% c("var/android_min_api") %] --ks $rootdir/android-qa.keystore
--out $qa_apk --in $resfix --ks-key-alias androidqakey --key-pass
pass:android --ks-pass pass:android
}}}
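Review bot: In the replacement for `zip -rX $resfix .`, the archive is still written to `$resfix`, which already exists at that point because `unzip $resfix -d tmp` only reads it. If the zip template runs Info-ZIP `zip`, an existing target is updated in place rather than recreated, so entries written by apktool can keep their position and metadata, and the output would not depend only on the sorted input. Consider removing `$resfix` before this call or writing to a fresh file name. The context comment "Fix timestamps and remove extra field info from zip entries" should also mention entry order, since that is the reason given for switching to the template.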
Also do we really need a separate `$resfix` file, or could we just
overwrite the `$apk`?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31564#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
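The ordering problem boklm describes above, as an added example that is not part of the original message or of the Tor Browser build scripts: it builds the same constructed file set in two enumeration orders, once naively and once with sorted names, a fixed timestamp and no extra fields. All function names, the sample files and the fixed date are assumptions made for illustration.

```python
import calendar
import io
import struct
import zipfile

FIXED_DATE = (2000, 1, 1, 0, 0, 0)  # assumed constant; any fixed value works


def _build(entries, date_time, extra=b""):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3               # pin "Unix" regardless of host OS
            info.external_attr = 0o100644 << 16  # fixed file mode
            info.extra = extra
            zf.writestr(info, data)
    return buf.getvalue()


def naive_zip(files, mtime):
    """Caller's entry order, build-time mtime, and a 0x5455 extended-timestamp
    extra field of the kind Info-ZIP adds on Unix unless -X is given."""
    extra = struct.pack("<HHBI", 0x5455, 5, 1, calendar.timegm(mtime))
    return _build(files, mtime, extra)


def deterministic_zip(files):
    """Sorted names (byte order, locale-independent), fixed date, no extras."""
    return _build(sorted(files), FIXED_DATE)


def entry_metadata(archive):
    """Per-entry fields worth diffing when two builds disagree."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(i.filename, i.date_time, i.extra.hex()) for i in zf.infolist()]


# Constructed sample: the same files as two machines might enumerate them.
MACHINE_A = [("classes.dex", b"dex"), ("AndroidManifest.xml", b"<m/>"),
             ("res/a.png", b"png")]
MACHINE_B = [MACHINE_A[2], MACHINE_A[0], MACHINE_A[1]]

if __name__ == "__main__":
    t = (2019, 9, 1, 10, 0, 2)
    print("naive equal:", naive_zip(MACHINE_A, t) == naive_zip(MACHINE_B, t))
    print("deterministic equal:", deterministic_zip(MACHINE_A) == deterministic_zip(MACHINE_B))
```

Running `entry_metadata` on two real APKs from different build machines shows whether they diverge in entry order, timestamps or extra fields before comparing checksums.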