Example of a reproducible-built gradle-based app

#1

Hello,

I’d like to release one of my apps as free software but while doing so I’d like to experiment with reproducible builds for signing the app with my own developer key (also utilizing v2 signing scheme to rotate the old, insecure signing key).

I’ve read https://f-droid.org/en/docs/Reproducible_Builds/ and it’s good but a little bit too high-level.

Is there an example of a reproducibly built app utilizing gradle I could examine?

If I’d like to check if it works would I have to run fdroidserver and/or verification server locally?

Thanks a lot for your help!

Kind regards,
Wiktor

#2

Check out Briar, Öffi, Bitcoin Wallet, and F-Droid itself!

#3

Excellent pointers! Exactly what I was looking for.

If I can ask one more question, it seems that on the verification server artifacts with names starting with “org.fdroid.fdroid” don’t have “.verified.txt” files. Bitcoin Wallet on the other hand has one. Does that mean that fdroid is not built reproducibly or I’m looking at the wrong data?

Thanks in advance!

#4

org.fdroid.fdroid was not reproducible for a while due to a bug in the
Gradle Android Plugin. I then added the Briar disorderfs workaround, so
they are now again reproducible:
https://verification.f-droid.org/org.fdroid.fdroid_1005150.apk.json
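As an added example, not from this thread or the F-Droid project: a small Python check of the kind the verification server's JSON result summarises, comparing a local unsigned build against a published signed APK while ignoring only the v1 signature entries, and also reporting whether the archive entry order differs (the file-ordering nondeterminism the disorderfs workaround mentioned above addresses). The `build_sample_apk` helper and `SAMPLE_ENTRIES` are constructed stand-ins for real APKs.

```python
import hashlib
import io
import zipfile

# v1 (JAR) signature entries: the only files expected to differ between an
# unsigned local build and the signed, published APK.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signature_entry(name):
    return name.startswith("META-INF/") and name.endswith(SIG_SUFFIXES)

def entry_digests(apk_bytes):
    """[(name, sha256)] for every non-signature entry, in archive order."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [(i.filename, hashlib.sha256(zf.read(i)).hexdigest())
                for i in zf.infolist() if not is_signature_entry(i.filename)]

def compare_apks(local_bytes, published_bytes):
    """Content-level check: differing entries, one-sided entries, and whether
    the archive order differs. A byte-for-byte comparison would be stricter."""
    local, published = entry_digests(local_bytes), entry_digests(published_bytes)
    lmap, pmap = dict(local), dict(published)
    common = set(lmap) & set(pmap)
    result = {
        "content_mismatch": sorted(n for n in common if lmap[n] != pmap[n]),
        "only_local": sorted(set(lmap) - set(pmap)),
        "only_published": sorted(set(pmap) - set(lmap)),
        "order_differs": [n for n, _ in local] != [n for n, _ in published],
    }
    result["reproducible"] = not any(result.values())
    return result

def build_sample_apk(entries, signed):
    """Constructed stand-in for an APK (not a real Android build): a zip of the
    given (name, bytes) entries plus placeholder v1 signature files if signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
        if signed:  # placeholder v1 signature files, not a real signature
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7-blob")
    return buf.getvalue()

# Constructed sample content shared by the "local" and "published" archives.
SAMPLE_ENTRIES = [("AndroidManifest.xml", b"<manifest/>"),
                  ("classes.dex", b"dex\n035\x00"),
                  ("res/layout/main.xml", b"<LinearLayout/>")]
```

A result with only `order_differs` set points at build-order nondeterminism rather than differing content, which is the case disorderfs is used to pin down.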

#5

Okay, got it. Thanks a lot for your time!
