Example of a reproducible-built gradle-based app

wiktor-k · February 28, 2019, 11:25am

Hello,

I’d like to release one of my apps as free software but while doing so I’d like to experiment with reproducible builds for signing the app with my own developer key (also utilizing v2 signing scheme to rotate the old, insecure signing key).

I’ve read Reproducible Builds | F-Droid - Free and Open Source Android App Repository and it’s good but a little bit to high-level.

Is there an example of a reproducibly built app utilizing gradle I could examine?

If I’d like to check if it works would I have to run fdroidserver and/or verification server locally?

Thanks a lot for your help!

Kind regards,
Wiktor

hans · February 28, 2019, 10:55pm

Check out Briar, Öffi, Bitcoin Wallet, and F-Droid itself!

wiktor-k · March 1, 2019, 9:29am

Excellent pointers! Exactly what I was looking for.

If I can ask one more question, it seems that on the verification server artifacts with names starting with “org.fdroid.fdroid” don’t have “.verified.txt” files. Bitcoin Wallet on the other hand has one. Does that mean that fdroid is not built reproducibly or I’m looking at the wrong data?

Thanks in advance!

hans · March 1, 2019, 9:55am

org.fdroid.fdroid was not reproducible for a while due to a bug in the
Gradle Android Plugin. I then added the Briar disorderfs workaround, so
they are now again reproducible:
https://verification.f-droid.org/org.fdroid.fdroid_1005150.apk.json

wiktor-k · March 1, 2019, 10:10am

Okay, got it. Thanks a lot for your time!

system · April 30, 2019, 10:24am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.