How can I prevent version-control-info.textproto from being included in my APK?

When building an APK with Android Studio, the file version-control-info.textproto is automatically embedded. This file contains Git metadata, such as the commit hash (e.g., 9b90ebd). If I later commit the APK, there is a discrepancy: the APK internally references the old commit, while the APK itself gets a new hash (e.g., f1c412e).

Issues:

  • Unnecessary Git information in the APK.
  • Inconsistent commit references.
  • Potential privacy concerns.

Question: How can I prevent this file from being included in the APK? Is there a simple solution via build.gradle or Android Studio settings?

Is there a guide on how to configure Android Studio or a description of how to solve the problem? Everyone who uses Android Studio should have this problem, right?

Output from the f-droid build process:

==== detail begin ====
signature copying failed: Unsupported create_version
Comparing reference APK to unsigned APK...
Unexpected diff output:
diff -r /tmp/tmp9qg9q1ba/tmp_binaries_de.mepi0011.openinghoursmanager_10000.binary/content/META-INF/version-control-info.textproto /tmp/tmp9qg9q1ba/tmp_de.mepi0011.openinghoursmanager_10000/content/META-INF/version-control-info.textproto
4c4
< revision: “81b22f15981d090c1c201e308422602613e60155”
---
> revision: “309b8fae3b92d49c2dad907ec1606157b1c5ccea”
==== detail end ====

Thanks for your help!

How is this unnecessary if it attests the used commit?

It’s not true, if you did not commit yet… the info tells you this.

It’s an open source app, what privacy does “exact commit” break?

The answer is simple: build from the right commit. If it’s not committed, do it, then build. Easy.

Yes, you can disable it… https://developer.android.com/reference/tools/gradle-api/9.0/com/android/build/api/dsl/VcsInfo

Can you please explain that in more detail? This is the first time I’ve created an app and am trying to make it available to everyone. This is all new to me and I’ve been trying to find a solution for three days. In total, I’ve probably spent more than 15 hours trying to find a potential solution to pass the build process check. I’m about to give up. How do I proceed so that my commit is correctly replicated and accepted by the F-Droid build system? Please support me.

Please note that English is not my native language.

The chapter “VCS Info” on the following page describes my error, and I don’t understand how to fix it!

Extract from chapter VCS info:

VCS Info

Since Android Gradle Plugin 8.3, VCS info is generated by default and bundled in the apk in META-INF/version-control-info.textproto, e.g.

repositories {
  system: GIT
  local_root_path: "$PROJECT_DIR"
  revision: "3a443877cd53e37d85cbc52adc8cfd558919d373"
}

While we understand that developers build and test during their normal workflow, please upload release APKs built after tagging, from a clean tree at the actual tagged commit (i.e. without local changes or remaining artefacts from previous builds). Only in exceptional cases, when you cannot do this, should vcsInfo be disabled (as this might otherwise cause problems), which can be done as follows:

    buildTypes {
        release {
           vcsInfo.include false
        }
    }

While we understand that developers build and test during their normal workflow, please upload release APKs built after tagging, from the actual tagged commit.

We are lost in translation :slight_smile:

What is unclear from “build at the tagged commit”?

My problem is that the file version-control-info.textproto always refers to the previous commit.

Example:
I made minor changes to the source code and committed them (c87ef99). Then I built the APK and committed it (5a7f8df).

Overview of the git log:

* 5a7f8df - (1 hours ago) Build new Version 1.0 (HEAD -> master / origin/master / tag v1.0)
* c87ef99 - (1 hours ago) some smal changes

The file version-control-info.textproto in the APK of version 1.0 (commit 5a7f8df is built from the previous commit c87ef99, because first I can build, then commit and push) looks like:

repositories {
  system: GIT
  local_root_path: "$PROJECT_DIR"
  revision: "c87ef999eed86cfa00ccbb0d4b0333e2d2506306"
}

When the F-Droid builder downloads the tag v1.0 commit (5a7f8df) and builds it, it will get the result:

repositories {
  system: GIT
  local_root_path: "$PROJECT_DIR"
  revision: "5a7f8df81802dec8824b7b6a6724fcbb738f57a9"
}

This means that the build is not equal and an error is displayed.

==== detail begin ====
signature copying failed: Unsupported create_version
Comparing reference APK to unsigned APK...
Unexpected diff output:
diff -r /tmp/tmp9qg9q1ba/tmp_binaries_de.mepi0011.openinghoursmanager_10000.binary/content/META-INF/version-control-info.textproto /tmp/tmp9qg9q1ba/tmp_de.mepi0011.openinghoursmanager_10000/content/META-INF/version-control-info.textproto
4c4
< revision: “5a7f8df81802dec8824b7b6a6724fcbb738f57a9”
---
> revision: “c87ef999eed86cfa00ccbb0d4b0333e2d2506306”
==== detail end ====

How can I solve this problem correctly?
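A pre-upload check for the mismatch described in this thread, as an added example that is not part of any post or of F-Droid's tooling: it reads META-INF/version-control-info.textproto from an APK and compares the recorded revision with the commit the release tag points to. The function names and the in-memory sample APKs are constructed for illustration; the two hashes are the ones quoted in the post above.

```python
import io
import re
import zipfile

VCS_INFO = "META-INF/version-control-info.textproto"
REVISION_RE = re.compile(r'^\s*revision:\s*"([0-9a-fA-F]{7,64})"\s*$', re.MULTILINE)


def embedded_revision(apk):
    """Return the Git revision recorded in the APK, or None if the file is absent
    (for example because vcsInfo.include is false). `apk` is a path or file object."""
    with zipfile.ZipFile(apk) as zf:
        try:
            text = zf.read(VCS_INFO).decode("utf-8")
        except KeyError:
            return None
    match = REVISION_RE.search(text)
    if match is None:
        raise ValueError(f"{VCS_INFO} has no revision field")
    return match.group(1).lower()


def check_release(apk, tagged_commit):
    """Classify an APK against the commit the release tag points to.
    Returns 'absent', 'match' or 'mismatch'; abbreviated hashes are accepted."""
    recorded = embedded_revision(apk)
    if recorded is None:
        return "absent"
    tagged = tagged_commit.lower()
    return "match" if recorded.startswith(tagged) else "mismatch"


def make_sample_apk(revision):
    """Constructed stand-in for an APK: a ZIP with an empty manifest entry and,
    unless revision is None, the VCS info entry in the format shown in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")
        if revision is not None:
            zf.writestr(VCS_INFO, 'repositories {\n  system: GIT\n'
                        '  local_root_path: "$PROJECT_DIR"\n'
                        f'  revision: "{revision}"\n}}\n')
    buf.seek(0)
    return buf


# Hashes from the thread: the APK was built at c87ef99, the tag v1.0 is 5a7f8df.
BUILT_FROM = "c87ef999eed86cfa00ccbb0d4b0333e2d2506306"
TAGGED = "5a7f8df81802dec8824b7b6a6724fcbb738f57a9"

if __name__ == "__main__":
    uploaded = make_sample_apk(BUILT_FROM)
    print("recorded revision:", embedded_revision(uploaded))
    print("against tag v1.0 :", check_release(uploaded, TAGGED))
    print("vcsInfo disabled :", check_release(make_sample_apk(None), TAGGED))
```

Run against a real release APK by passing its path and the output of `git rev-parse v1.0^{commit}`; anything other than `match` or `absent` means a rebuild from the tag cannot reproduce the upload.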

why are you adding the apk to git?

please post your actual compile steps & commands, as well as your fdroid metadata file

edit:

exactly, you should just add it to your tags

@SkewedZeppelin ,
@Licaon_Kter ,

I have attached the apk in the commit, as I need to specify this in the yml file, see Binaries: https://codeberg.org/mepi0011/OpeningHoursManager/raw/tag/v1.0/app/release/app-release.apk

metadata/de.mepi0011.openinghoursmanager.yml

absolutely not at all. the apk goes on a github/gitlab/codeberg release/tag instead.


For me it was as simple as having two projects open in android studio and having the release build accidentally put the built apk to the other project app/release folder

(that one was opened and built first)

You seem to be doing some gymnastics with moving the apk to a different folder. Maybe take a second look

I was on vacation for the last few days and would like to revisit this issue to find a solution.

If I don’t include an APK, I get the following error:

BUILD SUCCESSFUL in 2m 40s
57 actionable tasks: 57 executed
2025-09-13 06:33:20,216 INFO: Successfully built version 1.0 of de.mepi0011.openinghoursmanager from fb9e9dab6db45399e3cea6f5d52d7e2a28eb1f28
2025-09-13 06:33:20,275 DEBUG: Checking build/de.mepi0011.openinghoursmanager/app/build/outputs/apk/release/app-release-unsigned.apk
2025-09-13 06:33:20,278 INFO: Scanning APK with dexdump for known non-free classes.
2025-09-13 06:33:20,533 DEBUG: > /opt/android-sdk/build-tools/35.0.0/dexdump /tmp/tmpukp3zebr/classes.dex
2025-09-13 06:33:24,303 DEBUG: > /opt/android-sdk/build-tools/35.0.0/dexdump /tmp/tmpukp3zebr/classes2.dex
2025-09-13 06:33:27,204 INFO: Scanning APK for extra signing blocks.
2025-09-13 06:33:27,215 WARNING: Requested API level 34 is larger than maximum we have, returning API level 28 instead.
2025-09-13 06:33:27,228 INFO: Created directory for storing developer supplied reference binaries: 'tmp/binaries'
2025-09-13 06:33:27,228 INFO: ...retrieving https://codeberg.org/mepi0011/OpeningHoursManager/src/tag/v1.0
2025-09-13 06:33:27,230 DEBUG: Starting new HTTPS connection (1): codeberg.org:443
2025-09-13 06:33:27,639 DEBUG: https://codeberg.org:443 "GET /mepi0011/OpeningHoursManager/src/tag/v1.0 HTTP/1.1" 200 None
Exception in thread "main" com.android.apksig.apk.ApkFormatException: Malformed APK: not a ZIP archive
	at com.android.apksig.ApkVerifier.verify(ApkVerifier.java:176)
	at com.android.apksig.ApkVerifier.verify(ApkVerifier.java:149)
	at com.android.apksigner.ApkSignerTool.verify(ApkSignerTool.java:516)
	at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:88)
Caused by: com.android.apksig.zip.ZipFormatException: ZIP End of Central Directory record not found
	at com.android.apksig.apk.ApkUtilsLite.findZipSections(ApkUtilsLite.java:49)
	at com.android.apksig.apk.ApkUtils.findZipSections(ApkUtils.java:60)
	at com.android.apksig.ApkVerifier.verify(ApkVerifier.java:174)
	... 3 more
2025-09-13 06:33:27,924 ERROR: 
tmp/binaries/de.mepi0011.openinghoursmanager_10000.binary.apk: 
2025-09-13 06:33:27,925 INFO: ...NOT verified - tmp/binaries/de.mepi0011.openinghoursmanager_10000.binary.apk
2025-09-13 06:33:27,925 WARNING: Keeping failed build "tmp/de.mepi0011.openinghoursmanager_10000.apk"
2025-09-13 06:33:27,925 DEBUG: removing tmp/binaries/de.mepi0011.openinghoursmanager_10000.binary.apk
2025-09-13 06:33:27,925 ERROR: Could not build app de.mepi0011.openinghoursmanager: compared built binary to supplied reference binary but failed
==== detail begin ====
verification of signed APK failed
==== detail end ====
2025-09-13 06:33:27,925 DEBUG: Error encountered, stopping by user request.
Uploading artifacts for failed job 00:02
Uploading artifacts...
repo/: found 3 matching artifact files and directories 
unsigned/: found 1 matching artifact files and directories 
tmp/: found 3 matching artifact files and directories 
Uploading artifacts as "archive" to coordinator... 201 Created  correlation_id=a46bc75f9580d90e891b93fe609ae2d0 id=11344018063 responseStatus=201 Created token=6a_sj2KzD
Cleaning up project directory and file based variables 00:00
ERROR: Job failed: exit code 1

@wandomium , can you please explain your strategy in more detail?

binaries or binary lines should point to the APK file not the tag

I changed the yml file to point to the APK:

Binaries: https://codeberg.org/mepi0011/OpeningHoursManager/raw/branch/master/app/release/app-release.apk

Now I get the following error:

BUILD SUCCESSFUL in 2m 28s
57 actionable tasks: 57 executed
2025-09-13 09:09:20,515 INFO: Successfully built version 1.0 of de.mepi0011.openinghoursmanager from fae3800f2356afdefe871d568a381ea4c5067f81
2025-09-13 09:09:20,559 DEBUG: Checking build/de.mepi0011.openinghoursmanager/app/build/outputs/apk/release/app-release-unsigned.apk
2025-09-13 09:09:20,560 INFO: Scanning APK with dexdump for known non-free classes.
2025-09-13 09:09:20,806 DEBUG: > /opt/android-sdk/build-tools/35.0.0/dexdump /tmp/tmpv3mxlukr/classes.dex
2025-09-13 09:09:24,454 DEBUG: > /opt/android-sdk/build-tools/35.0.0/dexdump /tmp/tmpv3mxlukr/classes2.dex
2025-09-13 09:09:27,237 INFO: Scanning APK for extra signing blocks.
2025-09-13 09:09:27,247 WARNING: Requested API level 34 is larger than maximum we have, returning API level 28 instead.
2025-09-13 09:09:27,259 INFO: Created directory for storing developer supplied reference binaries: 'tmp/binaries'
2025-09-13 09:09:27,259 INFO: ...retrieving https://codeberg.org/mepi0011/OpeningHoursManager/raw/branch/master/app/release/app-release.apk
2025-09-13 09:09:27,261 DEBUG: Starting new HTTPS connection (1): codeberg.org:443
2025-09-13 09:09:27,705 DEBUG: https://codeberg.org:443 "GET /mepi0011/OpeningHoursManager/raw/branch/master/app/release/app-release.apk HTTP/1.1" 200 7251019
2025-09-13 09:09:28,900 DEBUG: tmp/binaries/de.mepi0011.openinghoursmanager_10000.binary.apk: Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
2025-09-13 09:09:28,902 INFO: ...NOT verified - /tmp/tmpeyuf4451/sigcp_de.mepi0011.openinghoursmanager_10000.apk
2025-09-13 09:09:29,127 DEBUG: > diff -r /tmp/tmpeyuf4451/tmp_binaries_de.mepi0011.openinghoursmanager_10000.binary /tmp/tmpeyuf4451/tmp_de.mepi0011.openinghoursmanager_10000
2025-09-13 09:09:29,229 WARNING: Keeping failed build "tmp/de.mepi0011.openinghoursmanager_10000.apk"
2025-09-13 09:09:29,229 DEBUG: removing tmp/binaries/de.mepi0011.openinghoursmanager_10000.binary.apk
2025-09-13 09:09:29,251 ERROR: Could not build app de.mepi0011.openinghoursmanager: compared built binary to supplied reference binary but failed
==== detail begin ====
signature copying failed: Unsupported create_version
Comparing reference APK to unsigned APK...
Unexpected diff output:
==== detail end ====
2025-09-13 09:09:29,251 DEBUG: Error encountered, stopping by user request.
Uploading artifacts for failed job 00:03
Uploading artifacts...
repo/: found 3 matching artifact files and directories 
unsigned/: found 1 matching artifact files and directories 
tmp/: found 3 matching artifact files and directories 
Uploading artifacts as "archive" to coordinator... 201 Created  correlation_id=e8595118310d09ca35e972f8ad2fefc6 id=11344379416 responseStatus=201 Created token=6a_4vcQGR
Cleaning up project directory and file based variables 00:01
ERROR: Job failed: exit code 1

We need both APKs to see the next step

Eg. Get GitHub - obfusk/reproducible-apk-tools: reproducible-apk-tools - scripts to make android apks reproducible

Run zipalignment.py codeberg.apk fdroid.apk

@mepi0011

you’re still including the APK in git. stop doing that. it’ll never work.

you need to attach it to a release tag:

@SkewedZeppelin
@Licaon_Kter

I have now removed all APKs from the Git source, see master on Codeberg. I created a release and attached the signed APK.

The file “de.mepi0011.openinghoursmanager.yml” links to the appended signed APK:

Binaries: https://codeberg.org/mepi0011/OpeningHoursManager/releases/download/v1.0/app-release.apk

The build process now shows me the following error:

Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1
2025-09-14 06:09:41,612 INFO: ...NOT verified - /tmp/tmpj0h6eu16/sigcp_de.mepi0011.openinghoursmanager_10000.apk
2025-09-14 06:09:41,847 DEBUG: > diff -r /tmp/tmpj0h6eu16/tmp_binaries_de.mepi0011.openinghoursmanager_10000.binary /tmp/tmpj0h6eu16/tmp_de.mepi0011.openinghoursmanager_10000
2025-09-14 06:09:41,949 WARNING: Keeping failed build "tmp/de.mepi0011.openinghoursmanager_10000.apk"
2025-09-14 06:09:41,949 DEBUG: removing tmp/binaries/de.mepi0011.openinghoursmanager_10000.binary.apk
2025-09-14 06:09:41,974 ERROR: Could not build app de.mepi0011.openinghoursmanager: compared built binary to supplied reference binary but failed
==== detail begin ====
signature copying failed: Unsupported create_version
Comparing reference APK to unsigned APK...
Unexpected diff output:
==== detail end ====
2025-09-14 06:09:41,974 DEBUG: Error encountered, stopping by user request.
Uploading artifacts for failed job 00:03
Uploading artifacts...
repo/: found 3 matching artifact files and directories 
unsigned/: found 1 matching artifact files and directories 
tmp/: found 3 matching artifact files and directories 
Uploading artifacts as "archive" to coordinator... 201 Created  correlation_id=483cb5a8821678c559b5cc577f79d176 id=11347328780 responseStatus=201 Created token=6a_pxPwWs
Cleaning up project directory and file based variables 00:00
ERROR: Job failed: exit code 1

I also have fdroid build running locally on my PC, with the same error output.

Comparing the APKs shows me the following:

./bin/repro-apk zipalignment /Projekte/OpeningHoursManager/app/release/app-release.apk /Projekte/fdroid/my_fdroid_repo/tmp/de.mepi0011.openinghoursmanager_10000.apk
file='/Projekte/AndroidStudioProjects/OpeningHoursManager/app/release/app-release.apk'
  zipaligned (4-byte alignment)               : yes
  files with apksigner padding                : 0
  apksigner alignments from extra fields      : none
  most likely uncompressed .so page alignment : 16KiB
file='/Projekte/fdroid/my_fdroid_repo/tmp/de.mepi0011.openinghoursmanager_10000.apk'
  zipaligned (4-byte alignment)               : yes
  files with apksigner padding                : 0
  apksigner alignments from extra fields      : none
  most likely uncompressed .so page alignment : 16KiB

You sign your APK with apksigner, yes?

@Licaon_Kter
I have the APK files signed by Android Studio during the build process.

I will try out the apksigner!

I created a signed APK with

apksigner sign --ks OpeningHoursManager.jks --ks-key-alias key0 --ks-pass pass:"my_password" --key-pass pass:"my_password" --v3-signing-enabled false --out OpeningHoursManager_signed.apk app-release-unsigned.apk

Build output (local) shows me the following error:

BUILD SUCCESSFUL in 16s
57 actionable tasks: 57 executed
2025-09-14 10:27:36,597 DEBUG: sys.platform='linux', git_executable='git'
2025-09-14 10:27:36,598 DEBUG: Popen(['git', 'cat-file', '--batch-check'], cwd=/media/Daten/Projekte/fdroid/my_fdroid_repo/build/de.mepi0011.openinghoursmanager, stdin=<valid stream>, shell=False, universal_newlines=False)
2025-09-14 10:27:36,599 INFO: Successfully built version 1.0 of de.mepi0011.openinghoursmanager from fb9e9dab6db45399e3cea6f5d52d7e2a28eb1f28
2025-09-14 10:27:36,650 DEBUG: Checking build/de.mepi0011.openinghoursmanager/app/build/outputs/apk/release/app-release-unsigned.apk
2025-09-14 10:27:36,667 INFO: ...retrieving https://codeberg.org/mepi0011/OpeningHoursManager/releases/download/v1.0/OpeningHoursManager_signed.apk
2025-09-14 10:27:36,669 DEBUG: Starting new HTTPS connection (1): codeberg.org:443
2025-09-14 10:27:36,800 DEBUG: https://codeberg.org:443 "GET /mepi0011/OpeningHoursManager/releases/download/v1.0/OpeningHoursManager_signed.apk HTTP/1.1" 200 7263860
2025-09-14 10:27:40,888 DEBUG: tmp/binaries/de.mepi0011.openinghoursmanager_10000.binary.apk: Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Verified using v3.1 scheme (APK Signature Scheme v3.1): false
Verified using v4 scheme (APK Signature Scheme v4): false
Verified for SourceStamp: false
Number of signers: 1

DOES NOT VERIFY
ERROR: APK Signature Scheme v2 signer #1: APK integrity check failed. CHUNKED_SHA256 digest mismatch. Expected: <ce7f63a87e371258e3c9e4a094d677f0ee401bdc999d54797765d5c932584975>, actual: <402212bfdba6d561fa95d5ee7c827e13b4258367f40eb33f3ecc118b1392f169>
2025-09-14 10:27:41,053 ERROR: 
/tmp/tmpwuyia_cc/sigcp_de.mepi0011.openinghoursmanager_10000.apk: 
2025-09-14 10:27:41,053 INFO: ...NOT verified - /tmp/tmpwuyia_cc/sigcp_de.mepi0011.openinghoursmanager_10000.apk
2025-09-14 10:27:41,191 DEBUG: > diff -r /tmp/tmpwuyia_cc/tmp_binaries_de.mepi0011.openinghoursmanager_10000.binary /tmp/tmpwuyia_cc/_tmp_tmpwuyia_cc_sigcp_de.mepi0011.openinghoursmanager_10000
2025-09-14 10:27:41,291 DEBUG: > /usr/bin/meld /tmp/tmpwuyia_cc/tmp_binaries_de.mepi0011.openinghoursmanager_10000.binary /tmp/tmpwuyia_cc/_tmp_tmpwuyia_cc_sigcp_de.mepi0011.openinghoursmanager_10000
2025-09-14 10:27:47,096 WARNING: Fehlgeschlagener Build "tmp/de.mepi0011.openinghoursmanager_10000.apk" behalten
2025-09-14 10:27:47,096 DEBUG: removing tmp/binaries/de.mepi0011.openinghoursmanager_10000.binary.apk
2025-09-14 10:27:47,106 ERROR: Could not build app de.mepi0011.openinghoursmanager: compared built binary to supplied reference binary but failed
==== detail begin ====
verification of APK with copied signature failed
Comparing reference APK to APK with copied signature...
Unexpected diff output:
==== detail end ====

When I compare the APK files with diffoscope, I get the following output:

Any idea how to solve the problem?