Reproducible build for apps signed using PlayStore App Signing

Hi everyone,

I’m trying to create a merge request for my application, which has source code on GitHub and is already available on PlayStore. I use the app signing process to build the release APK, by putting the app bundle on the Play console and retrieving the APK from the console, then I distribute this APK as the official release on GitHub.

I tried to configure my yaml file to distribute this same APK using F-Droid, but when I launch the “fdroid build” command, it seems that this version is not reproducible, and when investigating, I noticed that the PlayStore version added metadata in the AndroidManifest.xml file, and some resource files and dex files are different…

I tried a few things to make the build reproducible without success. Is it even possible to distribute the same APK on the Play Store and F-Droid, or should I stick to a version with a different signature? Removing links to the existing binaries seems to work fine.

Thanks in advance

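One way to see exactly which entries of the served APK were changed after upload, as an added example that is not code from this thread or from fdroidserver: it hashes every entry of two APKs and separates the META-INF/ signing files (assumed to always differ) from manifest, resource and dex changes. The two APKs below are constructed sample zips, not real builds.

```python
# Added example, not code from the thread or from fdroidserver: hash every entry of two
# APKs (zip archives) and report what differs beyond the META-INF/ signing files.
import hashlib
import io
import zipfile

def entry_digests(apk_bytes: bytes) -> dict:
    """Map each file entry of an APK to the sha256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(local_apk: bytes, served_apk: bytes) -> dict:
    """Classify entries: identical, signature (META-INF/), changed, or only on one side."""
    a, b = entry_digests(local_apk), entry_digests(served_apk)
    report = {k: [] for k in ("identical", "signature", "changed", "only_local", "only_served")}
    for name in sorted(set(a) | set(b)):
        if name.startswith("META-INF/"):  # assumption: signing material, expected to differ
            report["signature"].append(name)
        elif name not in b:
            report["only_local"].append(name)
        elif name not in a:
            report["only_served"].append(name)
        elif a[name] == b[name]:
            report["identical"].append(name)
        else:
            report["changed"].append(name)
    return report

def reproducible(report: dict) -> bool:
    """True only when nothing except signature entries differs between the two APKs."""
    return not (report["changed"] or report["only_local"] or report["only_served"])

def make_apk(entries: dict) -> bytes:
    """Build a minimal zip standing in for an APK (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a local build and a "served" copy with manifest and dex changes.
LOCAL_APK = make_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-local",
                      "res/values.arsc": b"res", "META-INF/CERT.RSA": b"local-sig"})
SERVED_APK = make_apk({"AndroidManifest.xml": b"<manifest><meta-data/></manifest>",
                       "classes.dex": b"dex-served", "res/values.arsc": b"res",
                       "META-INF/CERT.RSA": b"store-sig"})
```

Run it on the locally built APK and the one downloaded from the Play console; any name in `changed`, `only_local` or `only_served` is a difference that a signature alone cannot explain.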

Google injects some garbage in the APK they serve to you, so no, you can’t reproduce that. :man_shrugging:

Thanks for your answer. I wanted to distribute the same APK on all platforms but it seems impossible now. I think I will distribute another APK signed locally on GitHub and use the reproducibility with this one.

Yes, it’s only possible if your app was on Play from before Nov 2021, signed by you.