Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reproducible Builds #3559

Merged
merged 8 commits into from
Apr 7, 2024
Merged

Reproducible Builds #3559

merged 8 commits into from
Apr 7, 2024

Conversation

iBotPeaches
Copy link
Owner

@iBotPeaches iBotPeaches commented Mar 31, 2024

In light of recent events - I'm working to prove the builds I make for Apktool are indeed reproducible by the community.


  • Drop ShadowJar for manual archive building.
  • Remove Proguard
  • Clean output folder prior to R8 Run.
  • Keep naming the same on shadowJar even though Plugin not used.
  • Keep naming the same on proguard even though its R8`
  • Investigate suppressing Proguard rule does not match anything
  • Investigate Java8 failure when R8 invoked (java.lang.UnsupportedClassVersionError: com/android/tools/r8/R8 has been compiled by a more recent version of the Java Runtime)
  • Confirm build is reproducible between 2 linux machines.
  • Confirm build is reproducible between 2 mac machines.
  • Confirm build is reproducible between 2 win machines.
  • Confirm build is reproducible between all 3 supported os.

@iBotPeaches
Copy link
Owner Author

iBotPeaches commented Mar 31, 2024

Proguard is our problem now - it rolls its own Zip library and this is not respecting the Gradle properties for Reproducible builds.

Guardsquare/proguard#28

@iBotPeaches
Copy link
Owner Author

Dropping Proguard for r8 - https://r8.googlesource.com/r8#running-r8

@iBotPeaches
Copy link
Owner Author

Yay they are reproducible now between 2 different machines (Kali and Ubuntu). Though build system on different Java versions seems to have a challenge. Unsure what criteria R8 has at the moment.

@iBotPeaches
Copy link
Owner Author

Not sure where this spamming is coming from

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Info in /home/ibotpeaches/Desktop/Projects/Java/Apktool/brut.apktool/apktool-cli/build/libs/apktool-cli.jar:META-INF/proguard/base.pro at line 8, column 1:
Proguard configuration rule does not match anything: `-keep class sun.misc.SharedSecrets {
  *** getJavaLangAccess(...);
}`
Info in /home/ibotpeaches/Desktop/Projects/Java/Apktool/brut.apktool/apktool-cli/build/libs/apktool-cli.jar:META-INF/proguard/base.pro at line 12, column 1:
Proguard configuration rule does not match anything: `-keep class sun.misc.JavaLangAccess {
  *** getStackTraceElement(...);
  *** getStackTraceDepth(...);
}`
Info in /home/ibotpeaches/Desktop/Projects/Java/Apktool/brut.apktool/apktool-cli/build/libs/apktool-cli.jar:META-INF/proguard/concurrent.pro at line 32, column 1:
Proguard configuration rule does not match anything: `-keep class com.google.appengine.api.ThreadManager {
  static *** currentRequestThreadFactory(...);
}`
Info in /home/ibotpeaches/Desktop/Projects/Java/Apktool/brut.apktool/apktool-cli/build/libs/apktool-cli.jar:META-INF/proguard/concurrent.pro at line 36, column 1:
Proguard configuration rule does not match anything: `-keep class com.google.apphosting.api.ApiProxy {
  static *** getCurrentEnvironment(...);
}`
Info in /home/ibotpeaches/Desktop/Projects/Java/Apktool/brut.apktool/apktool-cli/build/libs/apktool-cli.jar:META-INF/proguard/io.pro at line 1, column 1:
Proguard configuration rule does not match anything: `-keep class java.lang.Throwable {
  *** addSuppressed(...);
}`

@zerny
Copy link

zerny commented Apr 3, 2024

FYI, from command line you can use --map-diagnostics:UnusedProguardKeepRuleDiagnostic info none to silence those diagnostics if you like. (Or use the Java API to do the same, by providing your own DiagnosticsHandler to the R8Command.Builder).

@iBotPeaches
Copy link
Owner Author

iBotPeaches commented Apr 3, 2024

FYI, from command line you can use --map-diagnostics:UnusedProguardKeepRuleDiagnostic info none to silence those diagnostics if you like. (Or use the Java API to do the same, by providing your own DiagnosticsHandler to the R8Command.Builder).

thanks! I peeked the help output & didn't see anything that stood out. I would have never found that. Thanks again.

@iBotPeaches iBotPeaches marked this pull request as ready for review April 5, 2024 10:19
@iBotPeaches iBotPeaches force-pushed the reproducible-builds branch from b44ebf8 to efb077f Compare April 5, 2024 10:19
@iBotPeaches iBotPeaches merged commit e69ecb5 into master Apr 7, 2024
25 checks passed
@iBotPeaches iBotPeaches deleted the reproducible-builds branch April 7, 2024 15:45
@iBotPeaches iBotPeaches added this to the v2.10.0 milestone Apr 7, 2024
iBotPeaches added a commit that referenced this pull request Apr 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants