[tbb-bugs] #31564 [Applications/Tor Browser]: Android bundles based on ESR 68 are not built reproducibly anymore

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Sep 19 15:40:08 UTC 2019


#31564: Android bundles based on ESR 68 are not built reproducibly anymore
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-9.0-must-alpha,                  |  Actual Points:
  TorBrowserTeam201909R, GeorgKoppen201909       |
Parent ID:  #30324                               |         Points:  5
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by boklm):

 Replying to [comment:26 sisbell]:
 > When re-zipping the file, I was getting some zip entry extra field flags
 > that would change each build. I'm not exactly sure what the extra field
 > info was as it's platform specific and not standard fields like timestamp.
 > I removed these using the -X option. After that, multiple builds of the
 > apk result in the same checksum. I'll need someone to verify that the
 > checksum matches across different build machine OSes.

 That's probably not enough to make it reproducible on multiple machines
 as the order in which files are included in the zip might be different.
 You can fix it with:
 {{{
 diff --git a/projects/tor-browser/build.android b/projects/tor-
 browser/build.android
 index f93e46d..f621a83 100644
 --- a/projects/tor-browser/build.android
 +++ b/projects/tor-browser/build.android
 @@ -44,8 +44,10 @@ java -jar $apktool b -o $resfix decompiled
  # Fix timestamps and remove extra field info from zip entries
  unzip $resfix -d tmp
  cd tmp
 -find . -exec [% c("var/touch") %] {} \;
 -zip -rX $resfix .
 +[% c('zip', {
 +  zip_src => [ '.' ],
 +  zip_args => '$resfix',
 +  }) %]

  # Sign a QA build. This apk is not a debug version and doesn't contain a
 debug flag in the manifest
  java -jar /usr/share/apksigner/apksigner.jar sign --verbose --min-sdk-
 version [% c("var/android_min_api") %] --ks $rootdir/android-qa.keystore
 --out $qa_apk --in $resfix --ks-key-alias androidqakey --key-pass
 pass:android --ks-pass pass:android
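 Review bot: the deleted `find . -exec [% c("var/touch") %] {} \;` line was the timestamp normalization that the unchanged comment `# Fix timestamps and remove extra field info from zip entries` promises, and nothing in the hunk visibly replaces it; unless the `zip` template helper normalizes member mtimes itself, either keep the touch step ahead of the `[% c('zip', ... %]` call or reword the comment so it only claims a sorted, extra-field-free repack. It would also help to state in a comment that `zip_args => '$resfix'` is deliberately single-quoted so the literal `$resfix` reaches the generated shell script and is expanded there, otherwise a reader may take it for a missed interpolation.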
 }}}

 Also do we really need a separate `$resfix` file, or could we just
 overwrite the `$apk`?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31564#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
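The three sources of non-determinism discussed in this ticket (member order, entry timestamps, platform extra fields) in one place, as an added example that is not part of the ticket or of tor-browser-build: a Python repacker using the standard `zipfile` module instead of the `zip`/`touch` tools, packing two constructed trees that hold the same files created in different order with different mtimes and comparing the archive digests.

```python
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# Fixed mtime written into every zip entry (the DOS time field cannot be < 1980).
FIXED_TIME = (2000, 1, 1, 0, 0, 0)


def deterministic_zip(src_dir, out_path):
    """Repack src_dir so the archive bytes depend only on member paths and contents."""
    src = Path(src_dir)
    # 1. Sort the member list: directory walk order varies between filesystems.
    members = sorted((p for p in src.rglob("*") if p.is_file()),
                     key=lambda p: p.relative_to(src).as_posix())
    with zipfile.ZipFile(out_path, "w") as zf:
        for p in members:
            # 2. Fixed timestamp instead of the file's real mtime.
            info = zipfile.ZipInfo(p.relative_to(src).as_posix(), date_time=FIXED_TIME)
            # 3. No platform-specific extra field (the -X analogue) and a constant
            #    creator system / mode, which would otherwise leak host details.
            info.extra = b""
            info.create_system = 3
            info.external_attr = 0o644 << 16
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, p.read_bytes())


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_tree(root, files):
    """Constructed sample tree: files created in the given order with distinct mtimes."""
    for i, (name, data) in enumerate(files):
        f = Path(root) / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
        os.utime(f, (946684800 + i * 3600,) * 2)


def demo():
    """Pack identical content from two differently built trees; return digests and member order."""
    files = [("res/values/strings.xml", b"<resources/>"),   # constructed apk-like content
             ("classes.dex", b"dex\n035\x00"),
             ("AndroidManifest.xml", b"<manifest/>")]
    with tempfile.TemporaryDirectory() as d:
        a, b = Path(d) / "a", Path(d) / "b"
        build_tree(a, files)
        build_tree(b, list(reversed(files)))
        deterministic_zip(a, Path(d) / "a.zip")
        deterministic_zip(b, Path(d) / "b.zip")
        with zipfile.ZipFile(Path(d) / "a.zip") as zf:
            names = zf.namelist()
        return sha256_file(Path(d) / "a.zip"), sha256_file(Path(d) / "b.zip"), names
```

Checking the two digests on different build hosts is the cross-machine verification sisbell asks for above; the zlib version still has to match for the deflated bytes to agree.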