[tor-bugs] #31564 [Applications/Tor Browser]: Android bundles based on ESR 68 are not built reproducibly anymore

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 16 16:57:36 UTC 2019


#31564: Android bundles based on ESR 68 are not built reproducibly anymore
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-9.0-must-alpha,                  |  Actual Points:
  TorBrowserTeam201909, GeorgKoppen201909        |
Parent ID:  #30324                               |         Points:  5
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by sisbell):

 I did the apktool decompile/decompile approach. The apktool that can be
 added in config/arch_deps is an old version of apktool with a bug


 {{{
 I: Using Apktool 2.2.1-dirty on tor-browser-unsigned-unaligned.apk
 I: Loading resource table...
 I: Decoding AndroidManifest.xml with resources...
 I: Loading resource table from file:
 /home/rbm/.local/share/apktool/framework/1.apk
 I: Regular manifest package...
 I: Decoding file-resources...
 I: Decoding values */* XMLs...
 Exception in thread "main" java.lang.NullPointerException
         at
 brut.androlib.res.data.value.ResStyleValue.serializeToResValuesXml(ResStyleValue.java:58)
         at
 brut.androlib.res.AndrolibResources.generateValuesFile(AndrolibResources.java:516)
         at
 brut.androlib.res.AndrolibResources.decode(AndrolibResources.java:267)
         at brut.androlib.Androlib.decodeResourcesFull(Androlib.java:132)
         at brut.androlib.ApkDecoder.decode(ApkDecoder.java:108)
         at brut.apktool.Main.cmdDecode(Main.java:166)
         at brut.apktool.Main.main(Main.java:81)
 }}}

 https://github.com/iBotPeaches/Apktool/issues/1399

 So I'm using apktool 2.4.0, downloading it as part of the build.

 When re-zipping the file, I was getting some zip entry extra field flags
 that would change each build. I'm not exactly sure what the extra field
 info was as its platform specific and not standard fields like timestamp..
 I removed these using the -X option. After that, multiple builds of the
 apk result in the same checksum. I'll need someone to verify that the
 checksum matches across different build machine OSes.

 There is some room to cleanup the build further if it is verified to fix
 this bug.

 The code is at https://github.com/sisbell/tor-browser-
 build/commit/694de9f7431b022cf974aa5bd8b6150e59f0bcbf

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31564#comment:26>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list