[guardian-dev] deterministic, repeatable build of LilDebi
Hans-Christoph Steiner
hans at guardianproject.info
Fri Apr 11 16:50:10 EDT 2014
I started messing around with trying to get a deterministic, repeatable build
of an Android app, and I just got it working! Having a deterministic,
repeatable build process that produces the exact same APK wherever it is run
has a lot of benefits:
* makes it easy for anyone to verify that the official APKs are indeed
generated only from the sources in git
* makes it possible for FDroid to distribute APKs with the upstream
developer's signature instead of FDroid's signature
I started with LilDebi because it's a pretty small, simple app. It does
include native parts, which I thought would be hard, but all in all, it was
not too bad. So here's how to build LilDebi so you can verify it against
the APK that I built:
git clone https://github.com/guardianproject/lildebi
cd lildebi
git submodule init
git submodule update
make NDK_BASE=/path/to/your/android-ndk -C external assets
./update-ant-build.sh
ant debug
This makes a build that is the same in terms of the jar/APK signature (i.e.
the files in the APK that are in META-INF/). So it should now be possible to
build your own APK, then take the APK that I built and swap in my META-INF
files. Then the APK that you built will have my signature on it.
This process does not yet produce APKs with the exact same hash. There are
differences in sort order of the files in the manifest, timestamps on files,
etc. that change the hash.
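A verification script for the swap-in step described above, added here as an example (it is not from the post or from the LilDebi project): it compares two APKs entry by entry while ignoring META-INF/, zip entry order and timestamps, since the jar signature covers per-entry digests listed in MANIFEST.MF rather than the whole zip file, and then produces the locally built APK carrying the official META-INF/ entries. The APK bytes below are constructed stand-ins (small zips), not real builds.

```python
import hashlib
import io
import zipfile

def read_entries(apk_bytes, meta_inf):
    """Return {name: (ZipInfo, contents)} for the META-INF/ entries (meta_inf=True) or all others."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: (i, zf.read(i)) for i in zf.infolist()
                if i.filename.startswith("META-INF/") == meta_inf}

def entry_digests(apk_bytes):
    """SHA-256 of each non-signature entry, keyed by name: the content the jar signature covers."""
    return {n: hashlib.sha256(d).hexdigest() for n, (_, d) in read_entries(apk_bytes, False).items()}

def compare_apks(built, official):
    """Diff two APKs by entry content only, ignoring META-INF/, zip entry order and timestamps."""
    a, b = entry_digests(built), entry_digests(official)
    return {
        "only_in_built": sorted(set(a) - set(b)),
        "only_in_official": sorted(set(b) - set(a)),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def swap_meta_inf(built, official):
    """Locally built entries plus the official META-INF/ entries, as the post describes."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info, data in [*read_entries(built, False).values(), *read_entries(official, True).values()]:
            dst.writestr(info, data)  # keeps each entry's own name, timestamp and compression
    return out.getvalue()

def make_apk(entries, date_time):
    """Constructed stand-in for a real APK: a zip of {name: bytes} stamped with one timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time), data)
    return buf.getvalue()

# Constructed sample data: identical app contents, but the "official" APK has a different
# entry order, different timestamps and a META-INF/ signature that the local build lacks.
PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035",
           "lib/armeabi/libsomething.so": b"\x7fELF"}
SIGNATURE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
             "META-INF/CERT.SF": b"(sf)", "META-INF/CERT.RSA": b"(rsa)"}
BUILT = make_apk(PAYLOAD, (2014, 4, 11, 16, 50, 10))
OFFICIAL = make_apk({**dict(reversed(PAYLOAD.items())), **SIGNATURE}, (2014, 4, 1, 0, 0, 0))
```

The swapped-in signature will only verify (for example with `jarsigner -verify`) when compare_apks reports no differences, because MANIFEST.MF records a digest of every entry; the whole-file hash of BUILT and OFFICIAL still differs for exactly the reasons given above.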
.hc
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81