Add workflow to ensure reproducibility

Co-Authored-By: Albin <albin@mullvad.net>

Author: Pururun

.github/workflows/android-reproducible-builds.yml

@@ -0,0 +1,109 @@
+---
+name: Android - Verify F-Droid and reproducible builds
+on:
+  schedule:
+    # At 04:20 UTC every monday.
+    # Notifications for scheduled workflows are sent to the user who last modified the cron
+    # syntax in the workflow file. If you update this you must have notifications for
+    # Github Actions enabled, so these don't go unnoticed.
+    # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs
+    - cron: '20 6 * * 1'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  build-fdroid-app:
+    name: Build fdroid container
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Build app
+        run: ./building/containerized-build.sh android --fdroid
+
+      - name: Upload apks
+        uses: actions/upload-artifact@v4
+        with:
+          name: container-app
+          path: android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
+          if-no-files-found: error
+          retention-days: 7
+
+  build-fdroid-app-server:
+    name: Build fdroid with fdroid server
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install fdroidserver
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install fdroidserver
+
+      - name: Install gradle
+        run: |
+          sudo apt-get -y remove gradle
+          mkdir /opt/gradle
+          curl -sfLo /opt/gradle/gradle-8.13-bin.zip https\://services.gradle.org/distributions/gradle-8.13-bin.zip
+          unzip -d /opt/gradle /opt/gradle/gradle-8.13-bin.zip
+
+      # These are equivalent to the sudo section of the metadata file
+      - name: Install dependencies
+        run: sudo apt-get install -y build-essential protobuf-compiler libprotobuf-dev
+
+      - name: Download metadata file
+        uses: actions/checkout@v4
+        with:
+          path: app-repo
+
+      - name: Init fdroid
+        run: fdroid init
+
+      - name: Prepare metadata
+        run: |
+          mkdir metadata
+          cp app-repo/android/fdroid-build/metadata/net.mullvad.mullvadvpn.yml metadata/net.mullvad.mullvadvpn.yml
+          sed -i 's/commit-hash/${{ github.sha }}/' metadata/net.mullvad.mullvadvpn.yml
+
+      - name: Build app
+        run: |
+          export PATH=$PATH:/opt/gradle/gradle-8.13/bin
+          fdroid build net.mullvad.mullvadvpn:1 -v
+
+      - name: Upload apks
+        uses: actions/upload-artifact@v4
+        with:
+          name: fdroidserver-app
+          path: |
+            build/net\.mullvad\.mullvadvpn/android/app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
+          if-no-files-found: error
+          retention-days: 7
+
+  compare-builds:
+    name: Check builds
+    runs-on: ubuntu-latest
+    needs: [build-fdroid-app, build-fdroid-app-server]
+    steps:
+      - name: Download container apk
+        uses: actions/download-artifact@v4
+        with:
+          name: container-app
+          path: container
+
+      - name: Download server apk
+        uses: actions/download-artifact@v4
+        with:
+          name: fdroidserver-app
+          path: fdroidserver
+
+      - name: Print checksums
+        run: |
+          echo "Container build checksum"
+          md5sum container/app-oss-prod-fdroid-unsigned.apk
+          echo "Fdroidserver build checksum"
+          md5sum fdroidserver/app-oss-prod-fdroid-unsigned.apk
+
+      - name: Compare files
+        run: diff container/app-oss-prod-fdroid-unsigned.apk fdroidserver/app-oss-prod-fdroid-unsigned.apk

android/fdroid-build/env.sh

@@ -5,10 +5,13 @@
 # shellcheck source=/dev/null
 source "$HOME/.cargo/env"
 
-# Ensure Go compiler is accessible
+# Ensure Go compiler is accessible (needs to be removed if building locally on macOS)
 export GOROOT="$HOME/go"
 export PATH="$GOROOT/bin:$PATH"
 
+# Set up python3 path for the rust gradle plugin
+export RUST_ANDROID_GRADLE_PYTHON_COMMAND=/usr/bin/python3
+
 # Ensure Rust crates know which tools to use for cross-compilation
 export NDK_TOOLCHAIN_DIR="$NDK_PATH/toolchains/llvm/prebuilt/linux-x86_64/bin"
 

android/fdroid-build/metadata/net.mullvad.mullvadvpn.yml

@@ -0,0 +1,56 @@
+AntiFeatures:
+  NonFreeNet:
+    en-US: Depends on the Mullvad VPN service.
+Categories:
+  - Connectivity
+  - Internet
+  - Security
+  - System
+License: GPL-3.0-or-later
+WebSite: https://mullvad.net
+SourceCode: https://github.com/mullvad/mullvadvpn-app
+IssueTracker: https://github.com/mullvad/mullvadvpn-app/issues
+Translation: https://github.com/mullvad/mullvadvpn-app/blob/HEAD/CONTRIBUTING.md#localization--translations
+Changelog: https://github.com/mullvad/mullvadvpn-app/blob/HEAD/android/CHANGELOG.md
+
+AutoName: Mullvad VPN
+
+RepoType: git
+Repo: https://github.com/mullvad/mullvadvpn-app.git
+
+Builds:
+  - versionName: 'Reproducible'
+    versionCode: 1
+    commit: commit-hash
+    timeout: 10800
+    subdir: android/app
+    sudo:
+      - apt-get update
+      - apt-get install -y build-essential protobuf-compiler libprotobuf-dev
+    init: NDK_PATH="$$NDK$$" ../fdroid-build/init.sh
+    output: build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk
+    rm:
+      - desktop
+      - graphics
+      - ios
+      - windows
+      - building/sigstore
+      - android/lib/billing
+    prebuild:
+      - git -C ../.. submodule update --init --recursive --depth=1 wireguard-go-rs
+      - sed -i -e 's|Repositories.GradlePlugins|"https://plugins.gradle.org/m2/"|'
+        ../build.gradle.kts
+      - sed -i '/\"desktop\//d' ../../Cargo.toml
+      - sed -i '/^android-billingclient/d' ../gradle/libs.versions.toml
+    build:
+      - NDK_PATH="$$NDK$$" source ../fdroid-build/env.sh
+      - cargo install --force cbindgen --version "0.26.0" --locked
+      - echo $NDK_TOOLCHAIN_DIR "$$NDK$$"
+      - ../build.sh --fdroid
+    ndk: 27.2.12479018
+
+AutoUpdateMode: Version
+UpdateCheckMode: Tags ^android/[0-9]{4}\.[0-9]+$
+UpdateCheckData: dist-assets/android-version-code.txt|(\d+)|dist-assets/android-version-name.txt|(.+)
+CurrentVersion: 'Reproducible'
+CurrentVersionCode: 1