Add instructions for release APK reproducibiltiy #7901
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
albin-mullvad
requested changes
Mar 26, 2025
There was a problem hiding this comment.
Reviewed 1 of 1 files at r1, all commit messages.
Reviewable status: all files reviewed, 5 unresolved discussions
android/BuildInstructions.md line 270 at r1 (raw file):
## Verifying that an official release is reproducible: 1. Obtain the release APK (2025.2-beta1 or newer) from [GitHub releases](https://github.com/mullvad/mullvadvpn-app/releases) or [releases.mullvad.net](https://releases.mullvad.net/android/)
I suggest we skip this part since it's not something we promote. However we can mention our website instead.
Code quote:
or [releases.mullvad.net](https://releases.mullvad.net/android/)android/BuildInstructions.md line 271 at r1 (raw file):
1. Obtain the release APK (2025.2-beta1 or newer) from [GitHub releases](https://github.com/mullvad/mullvadvpn-app/releases) or [releases.mullvad.net](https://releases.mullvad.net/android/) 2. Setup your environment so that you can build a [release build ](#release-build) of the app.
I believe we can use 1. for all list entries and let the markdown parser figure the index out, like we do here:
mullvadvpn-app/BuildInstructions.md
Line 261 in df51289
Could be nice to do that for in the rest of the document as well
Code quote:
2.android/BuildInstructions.md line 272 at r1 (raw file):
1. Obtain the release APK (2025.2-beta1 or newer) from [GitHub releases](https://github.com/mullvad/mullvadvpn-app/releases) or [releases.mullvad.net](https://releases.mullvad.net/android/) 2. Setup your environment so that you can build a [release build ](#release-build) of the app. 3. Make sure you have fetched all tags: `git fetch --tags`
We can skip this fetch step since we can rely on the user/developer following this to figure that out
android/BuildInstructions.md line 274 at r1 (raw file):
3. Make sure you have fetched all tags: `git fetch --tags` 4. Checkout the release tag: `git checkout android/<version>` 5. Build the APK using the containerized script: `../building/containerized-build.sh android`, alternatively build without the container: `./build.sh`. The resuling file is located at `app/build/outputs/apk/ossProd/release/app-oss-prod-release.apk`.
Can we shorten this step a bit? Maybe we can just refer to our build instructions since it's quite likely that they will have to also set up the signing stuff to proceed. For example we can just say: Build a release build using our [build instructions](...).
android/BuildInstructions.md line 275 at r1 (raw file):
4. Checkout the release tag: `git checkout android/<version>` 5. Build the APK using the containerized script: `../building/containerized-build.sh android`, alternatively build without the container: `./build.sh`. The resuling file is located at `app/build/outputs/apk/ossProd/release/app-oss-prod-release.apk`. 6. Delete the signatures from the two APKs by running `zip -d app-oss-prod-release.apk "META-INF/*"` and `new zip -d MullvadVPN-<version>.apk "META-INF/*"`
typo: remove "new"?
Code quote:
and `new zip
android/BuildInstructions.md
Outdated
| 4. Compare the checksums of the two APKs: `md5sum fdroid-container.apk app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk` | ||
| 4. Compare the checksums of the two APKs: `sha256sum fdroid-container.apk app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk` | ||
|
|
||
| ## Verifying that an official release is reproducible: |
There was a problem hiding this comment.
Nitpicking but other headings do not end with : .
Suggested change
| ## Verifying that an official release is reproducible: | |
| ## Verifying that an official release is reproducible |
android/BuildInstructions.md
Outdated
Comment on lines
270
to
276
| 1. Obtain the release APK (2025.2-beta1 or newer) from [GitHub releases](https://github.com/mullvad/mullvadvpn-app/releases) or [releases.mullvad.net](https://releases.mullvad.net/android/) | ||
| 2. Setup your environment so that you can build a [release build ](#release-build) of the app. | ||
| 3. Make sure you have fetched all tags: `git fetch --tags` | ||
| 4. Checkout the release tag: `git checkout android/<version>` | ||
| 5. Build the APK using the containerized script: `../building/containerized-build.sh android`, alternatively build without the container: `./build.sh`. The resuling file is located at `app/build/outputs/apk/ossProd/release/app-oss-prod-release.apk`. | ||
| 6. Delete the signatures from the two APKs by running `zip -d app-oss-prod-release.apk "META-INF/*"` and `new zip -d MullvadVPN-<version>.apk "META-INF/*"` | ||
| 7. Compare the checksums of the two APKs: `sha256sum app-oss-prod-release.apk MullvadVPN-<version>.apk`. If the checksums are equal the build is reproducible. |
There was a problem hiding this comment.
Suggested change
| 1. Obtain the release APK (2025.2-beta1 or newer) from [GitHub releases](https://github.com/mullvad/mullvadvpn-app/releases) or [releases.mullvad.net](https://releases.mullvad.net/android/) | |
| 2. Setup your environment so that you can build a [release build ](#release-build) of the app. | |
| 3. Make sure you have fetched all tags: `git fetch --tags` | |
| 4. Checkout the release tag: `git checkout android/<version>` | |
| 5. Build the APK using the containerized script: `../building/containerized-build.sh android`, alternatively build without the container: `./build.sh`. The resuling file is located at `app/build/outputs/apk/ossProd/release/app-oss-prod-release.apk`. | |
| 6. Delete the signatures from the two APKs by running `zip -d app-oss-prod-release.apk "META-INF/*"` and `new zip -d MullvadVPN-<version>.apk "META-INF/*"` | |
| 7. Compare the checksums of the two APKs: `sha256sum app-oss-prod-release.apk MullvadVPN-<version>.apk`. If the checksums are equal the build is reproducible. | |
| 1. Obtain the release APK (`2025.2-beta1` or newer) from [GitHub releases](https://github.com/mullvad/mullvadvpn-app/releases) or [releases.mullvad.net](https://releases.mullvad.net/android/) | |
| 2. Set up your environment so that you can build a [release build ](#release-build) of the app. | |
| 3. Make sure you have fetched all tags: `git fetch --tags` | |
| 4. Checkout the release tag: `git checkout android/<version>` | |
| 5. Build the APK using the containerized script: `../building/containerized-build.sh android`, alternatively build without the container: `./build.sh`. The resuling file is located at `app/build/outputs/apk/ossProd/release/app-oss-prod-release.apk`. | |
| 6. Delete the signatures from the two APKs by running `zip -d app-oss-prod-release.apk "META-INF/*"` and `new zip -d MullvadVPN-<version>.apk "META-INF/*"` | |
| 7. Compare the checksums of the two APKs: `sha256sum app-oss-prod-release.apk MullvadVPN-<version>.apk`. If the checksums are equal the build is reproducible. |
android/BuildInstructions.md
Outdated
|
|
||
| ### Troubleshooting reproducibility | ||
|
|
||
| If two APKs built from the same commit have different checksums the build is not reproducible. This could be because of either: | ||
|
|
||
| 1. A build dependency on the local system has the wrong version. | ||
| 2. There is a bug that breaks the build reproducibility. | ||
| 3. The APK built is a version prior to 2025.2-beta1, which is the first version that supports reproducible builds. |
There was a problem hiding this comment.
Suggested change
| 3. The APK built is a version prior to 2025.2-beta1, which is the first version that supports reproducible builds. | |
| 3. The APK built is a version prior to `2025.2-beta1`, which is the first version that supports reproducible builds. |
kl
force-pushed
the
document-how-to-verify-that-a-release-apk-is-reproducible-droid-1847
branch
from
b8d0731 to
d3b8482
Compare
kl
commented
Mar 26, 2025
There was a problem hiding this comment.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @albin-mullvad and @MrChocolatine)
android/BuildInstructions.md line 270 at r1 (raw file):
Previously, albin-mullvad wrote…
I suggest we skip this part since it's not something we promote. However we can mention our website instead.
Done.
android/BuildInstructions.md line 271 at r1 (raw file):
Previously, albin-mullvad wrote…
I believe we can use
1.for all list entries and let the markdown parser figure the index out, like we do here:mullvadvpn-app/BuildInstructions.md
Line 261 in df51289
Could be nice to do that for in the rest of the document as well
The more you know! Fixed
android/BuildInstructions.md
Outdated
| 4. Compare the checksums of the two APKs: `md5sum fdroid-container.apk app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk` | ||
| 4. Compare the checksums of the two APKs: `sha256sum fdroid-container.apk app/build/outputs/apk/ossProd/fdroid/app-oss-prod-fdroid-unsigned.apk` | ||
|
|
||
| ## Verifying that an official release is reproducible: |
android/BuildInstructions.md
Outdated
Comment on lines
270
to
276
| 1. Obtain the release APK (2025.2-beta1 or newer) from [GitHub releases](https://github.com/mullvad/mullvadvpn-app/releases) or [releases.mullvad.net](https://releases.mullvad.net/android/) | ||
| 2. Setup your environment so that you can build a [release build ](#release-build) of the app. | ||
| 3. Make sure you have fetched all tags: `git fetch --tags` | ||
| 4. Checkout the release tag: `git checkout android/<version>` | ||
| 5. Build the APK using the containerized script: `../building/containerized-build.sh android`, alternatively build without the container: `./build.sh`. The resuling file is located at `app/build/outputs/apk/ossProd/release/app-oss-prod-release.apk`. | ||
| 6. Delete the signatures from the two APKs by running `zip -d app-oss-prod-release.apk "META-INF/*"` and `new zip -d MullvadVPN-<version>.apk "META-INF/*"` | ||
| 7. Compare the checksums of the two APKs: `sha256sum app-oss-prod-release.apk MullvadVPN-<version>.apk`. If the checksums are equal the build is reproducible. |
android/BuildInstructions.md
Outdated
|
|
||
| ### Troubleshooting reproducibility | ||
|
|
||
| If two APKs built from the same commit have different checksums the build is not reproducible. This could be because of either: | ||
|
|
||
| 1. A build dependency on the local system has the wrong version. | ||
| 2. There is a bug that breaks the build reproducibility. | ||
| 3. The APK built is a version prior to 2025.2-beta1, which is the first version that supports reproducible builds. |
albin-mullvad
approved these changes
Mar 27, 2025
There was a problem hiding this comment.
Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @MrChocolatine)
Pururun
approved these changes
Mar 27, 2025
There was a problem hiding this comment.
Reviewed all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @MrChocolatine)
albin-mullvad
force-pushed
the
document-how-to-verify-that-a-release-apk-is-reproducible-droid-1847
branch
from
d3b8482 to
216e599
Compare
albin-mullvad
deleted the
document-how-to-verify-that-a-release-apk-is-reproducible-droid-1847
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change is