24 Sep 2020 |
_hc | started as a simple whitelabel idea but as I told about all our offerings, they were quite interested | 17:06:40 |
_hc | cdesai: do you know if apps can get CAP_NET_ADMIN on Android? https://gitlab.torproject.org/tpo/core/tor/-/issues/32091#note_2709550 | 17:12:29 |
cdesai | _hc: doesn't look like it. I see that it's explicitly set for some system/vendor processes, which would mean it isn't obtainable by normal means | 17:19:08 |
cdesai | example: https://source.android.com/devices/tech/config/ambient | 17:19:44 |
25 Sep 2020 |
kitsunyan | I just tried to rebuild the APK using a simple python script (+ zipalign after rebuild) | 09:16:01 |
kitsunyan | And of course I got different APKs because python script compresses the files differently | 09:17:18 |
kitsunyan | But at least it was easy to preserve the order | 09:17:51 |
kitsunyan | Oh, nice. | 10:01:06 |
kitsunyan | It seems I got the same APK file | 10:01:17 |
wb9688 | kitsunyan: With v2? If so, nice! | 11:31:10 |
kitsunyan | No, I didn't try to extract v2 keys. | 11:32:08 |
kitsunyan | I just wanted to unpack the apk and then pack it back. It was signed with v1 key only. | 11:32:54 |
wb9688 | Ah, v1-only | 11:33:19 |
kitsunyan | This is still important. | 11:33:43 |
kitsunyan | It means it's possible to unpack a built on buildserver apk which may contain entries in different order. | 11:35:10 |
kitsunyan | And then pack it in the same order as in provided apk (or as in MANIFEST.MF, I suppose) | 11:35:50 |
kitsunyan | And it should be the same apk (without v2 key, which can be extracted and appended to the end of the apk) | 11:36:37 |
kitsunyan | The only problem is that MANIFEST.MF doesn't contain all files. | 11:37:15 |
kitsunyan | I'll make some tests later | 11:37:31 |
_hc | for reproducible builds using v2/v3 sigs, I think the approach that will work will be reproducing the build environment, e.g. a ".buildinfo" file to describe all the important bits | 11:37:57 |
_hc | Google has already been moving the gradle tools in that direction, so there isn't so much that needs to be controlled. | 11:38:37 |
_hc | probably the Java version really | 11:38:44 |
_hc | for example, the standard build env generally declares which versions of Gradle, Gradle Android Plugin, build-tools, and NDK | 11:39:51 |
kitsunyan | In this case it would make sense to use .buildinfo for all reproducible builds, not only v2/v3 | 11:40:30 |
kitsunyan | It's also not clear how build results depend on environment | 11:40:58 |
_hc | yes sure, but it's much easier to reproduce APKs when the standard is the v1 sig | 11:41:03 |
kitsunyan | I still don't know why resource shrinker failed on buildserver, it was the same java version, the same build tools version, etc | 11:41:46 |
_hc | with a buildserver instance, it's pretty easy to run controlled build variants to see what differs | 11:41:50 |
_hc | that's the idea of the jobs on jenkins.debian.net | 11:42:00 |
_hc | PNG crunching is non-deterministic | 11:42:11 |