Reproducible builds: APKs don't match!

[tibequadorian]

Is there an existing issue for this?

• I have searched the existing issues

Bug description

Tested reproducible builds -- APKs don't match!

Steps to reproduce

$ export VERSION=v7.8.1-1

...

$ python apkdiff/apkdiff.py Molly-$VERSION.apk outputs/apk/prodGmsWebsite/release/Molly-unsigned-$VERSION.apk
APKs differ on file assets/dexopt/baseline.prof! Files extracted to the mismatches/ directory.
APKs differ on file classes.dex! Files extracted to the mismatches/ directory.
APKs differ on file classes2.dex! Files extracted to the mismatches/ directory.
APKs differ on file classes3.dex! Files extracted to the mismatches/ directory.
APKs differ on file classes4.dex! Files extracted to the mismatches/ directory.
APKs differ on file classes5.dex! Files extracted to the mismatches/ directory.
APKs don't match!

$ python apkdiff/apkdiff.py Molly-$VERSION-FOSS.apk outputs/apk/prodFossWebsite/release/Molly-unsigned-$VERSION-FOSS.apk
APKs differ on file assets/dexopt/baseline.prof! Files extracted to the mismatches/ directory.
APKs differ on file classes.dex! Files extracted to the mismatches/ directory.
APKs differ on file classes2.dex! Files extracted to the mismatches/ directory.
APKs differ on file classes3.dex! Files extracted to the mismatches/ directory.
APKs differ on file classes4.dex! Files extracted to the mismatches/ directory.
APKs differ on file classes5.dex! Files extracted to the mismatches/ directory.
APKs don't match!

Molly version

v7.8.1-1

Android version

No response

Device

No response

Link to debug log

No response

[valldrac]

I believe the issue is with the navigation component, as the Signal team commented here.

Can you install diffuse and compare your APKs by running:

diffuse diff Molly-v7.8.1-1.apk outputs/apk/prodGmsWebsite/release/Molly-unsigned-v7.8.1-1.apk

[tibequadorian]

Yes, the output involves actionRestartToWelcomeFragment() as mentioned in the comment.
But how did it get through the reproducible GitHub action?

$ java -jar diffuse.jar diff Molly-v7.8.1-1.apk outputs/apk/prodGmsWebsite/release/Molly-unsigned-v7.8.1-1.apk
OLD: Molly-v7.8.1-1.apk (signature: V2, V3)
NEW: Molly-unsigned-v7.8.1-1.apk (signature: none)

          │            compressed            │            uncompressed            
          ├──────────┬──────────┬────────────┼───────────┬───────────┬────────────
 APK      │ old      │ new      │ diff       │ old       │ new       │ diff       
──────────┼──────────┼──────────┼────────────┼───────────┼───────────┼────────────
      dex │   14 MiB │   14 MiB │      +48 B │    36 MiB │    36 MiB │     -260 B 
     arsc │ 21.7 MiB │ 21.7 MiB │        0 B │  21.7 MiB │  21.7 MiB │        0 B 
 manifest │ 14.3 KiB │ 14.3 KiB │        0 B │  86.7 KiB │  86.7 KiB │        0 B 
      res │  3.1 MiB │  3.1 MiB │        0 B │   5.6 MiB │   5.6 MiB │        0 B 
   native │ 28.1 MiB │ 28.1 MiB │        0 B │  60.3 MiB │  60.3 MiB │        0 B 
    asset │  3.4 MiB │  3.4 MiB │      +86 B │   4.2 MiB │   4.2 MiB │      +82 B 
    other │  1.4 MiB │  1.1 MiB │ -304.5 KiB │   2.9 MiB │   2.2 MiB │ -740.8 KiB 
──────────┼──────────┼──────────┼────────────┼───────────┼───────────┼────────────
    total │ 71.7 MiB │ 71.4 MiB │ -304.4 KiB │ 130.8 MiB │ 130.1 MiB │ -740.9 KiB 


         │          raw           │            unique            
         ├────────┬────────┬──────┼────────┬────────┬────────────
 DEX     │ old    │ new    │ diff │ old    │ new    │ diff       
─────────┼────────┼────────┼──────┼────────┼────────┼────────────
   files │      5 │      5 │    0 │        │        │            
 strings │ 274756 │ 274756 │    0 │ 234394 │ 234394 │  0 (+1 -1) 
   types │  52826 │  52826 │    0 │  45009 │  45009 │  0 (+0 -0) 
 classes │  41625 │  41625 │    0 │  41625 │  41625 │  0 (+0 -0) 
 methods │ 269966 │ 269961 │   -5 │ 249923 │ 249918 │ -5 (+0 -5) 
  fields │ 124961 │ 124961 │    0 │ 122170 │ 122170 │  0 (+0 -0) 


 ARSC    │ old   │ new   │ diff 
─────────┼───────┼───────┼──────
 configs │   360 │   360 │  0   
 entries │ 15277 │ 15277 │  0   


=================
====   APK   ====
=================

       compressed       │     uncompressed      │                                
───────────┬────────────┼──────────┬────────────┤                                
 size      │ diff       │ size     │ diff       │ path                           
───────────┼────────────┼──────────┼────────────┼────────────────────────────────
           │ -153.4 KiB │          │ -369.8 KiB │ - META-INF/KEY0.SF             
           │ -149.9 KiB │          │ -369.7 KiB │ - META-INF/MANIFEST.MF         
           │   -1.2 KiB │          │   -1.3 KiB │ - META-INF/KEY0.RSA            
    50 KiB │      +82 B │ 49.9 KiB │      +82 B │ ∆ assets/dexopt/baseline.prof  
   3.2 MiB │      +38 B │  8.6 MiB │     -168 B │ ∆ classes4.dex                 
   3.1 MiB │      +10 B │  8.8 MiB │      -92 B │ ∆ classes3.dex                 
   3.3 MiB │       -5 B │    8 MiB │        0 B │ ∆ classes2.dex                 
   4.2 KiB │       +4 B │  4.1 KiB │        0 B │ ∆ assets/dexopt/baseline.profm 
   3.7 MiB │       +3 B │    9 MiB │        0 B │ ∆ classes.dex                  
 594.3 KiB │       +2 B │  1.6 MiB │        0 B │ ∆ classes5.dex                 
───────────┼────────────┼──────────┼────────────┼────────────────────────────────
  14.1 MiB │ -304.4 KiB │ 36.1 MiB │ -740.9 KiB │ (total)                        



 SIGNATURES │ old                                      │ new 
────────────┼──────────────────────────────────────────┼─────
         V2 │ 49ce310cdd0c09c8c34eb31a8005c6bf13f5a4f1 │     
         V3 │ 49ce310cdd0c09c8c34eb31a8005c6bf13f5a4f1 │     



=================
====   DEX   ====
=================

STRINGS:

   old    │ new    │ diff      
  ────────┼────────┼───────────
   234394 │ 234394 │ 0 (+1 -1) 
  
  + ~~R8{"backend":"dex","compilation-mode":"release","has-checksums":false,"min-api":26,"pg-map-id":"6f76764","r8-mode":"full","version":"8.0.46"}
  
  - ~~R8{"backend":"dex","compilation-mode":"release","has-checksums":false,"min-api":26,"pg-map-id":"8d60fee","r8-mode":"full","version":"8.0.46"}
  

METHODS:

   old    │ new    │ diff       
  ────────┼────────┼────────────
   249923 │ 249918 │ -5 (+0 -5) 
  
  - org.thoughtcrime.securesms.backup.v2.ui.restore.RestoreFromBackupFragmentDirections actionRestartToWelcomeFragment() → NavDirections
  - org.thoughtcrime.securesms.devicetransfer.newdevice.NewDeviceTransferCompleteFragmentDirections actionRestartToWelcomeFragment() → NavDirections
  - org.thoughtcrime.securesms.devicetransfer.newdevice.NewDeviceTransferFragmentDirections actionRestartToWelcomeFragment() → NavDirections
  - org.thoughtcrime.securesms.devicetransfer.newdevice.NewDeviceTransferInstructionsFragmentDirections actionRestartToWelcomeFragment() → NavDirections
  - org.thoughtcrime.securesms.devicetransfer.newdevice.NewDeviceTransferSetupFragmentDirections actionRestartToWelcomeFragment() → NavDirections
  

[valldrac]

But how did it get through the reproducible GitHub action?

This component adds a non-deterministic element to the build. Basically, it means the compiler arranges a list differently each time, likely based on the CPU's scheduling and RAM size. It just happens that this list was ordered the same way during the original APK build and the reproducibility test. I guess it's a 50/50 chance when the computers are different.