Status Update
Comments
ad...@google.com <ad...@google.com>
je...@google.com <je...@google.com> #2
looks like we might need to sort lists before creating the dependencies info file in PerModuleReportDependenciesTask
hu...@google.com <hu...@google.com> #3
After debugging, I've found that most of the signing pipeline is deterministic, except for the SdkDependencyDataGeneratorTask.
Switching to a deterministic encryption algorithm is possible but will be less secure, as explained at
@Pankaj: What is your take on this issue?
le...@google.com <le...@google.com> #4
Thank you for the detailed analysis and sorry for the delayed answer!
Deterministic encryption makes sense to me, we'll run this option by the security team and see how we can make this backwards compatible.
ga...@google.com <ga...@google.com> #5
This bug is out of SLO for P1 bugs, minee@ can we please get an update on it?
Update: Reassigned based on Pierre's ask in chat.
ab...@google.com <ab...@google.com> #6
Unfortunately, we have been unable to prioritize this till now. We do have a quarterly backlog process in the team and we can aim to prioritize this one in Q1.
ga...@google.com <ga...@google.com> #7
Reducing priority to P2 as the AGP team cannot make this change on our own, and to match the priority of the team that owns this feature.
ab...@google.com <ab...@google.com>
al...@google.com <al...@google.com>
hu...@google.com <hu...@google.com> #8
@Abhijit: Could you help triage this issue / move it to the right bug component? Thanks!
ab...@google.com <ab...@google.com> #9
We have had a few re-orgs since the bug was filed. Passing it to Snezhana to triage.
Description
From https://developer.android.com/studio/build/dependencies#dependency-info-play :
The "Dependency Info Block" this adds to the APK Signing Block turns out to be different every time a signed APK is built -- even if the signature and everything else is bit-by-bit identical -- making the build not reproducible.
If I make 2 copies of an unsigned APK and sign each separately with apksigner (using the same RSA key) I get 2 bit-by-bit identical signed APKs. But if I use Android Studio (or a Gradle signing config) to build a signed APK (from the same commit and using the same signing key), it will add the Dependency Info Block, which is not deterministic, and thus I never get bit-by-bit identical signed APKs.
Since this block is "encrypted by a Google Play signing key", I have no way of inspecting it to find out what is different every time.
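One way to confirm which ID-value pair in the APK Signing Block actually changes between two otherwise identical signed builds, as an added Python example that is not part of this bug report, of apksigner or of AGP. It assumes the caller has already cut the signing block out of each APK (the bytes sitting just before the central directory), and the pair ID used for the dependency-info value in the constructed sample is an assumed placeholder, not a value taken from this page.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_SIGNATURE_ID = 0x7109871A   # APK Signature Scheme v2 pair ID (well known)
DEP_INFO_ID = 0x504B4453       # ASSUMED placeholder ID for the Play dependency-info pair

def build_signing_block(pairs):
    """Serialise {id: value} into APK Signing Block layout (used only to construct samples)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(body) + 8 + 16  # pairs + trailing size field + magic; excludes the leading size field
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC

def parse_signing_block(blob):
    """Return {id: value} from an APK Signing Block after checking both size fields and the magic."""
    if len(blob) < 32 or blob[-16:] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("not an APK Signing Block")
    (size,) = struct.unpack_from("<Q", blob, 0)
    (size2,) = struct.unpack_from("<Q", blob, len(blob) - 24)
    if size != size2 or size + 8 != len(blob):
        raise ValueError("inconsistent size fields")
    pairs, off, end = {}, 8, len(blob) - 24
    while off < end:
        length, pair_id = struct.unpack_from("<QI", blob, off)
        if length < 4 or off + 8 + length > end:
            raise ValueError("truncated ID-value pair")
        pairs[pair_id] = blob[off + 12 : off + 8 + length]
        off += 8 + length
    return pairs

def diff_signing_blocks(blob_a, blob_b):
    """IDs whose values differ (or exist on one side only) between two signing blocks.
    The encrypted dependency-info value stays opaque; this only pins down which pair moved."""
    a, b = parse_signing_block(blob_a), parse_signing_block(blob_b)
    return sorted(i for i in a.keys() | b.keys() if a.get(i) != b.get(i))

# Constructed samples: same v2 signature, different (ciphertext-like) dependency-info value.
BUILD_A = build_signing_block({V2_SIGNATURE_ID: b"same-v2-signature", DEP_INFO_ID: bytes(range(16))})
BUILD_B = build_signing_block({V2_SIGNATURE_ID: b"same-v2-signature", DEP_INFO_ID: bytes(range(16, 32))})

if __name__ == "__main__":
    print([hex(i) for i in diff_signing_blocks(BUILD_A, BUILD_B)])  # ['0x504b4453']
```

Running this against two real builds from the same commit narrows the non-reproducibility to a single pair ID, which is the evidence to attach when reporting it.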