nix: make android library reproducible (#6486)

* nix: make android aarch64 library reproducible * src/Operators: embed PRIVACY.md without full paths * nix: make android library reproducible * Update src/Simplex/Chat/Operators.hs Co-authored-by: Evgeny <evgeny@poberezkin.com> * nix: remove unnecessary flags and apply changes to armv7a * nix: strip libraries from debug symbols * nix: strip before timestamp normalization * nix: set epoch to 1764547200 --------- Co-authored-by: Evgeny <evgeny@poberezkin.com>
2026-03-30 05:40:00 +00:00 · 2025-12-10 09:50:26 +00:00
parent c5a69a4950
commit 267e680698
2 changed files with 41 additions and 11 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -41,14 +41,24 @@
        };
        sha256map = import ./scripts/nix/sha256map.nix;
        modules = [
-        ({ pkgs, lib, ...}: lib.mkIf (!pkgs.stdenv.hostPlatform.isWindows) {
-          # This patch adds `dl` as an extra-library to direct-sqlciper, which is needed
-          # on pretty much all unix platforms, but then blows up on windows m(
-          packages.direct-sqlcipher.patches = [ ./scripts/nix/direct-sqlcipher-2.3.27.patch ];
-        })
-        ({ pkgs,lib, ... }: lib.mkIf (pkgs.stdenv.hostPlatform.isAndroid) {
-          packages.simplex-chat.components.library.ghcOptions = [ "-pie" ];
-        })] ++ extra-modules;
+          ({ pkgs, lib, config, ... }:
+            {
+              # Override ghcOptions for ALL packages
+              ghcOptions = lib.mkDefault [
+                "-j1"
+              ];
+            }
+          )
+
+          ({ pkgs, lib, ...}: lib.mkIf (!pkgs.stdenv.hostPlatform.isWindows) {
+            # This patch adds `dl` as an extra-library to direct-sqlciper, which is needed
+            # on pretty much all unix platforms, but then blows up on windows m(
+            packages.direct-sqlcipher.patches = [ ./scripts/nix/direct-sqlcipher-2.3.27.patch ];
+          })
+
+          ({ pkgs,lib, ... }: lib.mkIf (pkgs.stdenv.hostPlatform.isAndroid) {
+            packages.simplex-chat.components.library.ghcOptions = [ "-pie" ];
+          })] ++ extra-modules;
      }; in
      # by defualt we don't need to pass extra-modules.
      let drv = pkgs': drv' { extra-modules = []; inherit pkgs'; }; in
@@ -368,6 +378,7 @@
                  "-threaded"
                  # "-debug"
                  "-optl-lffi"
+                  "-j1"
                ]
                # This is fairly idiotic. LLD will strip out foreign exported
                # symbols (a GHC bug? Codegen bug?). So we need to pass `-u <sym>`
@@ -433,7 +444,16 @@
                  done

                  ${pkgs.tree}/bin/tree $out/_pkg
-                  (cd $out/_pkg; ${pkgs.zip}/bin/zip -r -9 $out/pkg-armv7a-android-libsimplex.zip *)
+
+                  # Strip from debug symbols
+                  find "$out/_pkg" -type f -name "*.so" -exec ${android32Pkgs.stdenv.cc.targetPrefix}strip --strip-unneeded {} +
+
+                  # Normalize permissions + timestamps
+                  find "$out/_pkg" -type f -exec chmod 644 {} +
+                  find "$out/_pkg" -type d -exec chmod 755 {} +
+                  find "$out/_pkg" -exec touch -h -d '@1764547200' {} +
+
+                  (cd $out/_pkg; ${pkgs.zip}/bin/zip -r -9 -X $out/pkg-armv7a-android-libsimplex.zip *)
                  rm -fR $out/_pkg
                  mkdir -p $out/nix-support
                  echo "file binary-dist \"$(echo $out/*.zip)\"" \
@@ -477,6 +497,7 @@
                  # "-debug"
                  "-optl-lffi"
                  "-optl-Wl,-z,max-page-size=16384"
+                  "-j1"
                ]
                # This is fairly idiotic. LLD will strip out foreign exported
                # symbols (a GHC bug? Codegen bug?). So we need to pass `-u <sym>`
@@ -542,7 +563,16 @@
                  done

                  ${pkgs.tree}/bin/tree $out/_pkg
-                  (cd $out/_pkg; ${pkgs.zip}/bin/zip -r -9 $out/pkg-aarch64-android-libsimplex.zip *)
+
+                  # Strip from debug symbols
+                  find "$out/_pkg" -type f -name "*.so" -exec ${androidPkgs.stdenv.cc.targetPrefix}strip --strip-unneeded {} +
+
+                  # Normalize permissions + timestamps
+                  find "$out/_pkg" -type f -exec chmod 644 {} +
+                  find "$out/_pkg" -type d -exec chmod 755 {} +
+                  find "$out/_pkg" -exec touch -h -d '@1764547200' {} +
+
+                  (cd $out/_pkg; ${pkgs.zip}/bin/zip -r -9 -X $out/pkg-aarch64-android-libsimplex.zip *)
                  rm -fR $out/_pkg
                  mkdir -p $out/nix-support
                  echo "file binary-dist \"$(echo $out/*.zip)\"" \
--- a/src/Simplex/Chat/Operators.hs
+++ b/src/Simplex/Chat/Operators.hs
@@ -63,7 +63,7 @@ previousConditionsCommit = "a5061f3147165a05979d6ace33960aced2d6ac03"

 usageConditionsText :: Text
 usageConditionsText =
-  $( let s = $(embedFile =<< makeRelativeToProject "PRIVACY.md")
+  $( let s = $(embedFile "PRIVACY.md")
      in [|stripFrontMatter $(lift (safeDecodeUtf8 s))|]
   )