From 9b45f449d4aef9d353814f2dc24c2f4e576e7d92 Mon Sep 17 00:00:00 2001 From: shum Date: Wed, 3 Dec 2025 08:10:55 +0000 Subject: [PATCH] nix: make android library reproducible --- flake.nix | 51 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/flake.nix b/flake.nix index 49fbd5143c..9a3ae7e1b2 100644 --- a/flake.nix +++ b/flake.nix @@ -41,14 +41,29 @@ }; sha256map = import ./scripts/nix/sha256map.nix; modules = [ - ({ pkgs, lib, ...}: lib.mkIf (!pkgs.stdenv.hostPlatform.isWindows) { - # This patch adds `dl` as an extra-library to direct-sqlciper, which is needed - # on pretty much all unix platforms, but then blows up on windows m( - packages.direct-sqlcipher.patches = [ ./scripts/nix/direct-sqlcipher-2.3.27.patch ]; - }) - ({ pkgs,lib, ... }: lib.mkIf (pkgs.stdenv.hostPlatform.isAndroid) { - packages.simplex-chat.components.library.ghcOptions = [ "-pie" ]; - })] ++ extra-modules; + ({ pkgs, lib, config, ... }: + { + # Override ghcOptions for ALL packages + ghcOptions = lib.mkDefault [ + "-optl-Wl,--build-id=none" + "-optl-Wl,--sort-common" + "-optc-fdebug-prefix-map=/=." + "-j1" + "-dinitial-unique=8388608" + "-dunique-increment=-1" + ]; + } + ) + + ({ pkgs, lib, ...}: lib.mkIf (!pkgs.stdenv.hostPlatform.isWindows) { + # This patch adds `dl` as an extra-library to direct-sqlciper, which is needed + # on pretty much all unix platforms, but then blows up on windows m( + packages.direct-sqlcipher.patches = [ ./scripts/nix/direct-sqlcipher-2.3.27.patch ]; + }) + + ({ pkgs,lib, ... }: lib.mkIf (pkgs.stdenv.hostPlatform.isAndroid) { + packages.simplex-chat.components.library.ghcOptions = [ "-pie" ]; + })] ++ extra-modules; }; in # by defualt we don't need to pass extra-modules. let drv = pkgs': drv' { extra-modules = []; inherit pkgs'; }; in @@ -452,12 +467,6 @@ ./scripts/nix/direct-sqlcipher-android-log.patch ]; packages.simplex-chat.flags.client_library = true; - # Determenistic builds - packages.simplex-chat.components.library.ghcOptions = [ - "-j1" - "-dinitial-unique=0" - "-dunique-increment=1" - ]; packages.simplexmq.flags.client_library = true; packages.simplexmq.components.library.libs = pkgs.lib.mkForce [ (androidPkgs.openssl.override { static = true; }) @@ -483,6 +492,12 @@ # "-debug" "-optl-lffi" "-optl-Wl,-z,max-page-size=16384" + "-optl-Wl,--build-id=none" + "-optl-Wl,--sort-common" + "-optc-fdebug-prefix-map=/=." + "-j1" + "-dinitial-unique=8388608" + "-dunique-increment=-1" ] # This is fairly idiotic. LLD will strip out foreign exported # symbols (a GHC bug? Codegen bug?). So we need to pass `-u ` @@ -549,10 +564,12 @@ ${pkgs.tree}/bin/tree $out/_pkg - # Set all files to init timestamp for determenistic zip archive - find $out/_pkg -type f -exec touch -d "1970-01-01 00:00:00 UTC" {} + + # Normalize permissions + timestamps + find "$out/_pkg" -type f -exec chmod 644 {} + + find "$out/_pkg" -type d -exec chmod 755 {} + + find "$out/_pkg" -exec touch -h -d '@0' {} + - (cd $out/_pkg; ${pkgs.zip}/bin/zip -r -9 $out/pkg-aarch64-android-libsimplex.zip *) + (cd $out/_pkg; ${pkgs.zip}/bin/zip -r -9 -X $out/pkg-aarch64-android-libsimplex.zip *) rm -fR $out/_pkg mkdir -p $out/nix-support echo "file binary-dist \"$(echo $out/*.zip)\"" \