dandri/simplex-chat
1
0
Fork 0
mirror of https://github.com/simplex-chat/simplex-chat.git synced 2026-04-01 05:16:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master-android
simplex-chat/scripts/simplex-chat-reproduce-builds-android.sh
sh 32a9b29666 scripts: sysctl adjustments in reproducible-builds-android (#6583) 
* scripts: sysctl adjustments in reproducible-builds-android

* scripts/reproduce-builds-android: better errors and sudo only if sysctl

* scripts/reproduce-builds-android: set max_pid var early and fix sysctl
2026-01-19 09:33:39 +00:00

278 lines
7.5 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env sh
set -eu
SIMPLEX_KEY='3C:52:C4:FD:3C:AD:1C:07:C9:B0:0A:70:80:E3:58:FA:B9:FE:FC:B8:AF:5A:EC:14:77:65:F1:6D:0F:21:AD:85'
REPO_NAME="simplex-chat"
REPO="https://github.com/simplex-chat/${REPO_NAME}"
IMAGE_NAME='sx-local-android'
CONTAINER_NAME='sx-builder-android'
DOCKER_PATH_PROJECT='/project'
DOCKER_PATH_VERIFY='/verify'
export DOCKER_BUILDKIT=1
SIMPLEX_REPO='simplex-chat/simplex-chat'
CMDS="curl git docker"
INIT_DIR="$PWD"
TEMPDIR="$(mktemp -d)"
PID_MAX_ORIGINAL="$(sysctl -n kernel.pid_max)"
ARCHES="${ARCHES:-aarch64 armv7a}"
COLOR_CYAN="\033[36m"
COLOR_RESET="\033[0m"
SUFFIX_BUILT='built'
SUFFIX_DOWNLOADED='downloaded'
SUFFIX_BUILT_WITH_SIGNATURE='built-with-downloaded-signature'
cleanup() {
rm -rf -- "${TEMPDIR}"
docker rm --force "${CONTAINER_NAME}" 2>/dev/null || :
docker image rm "${IMAGE_NAME}" 2>/dev/null || :
if [ "$(sysctl -n kernel.pid_max)" != "$PID_MAX_ORIGINAL" ]; then
printf 'Adjusting kernel.pid_max back to original value...\n'
if $SUDO sysctl kernel.pid_max="$PID_MAX_ORIGINAL"; then
printf 'Successfully adjusted kernel.pid_max\n'
else
printf 'Failed to adjust kernel.pid_max. Please set the value manually with: %s sysctl kernel.pid_max=%s\n' "$SUDO" "$PID_MAX_ORIGINAL"
fi
fi
}
trap 'cleanup' EXIT INT
check() {
commands="$1"
set +u
for i in $commands; do
if ! command -v "$i" > /dev/null 2>&1; then
commands_failed="$i $commands_failed"
fi
done
if [ -n "$commands_failed" ]; then
commands_failed=${commands_failed% *}
printf "%s is not found in your \$PATH. Please install them and re-run the script.\n" "$commands_failed"
exit 1
fi
if [ "$PID_MAX_ORIGINAL" -gt 65535 ]; then
SUDO=$(command -v sudo || command -v doas) || { echo "No sudo or doas"; exit 1; }
printf 'Adjusting kernel.pid_max value to 65535...\n'
if $SUDO sysctl kernel.pid_max=65535; then
printf 'Successfully adjusted kernel.pid_max\n'
else
printf 'Failed to adjust kernel.pid_max, aborting.\n'
exit 1
fi
fi
set -u
}
download_apk() {
tag="$1"
filename="$2"
file_out="$3"
curl -L "${REPO}/releases/download/${tag}/${filename}" -o "$file_out"
}
setup_git() {
workdir="$1"
name="$2"
git -C "$workdir" clone "${REPO}.git" "$name"
}
checkout_git() {
git_dir="$1"
tag="$2"
git -C "$git_dir" reset --hard
git -C "$git_dir" clean -dfx
git -C "$git_dir" checkout "$tag"
}
check_apk() {
apk_name="$1"
expected="$2"
actual=$(docker exec "${CONTAINER_NAME}" apksigner verify --print-certs "${DOCKER_PATH_VERIFY}/${apk_name}" | grep 'SHA-256' | awk '{print $NF}' | fold -w2 | paste -sd: | tr '[:lower:]' '[:upper:]')
if [ "$expected" = "$actual" ]; then
return 0
else
return 1
fi
}
verify_apk() {
apk_name="$1"
# https://github.com/obfusk/apksigcopier?tab=readme-ov-file#what-about-signatures-made-by-apksigner-from-build-tools--3500-rc1
docker exec "${CONTAINER_NAME}" repro-apk zipalign --page-size 16 --pad-like-apksigner --replace "${DOCKER_PATH_VERIFY}/${apk_name}.${SUFFIX_BUILT}" \
"${DOCKER_PATH_VERIFY}/${apk_name}.aligned"
docker exec "${CONTAINER_NAME}" mv "${DOCKER_PATH_VERIFY}/${apk_name}.aligned" \
"${DOCKER_PATH_VERIFY}/${apk_name}.${SUFFIX_BUILT}"
docker exec "${CONTAINER_NAME}" apksigcopier copy "${DOCKER_PATH_VERIFY}/${apk_name}.${SUFFIX_DOWNLOADED}" \
"${DOCKER_PATH_VERIFY}/${apk_name}.${SUFFIX_BUILT}" \
"${DOCKER_PATH_VERIFY}/${apk_name}.${SUFFIX_BUILT_WITH_SIGNATURE}"
downloaded_apk_hash=$(docker exec "${CONTAINER_NAME}" sha256sum "${DOCKER_PATH_VERIFY}/${apk_name}.${SUFFIX_DOWNLOADED}" | awk '{print $1}')
built_apk_hash=$(docker exec "${CONTAINER_NAME}" sha256sum "${DOCKER_PATH_VERIFY}/${apk_name}.${SUFFIX_BUILT_WITH_SIGNATURE}" | awk '{print $1}')
if [ "$downloaded_apk_hash" = "$built_apk_hash" ]; then
return 0
else
return 1
fi
}
print_vercode() {
build_dir="$1"
awk -F'=' '/android.version_code=/ {print $2}' "${build_dir}/apps/multiplatform/gradle.properties"
}
setup_container() {
dir_git="$1"
dir_apk="$2"
docker build \
--no-cache \
-f "${dir_git}/Dockerfile.build" \
-t "${IMAGE_NAME}" \
--build-arg=USER_UID="$(id -u)" \
--build-arg=USER_GID="$(id -g)" \
.
# Run container in background
docker run -t -d \
--name "${CONTAINER_NAME}" \
--device /dev/fuse \
--cap-add SYS_ADMIN \
--security-opt apparmor:unconfined \
--security-opt seccomp:unconfined \
-v "${dir_git}:${DOCKER_PATH_PROJECT}" \
-v "${dir_apk}:${DOCKER_PATH_VERIFY}" \
"${IMAGE_NAME}"
}
build_apk() {
arch="$1"
vercode="$2"
apk_out="simplex-${arch}.apk.${SUFFIX_BUILT}"
# Gradle setup
docker exec -i "${CONTAINER_NAME}" sh << EOF
cd $DOCKER_PATH_PROJECT/apps/multiplatform
./gradlew
EOF
docker exec -i "${CONTAINER_NAME}" sh << EOF
GRADLE_BIN=\$(find \$HOME/.gradle/wrapper/dists -name "gradle" -type f -executable 2>/dev/null | head -1)
GRADLE_DIR=\$(dirname "\$GRADLE_BIN")
export PATH="\$GRADLE_DIR:\$PATH"
ARCHES="$arch" ./scripts/android/build-android.sh -gs "$vercode" || ARCHES="$arch" ./scripts/android/build-android.sh -gs "$vercode"
APK_FILE=\$(find . -maxdepth 1 -type f -name '*.apk')
mv "\$APK_FILE" $DOCKER_PATH_VERIFY/$apk_out
EOF
}
main() {
tag="$1"
build_directory="${TEMPDIR}/${REPO_NAME}"
final_directory="$INIT_DIR/${tag}-${REPO_NAME}"
apk_directory="${final_directory}/android"
printf 'This script will:
1) build docker container.
2) download APK from GitHub and validate signatures.
3) build core library with nix (12-24 hours).
4) build APK and compare with downloaded one
The script will ask for sudo password to adjust kernel.pid_max (needed for armv7a build)
and set it back to otiginal value when the build is done.
Continue?'
read _
check "$CMDS"
mkdir -p "${apk_directory}"
# Setup initial git for Dockerfile.build
setup_git "$TEMPDIR" "$REPO_NAME"
checkout_git "$build_directory" "$tag"
printf "${COLOR_CYAN}Building Docker container...${COLOR_RESET}\n"
setup_container "$build_directory" "$apk_directory"
# Check phase
for arch in $ARCHES; do
filename="simplex-${arch}.apk"
download_apk "$tag" "$filename" "${apk_directory}/${filename}.${SUFFIX_DOWNLOADED}"
if check_apk "${filename}.${SUFFIX_DOWNLOADED}" "$SIMPLEX_KEY"; then
printf "${COLOR_CYAN}APK for %s is signed by valid key.${COLOR_RESET}\n" "$arch"
else
printf "${COLOR_CYAN}Signature of APK for %s is invalid., aborting the script.${COLOR_RESET}\n" "$arch"
exit 1
fi
done
# Build phase
for arch in $ARCHES; do
case "$arch" in
armv7a)
build_tag="${tag}-armv7a"
;;
aarch64)
build_tag="${tag}"
;;
*)
printf "${COLOR_CYAN}Unknown architecture: %s! Skipping the build...${COLOR_RESET}\n" "$arch"
continue
esac
# Setup the code
checkout_git "$build_directory" "$build_tag"
vercode=$(print_vercode "$build_directory")
printf "${COLOR_CYAN}Building APK for for %s...${COLOR_RESET}\n" "$arch"
build_apk "$arch" "$vercode"
done
# Verification phase
for arch in $ARCHES; do
filename="simplex-${arch}.apk"
if ! verify_apk "$filename"; then
printf "${COLOR_CYAN}Failed to verify %s! Aborting.\n${COLOR_RESET}" "$filename"
exit 1
fi
done
printf "${COLOR_CYAN}%s is reproducible.${COLOR_RESET}\n" "$tag"
cleanup
}
main "$@"
Reference in New Issue View Git Blame Copy Permalink