corona-contact-tracing-germany
/
cwa-android
Archived
28
137
Fork 10
Code Issues 36 Pull Requests Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
This repo is archived. You can view files and clone it, but cannot push or open issues/pull-requests.
main
fdroid_build
debug_reproducible_builds
v3.1.1.0
v2.28.3.1
v2.28.3.0
v2.26.0.0
v2.25.0.0
v2.24.2.1
v2.21.1.2
v2.21.1.1
v2.14.1.4-dev
v2.14.1.3
v2.14.1.2
v2.14.1.1
v2.14.1.0
v2.6.1.0
v2.5.1.0
v2.4.3.0
v2.3.4.1
v2.2.1.1
v2.2.1.0
v2.1.2.2
v2.0.5.0
v2.0.3.0
v2.0.2.0-rc1
v1.15.1.0
v1.14.3.0
v1.13.2.3
v1.13.2.2
v1.13.2.1
v1.13.2.0
v1.12.0.0
v1.11.0.8
v1.10.1.1
v1.10.1.0-beta
v1.9.1.6
v1.9.1.5
v1.9.1.4
v1.9.1.3
v1.7.1.2
v1.7.1.1
temp1
v1.9.1.2
v2.10.1.0
v2.11.2.0
v2.18.1.0
v2.21.1.0
v2.23.2.0
v2.24.2.0
v2.27.2.0
v2.8.0.0
v2.8.0.4
v2.9.0.0
v3.0.1.0
v3.1.1.1
vTest-Screenshots
vTest-Screenshots-250
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
cwa-android/docs/rebuilding.md

2.5 KiB
Raw Permalink Blame History

How to rebuild Corona Contact Tracing Germany

The CCTG app can be built reproducibly. This means that you can re-run the build instructions and arrive at the very same binary that we publish[1].

The upstream CWA build was not reproducible before cwa-app-android/#2800 was merged due to a non-deterministic android vector graphics → png generation. To workaround this, we pre-generated all PNG graphics for CCTG and included them in the source tree, but this is now no longer necessary.

We found and reported a bug in the desugaring tool in the android toolchain, which was subsequently fixed by google. Additionally the navigation-safe-args toolchain doesn't always produce deterministic navigation classes, this is tracked at google here, meanwhile our workaround for this has been to replace all top-level (outside a fragment) navigation actions with fragment level actions.

You can recreate the build by using the following docker container. The docker build system is mostly provided for convenience. Rebuilds should work with fdroid build -l de.corona.tracing on any properly configured build system[2].

cd docs
docker build --no-cache -t cctg-builder .
docker run -it --volume ${PWD}/repo:/repo cctg-builder

After that you should have the latest apk in ./repo

[1] Android apks are signed with an embedded signature. This means the final apk has to be reproduced with some trickery as a rebuilder is not in possession of the private key to re-generate the signature. Currently this works by recreating an unsigned build, transplanting signature of the apk to-rebuild and then verifying this signature on the newly assembled apk. If this passes, the apk is identical and we can publish it.

[2] The docker build uses an experimental fdroidserver version which is able to automatically download the Android NDK dependency as well as generally having better defaults. In general you'll need: