apksigner wrapper for Yubikey signatures #101
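# Reproducibility gate: compares the APKs produced by the build and fdroid
# reusable workflows and fails when they differ in anything but the signature.
name: Reproducibility

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch: {}

jobs:
  # NOTE(review): on pull_request events both reusable workflows receive the
  # PR head repository and SHA, which for fork PRs is contributor-controlled.
  # Presumably they check out and build that ref; confirm that neither has
  # access to signing keys or other secrets.
  build:
    uses: ./.github/workflows/build.yml
    with:
      ref_sha: ${{ github.event_name == 'pull_request'
        && github.event.pull_request.head.sha || github.sha }}
      repo_full_name: ${{ github.event_name == 'pull_request'
        && github.event.pull_request.head.repo.full_name || github.repository }}

  fdroid:
    uses: ./.github/workflows/fdroid.yml
    with:
      ref_sha: ${{ github.event_name == 'pull_request'
        && github.event.pull_request.head.sha || github.sha }}
      repo_full_name: ${{ github.event_name == 'pull_request'
        && github.event.pull_request.head.repo.full_name || github.repository }}

  repro:
    name: Reproducibility Check
    needs: [build, fdroid]
    runs-on: ubuntu-24.04
    # This job only exchanges artifacts within the current run and parses APKs
    # that may originate from a fork PR, so it is given no GITHUB_TOKEN scopes.
    permissions: {}
    steps:
      # The artifact actions below are referenced by a mutable tag (v4).
      # Pinning them to a full commit SHA would keep a moved tag from changing
      # what runs inside the verifier.
      - name: Download Build artifact (ubuntu-22.04)
        uses: actions/download-artifact@v4
        with:
          name: app-release-ubuntu-22.04
          path: artifacts/ubuntu-22.04

      - name: Download Build artifact (ubuntu-24.04)
        uses: actions/download-artifact@v4
        with:
          name: app-release-ubuntu-24.04
          path: artifacts/ubuntu-24.04

      - name: Download F-Droid artifact
        uses: actions/download-artifact@v4
        with:
          name: fdroids
          path: artifacts/fdroid

      # Logged so a reviewer can see exactly which files were compared.
      - name: Show artifact tree
        run: |
          set -euo pipefail
          find artifacts -maxdepth 4 -type f -print

      # Tool versions come from the runner's Ubuntu archive and are not pinned.
      - name: Install tools
        run: |
          set -euxo pipefail
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends \
            apksigner apksigcopier androguard apktool diffoscope \
            libarchive-tools default-jre-headless

      # Gating check: a mismatch here fails the job.
      - name: Compare 22.04 vs 24.04
        run: |
          set -euo pipefail
          A=./artifacts/ubuntu-22.04/app-release.apk
          B=./artifacts/ubuntu-24.04/app-release.apk
          # Two separate statements: in `test -f A && test -f B` a missing A
          # does not trip `set -e`, because only the last command of an &&
          # list is checked.
          test -f "$A"
          test -f "$B"
          # apksigcopier compare copies the signature of the first APK onto a
          # copy of the second and verifies the result, so it passes only when
          # the two APKs match apart from the signature.
          apksigcopier compare "$A" "$B"

      # Gating check: both local builds must match the F-Droid build.
      - name: Compare vs F-Droid repo APK
        run: |
          set -euo pipefail
          A=./artifacts/ubuntu-22.04/app-release.apk
          B=./artifacts/ubuntu-24.04/app-release.apk
          # F-Droid puts signed APKs in repo/, pick the newest one.
          # NOTE(review): "newest" is decided by mtime as seen after the
          # artifact download; if repo/ can hold more than one APK, select it
          # by its expected file name instead. Confirm against fdroid.yml.
          F=$(ls -t ./artifacts/fdroid/repo/*.apk | head -n1)
          echo "Comparing against F-Droid APK: $F"
          apksigcopier compare "$A" "$F"
          apksigcopier compare "$B" "$F"

      # The diffoscope steps are informational only. They run even after a
      # failed comparison (`if: always()`) and never fail the job
      # (`continue-on-error` plus `|| true`); the verdict comes from the
      # apksigcopier steps above.
      - name: diffoscope (22.04 vs 24.04)
        if: always()
        continue-on-error: true
        run: |
          set -euo pipefail
          A=artifacts/ubuntu-22.04/app-release.apk
          B=artifacts/ubuntu-24.04/app-release.apk
          diffoscope "$A" "$B" > diffoscope-22-vs-24.txt || true

      - name: diffoscope (22.04 vs F-Droid)
        if: always()
        continue-on-error: true
        run: |
          set -euo pipefail
          A=artifacts/ubuntu-22.04/app-release.apk
          F=$(ls -t artifacts/fdroid/repo/*.apk | head -n1)
          diffoscope "$A" "$F" > diffoscope-22-vs-fdroid.txt || true

      - name: diffoscope (24.04 vs F-Droid)
        if: always()
        continue-on-error: true
        run: |
          set -euo pipefail
          B=artifacts/ubuntu-24.04/app-release.apk
          F=$(ls -t artifacts/fdroid/repo/*.apk | head -n1)
          diffoscope "$B" "$F" > diffoscope-24-vs-fdroid.txt || true

      # Reports are kept for a week so a failed comparison can be diagnosed.
      - name: Upload reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: reproducibility-reports
          path: |
            diffoscope-22-vs-24.txt
            diffoscope-22-vs-fdroid.txt
            diffoscope-24-vs-fdroid.txt
          retention-days: 7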