android icon indicating copy to clipboard operation
android copied to clipboard
verified publisher icon NativeScript

buildMetaData task doesn't generate reproducible binaries

Open mohammadrafigh opened this issue 1 month ago • 0 comments

Environment Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project):

  • CLI: 9.0.1
  • Cross-platform modules:
  • Android Runtime: 8.9.2 and 9.0.0
  • iOS Runtime (if applicable): -
  • Plugin(s): -

Describe the bug buildMetaData task generates metadata binaries that are not deterministic and reproducible, Even with the same --compileSdk version set and exact Java, SDK, etc.. So, security checks will fail specially in opensource app stores like IzzyOnDroid and F-Droid. The issue might be related to using methods like listFiles() without performing a sort on files or maybe different locale properties, I'm just guessing from my researches. I've attached a diffoscope result to see the difference.

diff-with-upstream.html

To Reproduce

  • Generate an APK locally
  • Generate the same APK using a docker/podman container or Github actions
  • diff the results using any tool like diffoscope

Expected behavior The metadata binaries should be exactly same for a specific compileSdk without considering which environment its running the buildMetaData task.

mohammadrafigh avatar Nov 27 '25 12:11 mohammadrafigh