diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eab6deb28..98e8f6692 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,13 +30,17 @@ jobs: - uses: actions/setup-java@v4 with: distribution: "zulu" - java-version: "17" + java-version: "21" - name: Fetch secrets run: | curl -u ${{ secrets.BASIC_AUTH }} -o android/app/app.key ${{ secrets.URL_PREFIX }}app.key curl -u ${{ secrets.BASIC_AUTH }} -o android/key.properties ${{ secrets.URL_PREFIX }}key.properties - name: Build + env: + LDFLAGS: -Wl,--build-id=none run: dart run fl_build -p android + - name: Verify F-Droid native libraries + run: scripts/release/verify-fdroid-native-libs.sh - name: Rename for fdroid shell: bash run: | diff --git a/pubspec.lock b/pubspec.lock index 601888f9c..ec7f8e189 100644 --- a/pubspec.lock +++ b/pubspec.lock @@ -918,10 +918,10 @@ packages: dependency: transitive description: name: matcher - sha256: "12956d0ad8390bbcc63ca2e1469c0619946ccb52809807067a7020d57e647aa6" + sha256: dc0b7dc7651697ea4ff3e69ef44b0407ea32c487a39fff6a4004fa585e901861 url: "https://pub.dev" source: hosted - version: "0.12.18" + version: "0.12.19" material_color_utilities: dependency: transitive description: @@ -1506,26 +1506,26 @@ packages: dependency: "direct dev" description: name: test - sha256: "54c516bbb7cee2754d327ad4fca637f78abfc3cbcc5ace83b3eda117e42cd71a" + sha256: "280d6d890011ca966ad08df7e8a4ddfab0fb3aa49f96ed6de56e3521347a9ae7" url: "https://pub.dev" source: hosted - version: "1.29.0" + version: "1.30.0" test_api: dependency: transitive description: name: test_api - sha256: "93167629bfc610f71560ab9312acdda4959de4df6fac7492c89ff0d3886f6636" + sha256: "8161c84903fd860b26bfdefb7963b3f0b68fee7adea0f59ef805ecca346f0c7a" url: "https://pub.dev" source: hosted - version: "0.7.9" + version: "0.7.10" test_core: dependency: transitive description: name: test_core - sha256: "394f07d21f0f2255ec9e3989f21e54d3c7dc0e6e9dbce160e5a9c1a6be0e2943" + sha256: "0381bd1585d1a924763c308100f2138205252fb90c9d4eeaf28489ee65ccde51" url: "https://pub.dev" source: hosted - version: "0.6.15" + version: "0.6.16" tuple: dependency: transitive description: diff --git a/scripts/release/verify-fdroid-native-libs.sh b/scripts/release/verify-fdroid-native-libs.sh new file mode 100755 index 000000000..b9084d23f --- /dev/null +++ b/scripts/release/verify-fdroid-native-libs.sh @@ -0,0 +1,69 @@ +#!/bin/bash +set -euo pipefail + +SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)" +APK_DIR="${APK_DIR:-$REPO_ROOT/build/app/outputs/flutter-apk}" +APP_NAME="${APP_NAME:-ServerBox}" + +require_cmd() { + local name="$1" + if ! command -v "$name" >/dev/null 2>&1; then + echo "command not found: $name" >&2 + exit 1 + fi +} + +require_cmd find +require_cmd readelf +require_cmd unzip + +shopt -s nullglob + +tmp_dir="$(mktemp -d)" +trap 'rm -rf "$tmp_dir"' EXIT + +failures=() +apks=() +patterns=( + "${APP_NAME}_*_arm64.apk" + "${APP_NAME}_*_arm.apk" + "${APP_NAME}_*_amd64.apk" +) + +for pattern in "${patterns[@]}"; do + matches=("$APK_DIR"/$pattern) + if [[ ${#matches[@]} -ne 1 ]]; then + echo "expected exactly 1 APK for pattern: $pattern" >&2 + echo "found ${#matches[@]} matches" >&2 + echo "APK_DIR: $APK_DIR" >&2 + if [[ ${#matches[@]} -gt 0 ]]; then + printf ' %s\n' "${matches[@]}" >&2 + else + ls -la "$APK_DIR" || true + fi + exit 1 + fi + apks+=("${matches[0]}") +done + +for apk in "${apks[@]}"; do + apk_name="$(basename "$apk")" + extract_dir="$tmp_dir/$apk_name" + mkdir -p "$extract_dir" + unzip -qq "$apk" "lib/*/*.so" -d "$extract_dir" + + while IFS= read -r so_file; do + if readelf -n "$so_file" | grep -q 'Build ID'; then + failures+=("$apk_name:${so_file#$extract_dir/}") + fi + done < <(find "$extract_dir" -type f -name '*.so' | sort) +done + +if [[ ${#failures[@]} -ne 0 ]]; then + echo 'native libraries still contain ELF build-id notes:' >&2 + printf ' %s\n' "${failures[@]}" >&2 + exit 1 +fi + +echo 'F-Droid native library verification passed.'