
fix: strip android native build ids for fdroid #1140

Merged: lollipopkit merged 4 commits into main from fix-fdroid-build, Apr 25, 2026

@lollipopkit lollipopkit commented Apr 25, 2026

Summary by CodeRabbit

  • Chores
    • Android release build now uses standard linker behavior instead of a forced override, simplifying and normalizing builds.
    • Improved APK processing and validation: native libraries are automatically sanitized, affected APKs are rebuilt, aligned and re-signed, and stricter post-build verification is performed to ensure artifacts are clean and valid.


coderabbitai Bot commented Apr 25, 2026

📝 Walkthrough


This change removes the per-step LDFLAGS=-Wl,--build-id=none override from the Android build workflow and replaces the prior detection-only approach in scripts/release/verify-fdroid-native-libs.sh with a full patch-and-resign flow: it loads signing credentials from android/key.properties, auto-detects required tooling (objcopy/readelf/apksigner/zipalign), detects and removes .note.gnu.build-id sections from native .so files using objcopy, updates APKs with patched libraries, runs zipalign and apksigner sign, and re-verifies that no Build ID notes remain and that apksigner verify succeeds.

Possibly related PRs

  • fix: fdroid build #1139: Previously added an LDFLAGS override and a detection-only build-ID check for Android native libs; this change removes that override and replaces detection with per-library patching, rezip, and re-signing.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: stripping Android native build IDs for F-Droid distribution, which aligns with the core modifications in both the release workflow and verification script. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
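
The re-verification step described in the walkthrough above (no Build ID notes left in any native library), as an added example that is not the project's script: a Python stand-in for the readelf check that lists the `lib/*.so` entries of an APK whose section table still names `.note.gnu.build-id`. It assumes little-endian ELF64 libraries (32-bit ABIs are not parsed); the function names and the sample APK are constructed for illustration.

```python
import io
import struct
import zipfile

NOTE = b".note.gnu.build-id"

def elf_section_names(data):
    """Section names of a little-endian ELF64 image; [] if it is not one."""
    if data[:6] != b"\x7fELF\x02\x01":
        return []
    shoff, = struct.unpack_from("<Q", data, 0x28)  # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    def hdr(i):  # (sh_name, sh_offset, sh_size) of section header i
        base = shoff + i * shentsize
        name, = struct.unpack_from("<I", data, base)
        off, size = struct.unpack_from("<QQ", data, base + 0x18)
        return name, off, size
    _, stroff, strsize = hdr(shstrndx)
    strtab = data[stroff:stroff + strsize]
    return [strtab[n:strtab.index(b"\0", n)] for n in (hdr(i)[0] for i in range(shnum))]

def libs_with_build_id(apk_bytes):
    """lib/*.so entries of an APK (zip) that still have a Build ID note section."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith("lib/") and n.endswith(".so")
                      and NOTE in elf_section_names(z.read(n)))

def make_elf(names):
    """Constructed sample: minimal ELF64 with a null section, `names`, and .shstrtab."""
    all_names = [b""] + names + [b".shstrtab"]
    strtab, offs = b"", []
    for n in all_names:
        offs.append(len(strtab))
        strtab += n + b"\0"
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 183, 1, 0, 0,
                       64 + len(strtab), 0, 64, 0, 0, 64, len(all_names), len(all_names) - 1)
    shdr = b"".join(struct.pack("<IIQQQQIIQQ", o, 0, 0, 0, 64, len(strtab), 0, 0, 1, 0)
                    for o in offs)
    return ehdr + strtab + shdr

def sample_apk():
    """Constructed APK: one clean library, one that still carries the note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libclean.so", make_elf([b".text"]))
        z.writestr("lib/arm64-v8a/libdirty.so", make_elf([b".text", NOTE]))
    return buf.getvalue()

print(libs_with_build_id(sample_apk()))
```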


@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
scripts/release/verify-fdroid-native-libs.sh (1)

310-315: Consider using environment variables for password passing.

The pass: prefix exposes passwords in process listings (ps aux). While this is standard apksigner usage, consider using the env: format for slightly better security:

+  export STORE_PASS="$store_password"
+  export KEY_PASS="$key_password"
   "$APKSIGNER" sign \
     --ks "$store_file" \
     --ks-key-alias "$key_alias" \
-    --ks-pass "pass:$store_password" \
-    --key-pass "pass:$key_password" \
+    --ks-pass "env:STORE_PASS" \
+    --key-pass "env:KEY_PASS" \
     "$apk"

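Review bot: The two `export` lines at the top of the hunk leave STORE_PASS and KEY_PASS set for every command the script runs after signing, because nothing in the hunk unsets them. Scope the values to the signer instead: either put the assignments on the signing command itself (`STORE_PASS="$store_password" KEY_PASS="$key_password" "$APKSIGNER" sign \`), which sets them only for that one process, or add `unset STORE_PASS KEY_PASS` right after the call. The environment of a running process is still readable by the same user through /proc, so `env:` narrows the exposure compared with `pass:` rather than removing it.
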
This prevents credentials from appearing in process command lines. The exposure window is short, but in shared CI environments this is a defense-in-depth consideration.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/release/verify-fdroid-native-libs.sh` around lines 310 - 315, Replace
the direct "pass:$store_password" / "pass:$key_password" arguments to apksigner
with environment-backed passwords to avoid exposing them in process listings:
set temporary env vars (e.g. ANDROID_KS_PASSWORD and ANDROID_KEY_PASSWORD) from
your existing variables (store_password, key_password), call the APKSIGNER
invocation using --ks-pass "env:ANDROID_KS_PASSWORD" and --key-pass
"env:ANDROID_KEY_PASSWORD", then securely unset those env vars immediately after
signing; update the shell snippet that calls "$APKSIGNER" (and references
$store_file, $key_alias, $apk) to use the env: form and ensure you export and
then unset the temporary env vars around that call.


📥 Commits

Reviewing files that changed from the base of the PR and between b9154d7 and 19a9d8a.

📒 Files selected for processing (1)
  • scripts/release/verify-fdroid-native-libs.sh

@lollipopkit lollipopkit merged commit 15c4501 into main Apr 25, 2026
1 of 2 checks passed
@lollipopkit lollipopkit deleted the fix-fdroid-build branch April 25, 2026 16:09