diffs in verification attempt

[xrviv]

Thanks to your latest update, we were able to build version 2.1.1 and conduct verification on the reproducibility of the app.

We integrated the dockerfile contents with walletscrutiny's scripts and managed to find diffs:

===== Begin Results =====
appId:          ch.swissbitcoinpay.checkout
signer:         17d9c0bf025008da16d5a146e1beaca6ddcfe3cb0cf063da23c847d3007eb621
apkVersionName: 2.1.1
apkVersionCode: 381
verdict:        
appHash:        62df7d225d6178688f451604552fb5d79525a257ac59e281f0c02f4c96e4d343
commit:         b350085a6f30027a83a8fdb18b73c5aed073cc97

Diff:
Files /tmp/fromPlay_ch.swissbitcoinpay.checkout_381/AndroidManifest.xml and /tmp/fromBuild_ch.swissbitcoinpay.checkout_381/AndroidManifest.xml differ
Files /tmp/fromPlay_ch.swissbitcoinpay.checkout_381/assets/index.android.bundle and /tmp/fromBuild_ch.swissbitcoinpay.checkout_381/assets/index.android.bundle differ
Files /tmp/fromPlay_ch.swissbitcoinpay.checkout_381/res/drawable-mdpi-v4/src_assets_images_bitcoinwhiteborder.png and /tmp/fromBuild_ch.swissbitcoinpay.checkout_381/res/drawable-mdpi-v4/src_assets_images_bitcoinwhiteborder.png differ
Files /tmp/fromPlay_ch.swissbitcoinpay.checkout_381/res/drawable-mdpi-v4/src_assets_images_boltcardblack.png and /tmp/fromBuild_ch.swissbitcoinpay.checkout_381/res/drawable-mdpi-v4/src_assets_images_boltcardblack.png differ
Files /tmp/fromPlay_ch.swissbitcoinpay.checkout_381/res/drawable-mdpi-v4/src_assets_images_boltcard.png and /tmp/fromBuild_ch.swissbitcoinpay.checkout_381/res/drawable-mdpi-v4/src_assets_images_boltcard.png differ
Files /tmp/fromPlay_ch.swissbitcoinpay.checkout_381/res/drawable-mdpi-v4/src_assets_images_logosquarerounded.png and /tmp/fromBuild_ch.swissbitcoinpay.checkout_381/res/drawable-mdpi-v4/src_assets_images_logosquarerounded.png differ
Files /tmp/fromPlay_ch.swissbitcoinpay.checkout_381/res/mipmap-hdpi-v4/ic_launcher_adaptive_fore.png and /tmp/fromBuild_ch.swissbitcoinpay.checkout_381/res/mipmap-hdpi-v4/ic_launcher_adaptive_fore.png differ
Files /tmp/fromPlay_ch.swissbitcoinpay.checkout_381/resources.arsc and /tmp/fromBuild_ch.swissbitcoinpay.checkout_381/resources.arsc differ
Only in /tmp/fromPlay_ch.swissbitcoinpay.checkout_381: stamp-cert-sha256

Revision, tag (and its signature):

===== End Results =====

I have yet to perform an analysis on these results.
Here is the related merge request on walletscrutiny's gitlab.
Next, I will try to do the same for split apks.

[xrviv]

This is the analysis for the split apks:

https://gitlab.com/walletscrutiny/walletScrutinyCom/-/blob/5264d394f4f411271b808f0f553c12c6c94f94da/_android/ch.swissbitcoinpay.checkout.md

[xrviv]

Hello again,

We attempted v2.3.7 and here are our findings:

Steps to verify the reproducibility of the app:

1. Extract the split apks using the apkextractor_sync.sh script.
2. We then uploaded the split apks to /var/shared/apk/ch.swissbitcoinpay.checkout/2.3.7 on our build server
3. The device-spec.json for our specific device already exists in the server
4. We proceed to run testAAB.sh for split apks.

$ ./testAAB.sh -d /var/shared/apk/ch.swissbitcoinpay.checkout/2.3.7 -s /var/shared/device-spec/a11/device-spec.json

4. After several errors and attempts we modified the app-specific script. We were able to reach the verification step where we try to build the dockerfile. The build fails with this error:

FAILURE: Build failed with an exception.

* Where:
Build file '/app/android/app/build.gradle' line: 95

* What went wrong:
A problem occurred evaluating project ':app'.
> Could not read script '/' as it is a directory.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 1m 49s

5. We investigated line 95 of the build.gradle file in /app/android/app/build.gradle

apply from: new File(["node", "--print", "require.resolve('@sentry/react-native/package.json')"].execute().text.trim(), "../sentry.gradle")

The error indicates that Gradle is trying to load a script from the root directory ("/") because the dynamic resolution of the Sentry Gradle script’s path is failing.

The quoted line above from line 95 is supposed to locate the Sentry Gradle script relative to the location of @sentry/react-native/package.json. However, the node command is returning "/" (or something that normalizes to "/") instead of a valid path to the package. This usually happens because:

• The @sentry/react-native package isn’t installed in the expected location (or at all), so require.resolve('@sentry/react-native/package.json') fails to return the correct path.
• The working directory for the node command isn’t what’s expected, causing the resolution to fall back to "/" (the root).

Because the computed path ends up being "/" (a directory), Gradle complains that it “Could not read script '/' as it is a directory.”

In summary: The problem is that the dynamic path resolution for Sentry’s Gradle script is failing (likely due to a missing package or an unexpected working directory), resulting in a path of "/" rather than a valid file path.

Further delving into a fix for this build with an existing Dockerfile for the build, would entail modifying files within the repository that would be equivalent to modifying the build context. This would defeat the purpose of verification and cause the build to be nonverifiable.

We attempted to manually build this as well which resulted in the same error.

For this reason we are giving this a verdict of failed to build from source.

We would appreciate some assistance regarding this. Thank you.

The asciicast for this build can be found here: https://asciinema.org/a/701833

[SwissBitcoinPay]

Hello @xrviv,

We have published an update (2.5.6) with an updated Sentry library and Gradle configurations, which should fixes your build issues.

Please try again with main branch, you can simply build with :
docker build . -o sbp-output