In a certain way, embedding license metadata is really nice because it allows you to permanently mark the image as such. However, if someone then uploads it to another website, it is very likely the metadata is stripped with imagemagick.
Strip PNG metadata using Ubuntu: pngcrush and optipng
F-Droid verifies reproducible builds using the APKsignature (aform of embeddedsignature),which requires copying thesignature from a signed APK to an unsigned one and then checking if thelatter verifies. The old v1 (JAR) signatures only cover the contents ofthe APK (e.g. ZIP metadata and ordering are irrelevant), but v2/v3signatures cover all other bytes in the APK. Thus, the APKs must becompletely identical before and after signing (apart from the signature)in order to verify correctly.
On different build machines, different NDK paths and different paths to theproject (and thus to its jni directory) are used. This leads to differentpaths to the source files in debug symbols, causing the linker to generate adifferent build-id, which is preserved after stripping.
A standard part of the Android build process is to run some kind of PNGoptimization tool, like aapt singleCrunch, pngcrush, zopflipng oroptipng. These do not provide deterministic output, it is still an openquestion as to why. Since PNGs are normally committed to the source repo, aworkaround to this problem is to run the tool of your choice on the PNGfiles, then commit those changes to the source repo (e.g. git). Then,disable the default PNG optimization process by adding this tobuild.gradle:
2ff7e9595c
Commenti