Another bit for the annals of #ReproducibleBuilds: the new TorServices app is reproducible across a couple machines. It uses a reproducible libtor.so binary from a Maven Central artifact, which is pinned by SHA-256 using Gradle Dependency Verification. I built TorServices on yet another box, and this time, it had diffs in the libtor.so. WTF, how is that possible? It just had to copy the libtor.so from AAR to APK. I guess it could have been a glitch in that computer, or a hacked test build box.
I think I found the answer in this error message:
Unable to strip library '/builds/eighthave/torservices/app/build/intermediates/merged_native_libs/release/out/lib/x86/libtor.so' due to missing strip tool for ABI 'X86'. Packaging it as is.
If the binaries on Maven Central include debug symbols, then stripping them while assembling the APK will change them. I wonder what the right thing to do is here? Ship stripped binaries? Require stripping in the APK build? Disable stripping?
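
One way to see which native libraries the APK build altered, as an added example that is not part of the original post: it hashes every `.so` in the AAR and in the APK and reports per ABI whether the packaged copy is byte-identical. It assumes the standard archive layouts (`jni/<abi>/` in an AAR, `lib/<abi>/` in an APK); the function names are hypothetical and the archives in `demo()` are constructed placeholders, not real builds.

```python
import hashlib
import io
import zipfile


def native_lib_hashes(archive, prefix):
    """Map '<abi>/<name>.so' -> SHA-256 for every .so under prefix in a zip archive."""
    hashes = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.filename.startswith(prefix) and info.filename.endswith(".so"):
                rel = info.filename[len(prefix):]
                hashes[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def compare_aar_to_apk(aar, apk):
    """Classify each native library in the AAR by what the APK build did to it."""
    aar_libs = native_lib_hashes(aar, "jni/")  # AAR layout: jni/<abi>/<name>.so
    apk_libs = native_lib_hashes(apk, "lib/")  # APK layout: lib/<abi>/<name>.so
    report = {}
    for rel, digest in sorted(aar_libs.items()):
        if rel not in apk_libs:
            report[rel] = "missing"
        elif apk_libs[rel] == digest:
            report[rel] = "identical"  # packaged as is
        else:
            report[rel] = "modified"   # e.g. stripped while assembling the APK
    return report


def _make_zip(entries):
    """Build an in-memory zip from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def demo():
    # Constructed sample data: placeholder bytes standing in for ELF files.
    with_symbols = b"\x7fELF-code" + b"-debug-symbols"
    stripped = b"\x7fELF-code"
    aar = _make_zip({"jni/x86/libtor.so": with_symbols,
                     "jni/arm64-v8a/libtor.so": with_symbols})
    # x86 had no strip tool and was copied unchanged; arm64-v8a was stripped.
    apk = _make_zip({"lib/x86/libtor.so": with_symbols,
                     "lib/arm64-v8a/libtor.so": stripped})
    return compare_aar_to_apk(aar, apk)


if __name__ == "__main__":
    for lib, status in demo().items():
        print(f"{status:10} {lib}")
```

Both functions accept file paths as well as file objects, so the same comparison runs against a real AAR and APK on disk.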