synonymdev · ovitrif · Jun 15, 2026
diff --git a/.github/workflows/reproducible-release.yml b/.github/workflows/reproducible-release.yml
@@ -0,0 +1,117 @@
+name: Reproducible Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      comparison_artifact_name:
+        description: Optional artifact name to compare against with diffoscope
+        required: false
+        default: ''
+      comparison_run_id:
+        description: Workflow run id that produced the comparison artifact
+        required: false
+        default: ''
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  TERM: xterm-256color
+  FORCE_COLOR: 1
+
+jobs:
+  reproduce-mainnet:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    environment: release
+
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Java
+        uses: actions/setup-java@v5
+        with:
+          java-version: '17'
+          distribution: 'adopt'
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+
+      - name: Decode mainnet release google-services.json
+        env:
+          MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64: ${{ secrets.MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64 }}
+        run: |
+          set -euo pipefail
+          test -n "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64"
+          mkdir -p app/src/mainnetRelease
+          printf '%s' "$MAINNET_RELEASE_GOOGLE_SERVICES_JSON_BASE64" | base64 --decode > app/src/mainnetRelease/google-services.json
+
+      - name: Decode release keystore
+        env:
+          BITKIT_KEYSTORE_BASE64: ${{ secrets.BITKIT_KEYSTORE_BASE64 }}
+        run: |
+          set -euo pipefail
+          test -n "$BITKIT_KEYSTORE_BASE64"
+          umask 077
+          keystore_path="$RUNNER_TEMP/bitkit.keystore"
+          printf '%s' "$BITKIT_KEYSTORE_BASE64" | base64 --decode > "$keystore_path"
+          echo "KEYSTORE_FILE=$keystore_path" >> "$GITHUB_ENV"
+
+      - name: Validate comparison inputs
+        if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }}
+        env:
+          COMPARISON_RUN_ID: ${{ inputs.comparison_run_id }}
+        run: |
+          set -euo pipefail
+          test -n "$COMPARISON_RUN_ID"
+
+      - name: Download comparison artifact
+        if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }}
+        uses: actions/download-artifact@v6
+        with:
+          name: ${{ inputs.comparison_artifact_name }}
+          path: ${{ runner.temp }}/comparison
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          run-id: ${{ inputs.comparison_run_id }}
+
+      - name: Install diffoscope
+        if: ${{ github.event_name == 'workflow_dispatch' && inputs.comparison_artifact_name != '' }}
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y diffoscope
+
+      - name: Build reproducibility artifacts
+        env:
+          GPR_USER: ${{ secrets.GPR_USER || github.actor }}
+          GPR_TOKEN: ${{ secrets.GPR_TOKEN || github.token }}
+          GITHUB_ACTOR: ${{ secrets.GPR_USER || github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GPR_TOKEN || github.token }}
+          KEYSTORE_PASSWORD: ${{ secrets.BITKIT_KEYSTORE_PASSWORD }}
+          KEY_ALIAS: ${{ secrets.BITKIT_KEY_ALIAS }}
+          KEY_PASSWORD: ${{ secrets.BITKIT_KEY_PASSWORD }}
+          OUTPUT_DIR: ${{ runner.temp }}/reproducible-release
+        run: |
+          set -euo pipefail
+          if [ -d "$RUNNER_TEMP/comparison/extracted-apks" ]; then
+            export DIFFOSCOPE_COMPARE_DIR="$RUNNER_TEMP/comparison/extracted-apks"
+          elif [ -d "$RUNNER_TEMP/comparison" ]; then
+            export DIFFOSCOPE_COMPARE_DIR="$RUNNER_TEMP/comparison"
+          fi
+          scripts/reproduce-release.sh
+
+      - name: Upload reproducibility artifacts
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v6
+        with:
+          name: bitkit-reproducible-release-${{ github.run_number }}
+          path: ${{ runner.temp }}/reproducible-release
+          retention-days: 30
diff --git a/README.md b/README.md
@@ -180,6 +180,8 @@ just release
 
 `just release` builds both the mainnet APK and Play Store AAB. AAB is generated in `app/build/outputs/bundle/mainnetRelease/`.
 
+See [reproducible builds](docs/reproducible-builds.md) for the WalletScrutiny-oriented release reproduction flow.
+
 ### Build for E2E Testing
 
 Pass `E2E=true` and build any flavor. By default, E2E uses a local Electrum override.

diff --git a/app/build.gradle.kts b/app/build.gradle.kts
@@ -25,8 +25,14 @@ plugins {
 val keystoreProperties by lazy {
     val keystorePropertiesFile = rootProject.file("keystore.properties")
     val keystoreProperties = Properties()
+    val envStoreFile = System.getenv("KEYSTORE_FILE")?.takeIf { it.isNotBlank() }
 
-    if (keystorePropertiesFile.exists()) {
+    if (envStoreFile != null) {
+        keystoreProperties["storeFile"] = envStoreFile
+        keystoreProperties["storePassword"] = System.getenv("KEYSTORE_PASSWORD") ?: ""
+        keystoreProperties["keyAlias"] = System.getenv("KEY_ALIAS") ?: ""
+        keystoreProperties["keyPassword"] = System.getenv("KEY_PASSWORD") ?: ""
+    } else if (keystorePropertiesFile.exists()) {
         keystoreProperties.load(FileInputStream(keystorePropertiesFile))
     } else {
         keystoreProperties["storeFile"] = System.getenv("KEYSTORE_FILE") ?: ""

diff --git a/docs/reproducible-builds.md b/docs/reproducible-builds.md
@@ -0,0 +1,105 @@
+# Reproducible builds
+
+This document captures the current Bitkit Android release reproduction flow for WalletScrutiny-style review.
+
+## Current release target
+
+- Flavor/build type: `mainnetRelease`
+- Gradle wrapper: `8.13`
+- Android Gradle Plugin: `8.13.2`
+- Java: `17`
+- Compile SDK: `36`
+- Bundletool: `1.18.1`
+- AAB output: `app/build/outputs/bundle/mainnetRelease/`
+- APK output: `app/build/outputs/apk/mainnet/release/`
+
+The release build needs the private mainnet Firebase config at `app/src/mainnetRelease/google-services.json` and release signing material. CI writes those files from protected GitHub environment secrets; external verifiers need an equivalent file from the project or an agreed public/non-secret release config strategy.
+
+## Local reproduction
+
+Configure GitHub Packages credentials without committing secrets:
+
+```sh
+export GITHUB_ACTOR=YOUR_GITHUB_USERNAME
+export GITHUB_TOKEN=YOUR_READ_PACKAGES_TOKEN
+```
+
+Configure release signing without `keystore.properties`:
+
+```sh
+export KEYSTORE_FILE=/absolute/path/to/bitkit.keystore
+export KEYSTORE_PASSWORD=...
+export KEY_ALIAS=...
+export KEY_PASSWORD=...
+```
+
+Build the mainnet release bundle and recreate APK splits:
+
+```sh
+scripts/reproduce-release.sh
+```
+
+The script writes artifacts under `.ai/reproducible-release/` by default:
+
+- `artifacts/*.aab`
+- `artifacts/*.apks`
+- `extracted-apks/`
+- `checksums/release-artifacts.sha256`
+- `checksums/extracted-apks.sha256`
+- `checksums/arm64-native-libs.sha256`
+- `arm64-apks.txt`
+- `arm64-native-libs.txt`
+
+To reuse an existing AAB:
+
+```sh
+SKIP_GRADLE_BUILD=true AAB_PATH=/path/to/bitkit-mainnet-release-181.aab scripts/reproduce-release.sh
+```
+
+## GitHub workflow
+
+The manual `Reproducible Release` workflow builds `bundleMainnetRelease`, recreates APK splits with bundletool, extracts the `arm64-v8a` native libraries, and uploads checksums plus reproduction artifacts. Workflow behavior can only be fully verified after merge because GitHub Actions workflow changes are only active for PRs opened after the workflow change is merged.
+
+If a comparison artifact from this repository is available in GitHub Actions, pass its artifact name and source workflow run id to the manual workflow inputs. The workflow installs `diffoscope`, writes `diffoscope.html` and `diffoscope.txt`, and fails when the generated APK split tree differs from the comparison artifact.
+
+## Manual diffoscope checks
+
+Compare generated APK splits against a downloaded or previously generated APK set:
+
+```sh
+diffoscope path/to/reference-apks .ai/reproducible-release/extracted-apks \
+  --html .ai/reproducible-release/diffoscope.html
+```
+
+Compare only the arm64 native libraries:
+
+```sh
+diffoscope path/to/reference-native-libs .ai/reproducible-release/native-libs \
+  --html .ai/reproducible-release/native-libs-diffoscope.html
+```
+
+## Known WalletScrutiny issue
+
+WalletScrutiny issue `synonymdev/bitkit-android#953` previously reported that most release APK contents reproduced, with remaining differences in native libraries inside the `arm64-v8a` split.
+
+Known mappings:
+
+- `libbitkitcore.so` and `libpubky_app_specs...so` come from `com.synonym:bitkit-core-android:0.1.58`
+- `libdatastore_shared_counter.so` comes from `androidx.datastore:datastore-core:1.2.0`
+- `libjnidispatch.so` comes from `net.java.dev.jna:jna:5.18.1`
+
+The app repository can provide a stable release recipe and artifact checksums. The remaining native reproducibility work is upstream artifact provenance, especially for Rust-produced Android libraries.
+
+## Upstream native follow-ups
+
+For Rust/native Android artifacts, the upstream repositories should publish reproducible AAR/native library builds with:
+
+- pinned Rust toolchain
+- pinned Android NDK
+- committed `Cargo.lock`
+- stable build paths
+- `SOURCE_DATE_EPOCH`
+- `codegen-units = 1`
+- path remapping
+- deterministic stripping
+- published AAR and native `.so` checksums