Description
Summary:
Attempted to reproduce the OneKey Android app (v5.11.0) from source on Ubuntu 22.04 LTS.
While a debug build succeeded, all release build attempts failed due to Gradle daemon crashes, high memory usage, and external service authentication requirements (Sentry).
No unsigned release APK suitable for reproducibility comparison could be generated.
Full verification report (with asciicast and build logs) will be published on walletscrutiny.com.
(update: here)
Details:
- Platform: Android
- Version: 5.11.0
- Build Environment: Ubuntu 22.04, Android SDK (API 34), JDK 17.0.10-tem, Gradle 8.13
- Total Attempts: 10 (9 failed, 1 successful debug build)
- Successful Build: Debug APK only --- unsuitable for verification due to signing/optimization differences
Key Issues:
- Gradle daemon instability -- frequent crashes near build completion (`Gradle build daemon disappeared unexpectedly`).
- System resource exhaustion -- freezes at 99.9% completion, >50min build times, high memory use during JS bundling.
- Release build authentication requirements -- blocked by Sentry auth token requests.
- Debug vs release limitations -- debug build not comparable to Google Play release.
Reproduction Barriers:
- Proprietary build secrets (Sentry, EAS) required for production builds.
- External service dependencies prevent offline/local reproducibility.
- No documented process for generating unsigned release APKs.
- CI/CD-oriented build pipeline not optimized for reproducible local builds.
Recommendation:
- Provide documented, dependency-free process for building unsigned release APKs locally.
- Reduce external service coupling for basic builds.
- Improve Gradle stability and memory efficiency in local environments.
Status: ❌ Failed -- Could not generate comparable release APK from source.