[Build] Reproducible build differences between EAS cloud and local Docker environment #350

@xrviv

Summary

We've been working on reproducible build verification for Alby Go v1.14.1 as part of WalletScrutiny.com's process, and discovered some interesting differences between EAS cloud builds and local Docker reproduction attempts. Hoping to get your insights on the expected behavior.

Build Environment

Local Setup:

  • Docker container: Ubuntu 22.04, Node.js 22.x, Java 17, Android SDK API 34
  • Build method: npx expo prebuild, then ./gradlew bundleRelease
  • Source: GitHub tag v1.14.1 (commit 34316fb)

Key Differences Found

Assets & Resources

  • Missing fonts: Official APK includes 4 .otf font files in res/raw/, local build
    doesn't
  • Missing navigation icons: 4 React Navigation PNG assets missing in local build
  • JavaScript bundling: Official has index.android.bundle, local uses runtime bundling

Build Structure

  • DEX files: Official has 9 DEX files, local build generates 21
  • Native libraries: Different binary output for all .so files (expected)
  • APK sizes: Notable difference in armeabi_v7a component (16MB official vs 34MB local)

Configuration

  • Firebase config: Had to use placeholder, official uses EAS secrets path
  • Sentry integration: Had to exclude upload tasks due to authentication

Questions

  1. Font embedding: Should fonts be automatically embedded during the build, or is this an
    EAS-specific optimization?

  2. Asset processing: Are the missing navigation icons typically handled by EAS asset
    pipeline vs local builds?

  3. DEX optimization: Is the different DEX file count expected when building locally vs EAS
    cloud?

  4. Recommended approach: What would be the best way to achieve a local build that more
    closely matches the EAS cloud output?

Context

This is for WalletScrutiny.com reproducible build verification. The app's NWC architecture and
security model look solid - just trying to understand the build environment differences for
documentation purposes.

Thanks for any insights! Happy to provide more details or testing if helpful.

Build Logs

WalletScrutiny.com verification for Alby Go Mobile (android)
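
A way to produce the kind of difference list reported above (entries present on only one side, entries whose contents differ, DEX counts) is to hash every zip entry of both APKs while skipping the v1 signature files. This is an added example, not code from the issue, WalletScrutiny or Alby; the function names are hypothetical and the two in-memory APKs are constructed sample data with placeholder font and library names.

```python
import hashlib
import io
import re
import zipfile

# Signing artifacts always differ between an official APK and a rebuild.
SIGNATURE_RE = re.compile(r"^META-INF/(MANIFEST\.MF|.*\.(SF|RSA|DSA|EC))$")
DEX_RE = re.compile(r"^classes\d*\.dex$")


def entry_hashes(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()
                if not n.endswith("/") and not SIGNATURE_RE.match(n)}


def compare_apks(official_bytes, local_bytes):
    """Summarise content differences between two APKs."""
    off, loc = entry_hashes(official_bytes), entry_hashes(local_bytes)
    return {
        "only_in_official": sorted(off.keys() - loc.keys()),
        "only_in_local": sorted(loc.keys() - off.keys()),
        "content_differs": sorted(n for n in off.keys() & loc.keys() if off[n] != loc[n]),
        "dex_count": tuple(sum(1 for n in m if DEX_RE.match(n)) for m in (off, loc)),
    }


def make_apk(entries):
    """Build a constructed in-memory APK (zip) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data, not the real Alby Go APKs; font and .so names are placeholders.
OFFICIAL = make_apk({"classes.dex": b"a", "classes2.dex": b"b",
                     "assets/index.android.bundle": b"js",
                     "res/raw/placeholder_font.otf": b"font",
                     "lib/armeabi-v7a/libplaceholder.so": b"official",
                     "META-INF/CERT.RSA": b"sig-official"})
LOCAL = make_apk({"classes.dex": b"a", "classes2.dex": b"b", "classes3.dex": b"c",
                  "lib/armeabi-v7a/libplaceholder.so": b"local",
                  "META-INF/CERT.RSA": b"sig-local"})

if __name__ == "__main__":
    print(compare_apks(OFFICIAL, LOCAL))
```

APK Signature Scheme v2 and later store the signature in a block outside the zip entries, so only the v1 files under META-INF/ need to be excluded from an entry-level comparison.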
