WalletScrutiny.com - Reproducibility Report for version 5.1.4 [NOT REPRODUCIBLE] #297
Description
Summary
WalletScrutiny.com
verified Blockstream Green v5.1.4 by building from source at tag release_5.1.4 (commit 673b411)
using the upstream Docker build environment (contrib/Dockerfile). The build completed successfully
but produced an APK with two non-signature binary differences compared to the official Google Play
APK. These are the same two blockers identified in #271 (v5.0.6, filed July 2025).
Verdict: Not Reproducible
Build Method
- Tag:
release_5.1.4(annotated, unsigned) - Commit:
673b411851ac52ef0d5e8671413e5e4c1ea74056 - Build image: Built from
contrib/Dockerfile(Debian Bullseye, JDK 17, SDK 36, Build Tools
35.0.0) - Build commands:
./gradlew useBlockstreamKeys
./gradlew -x test assembleProductionGoogleRelease
This matches thebuild_google_playjob in.gitlab-ci.yml.
Differences Found
Only in official/META-INF: GREENADD.RSA (expected — signing)
Only in official/META-INF: GREENADD.SF (expected — signing)
Only in official/META-INF: MANIFEST.MF (expected — signing)
Files classes3.dex differ (BLOCKING)
Files assets/dexopt/baseline.prof differ (BLOCKING)
- AndroidManifest.xml: identical (0 diff lines)
- Resources (res/): identical (0 diffs)
- stamp-cert-sha256: absent in both APKs
Root Cause Analysis
1. classes3.dex — R8 non-determinism
androidApp/build.gradle.kts line 132 enables R8 minification:
isMinifyEnabled = true
isShrinkResources = true
R8 is known to produce non-deterministic output across builds (class processing order, method
inlining thresholds, constant pool ordering). This is the most likely cause of the dex diff based on
known Android reproducibility patterns.
2. assets/dexopt/baseline.prof — ART profile generation
No baseline profile exists in the source tree. It is generated during the Gradle build by the Android
Gradle Plugin. The binary output varies between builds due to compilation order dependencies and
build-environment-specific metadata.
Comparison with v5.0.6 (#271)
┌────────────────────┬────────────────────┬───────────────────────────────────┐
│ Aspect │ v5.0.6 (July 2025) │ v5.1.4 (Feb 2026) │
├────────────────────┼────────────────────┼───────────────────────────────────┤
│ classes3.dex diff │ Yes │ Yes │
├────────────────────┼────────────────────┼───────────────────────────────────┤
│ baseline.prof diff │ Yes │ Yes │
├────────────────────┼────────────────────┼───────────────────────────────────┤
│ Manifest diffs │ Not checked │ 0 │
├────────────────────┼────────────────────┼───────────────────────────────────┤
│ Resource diffs │ Not checked │ 0 │
├────────────────────┼────────────────────┼───────────────────────────────────┤
│ Project structure │ Standard Android │ Kotlin Multiplatform (15 modules) │
└────────────────────┴────────────────────┴───────────────────────────────────┘
The project underwent a major restructuring between these versions, but the two reproducibility
blockers remain unchanged.
APK Details
┌────────────┬──────────────────────────────────────────────────────────────────┐
│ Field │ Value │
├────────────┼──────────────────────────────────────────────────────────────────┤
│ App ID │ com.greenaddress.greenbits_android_wallet │
├────────────┼──────────────────────────────────────────────────────────────────┤
│ Version │ 5.1.4 │
├────────────┼──────────────────────────────────────────────────────────────────┤
│ APK SHA256 │ 0ce11ba86bd36a3ee4f2b2a7c03a559484c702356861ce6323deccee100acf3a │
├────────────┼──────────────────────────────────────────────────────────────────┤
│ Signer │ 32f9cc00b13fbeace51e2fb51df482044e42ad34a9bd912f179fedb16a42970e │
└────────────┴──────────────────────────────────────────────────────────────────┘