buildMetaData task doesn't generate reproducible binaries #1885

@mohammadrafigh

Environment
Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project):

  • CLI: 9.0.1
  • Cross-platform modules:
  • Android Runtime: 8.9.2 and 9.0.0
  • iOS Runtime (if applicable): -
  • Plugin(s): -

Describe the bug
The buildMetaData task generates metadata binaries that are not deterministic and reproducible, even with the same --compileSdk version set and the exact Java, SDK, etc. So, security checks will fail, especially in open-source app stores like IzzyOnDroid and F-Droid.
The issue might be related to using methods like listFiles() without performing a sort on the files, or maybe to different locale properties; I'm just guessing from my research.
I've attached a diffoscope result to see the difference.

diff-with-upstream.html

To Reproduce

  • Generate an APK locally
  • Generate the same APK using a docker/podman container or Github actions
  • diff the results using any tool like diffoscope

Expected behavior
The metadata binaries should be exactly the same for a specific compileSdk, regardless of which environment is running the buildMetaData task.
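
An added example (not part of the original issue or of the NativeScript code base): one way to narrow the "diff the results" step down to the archive entries that actually differ, by hashing each entry's uncompressed content so that entry order and ZIP timestamps are ignored. The entry names and byte contents below are constructed samples, not files from a real APK.

```python
import hashlib
import io
import sys
import zipfile


def entry_digests(apk_bytes):
    """Map each archive entry name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def compare_apks(a_bytes, b_bytes):
    """Report entries missing on either side and entries whose content differs."""
    a, b = entry_digests(a_bytes), entry_digests(b_bytes)
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def make_sample(entries):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: same records in the metadata entry, written in a
# different order, and the archive entries themselves stored in a different order.
LOCAL_BUILD = make_sample([
    ("classes.dex", b"identical bytecode"),
    ("assets/sample-metadata.bin", b"recA|recB|recC"),
])
CONTAINER_BUILD = make_sample([
    ("assets/sample-metadata.bin", b"recB|recA|recC"),
    ("classes.dex", b"identical bytecode"),
])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two real APK files given on the command line
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            print(compare_apks(fa.read(), fb.read()))
    else:
        print(compare_apks(LOCAL_BUILD, CONTAINER_BUILD))
```

Entries listed under `content_differs` are the ones worth opening in diffoscope; an empty report for two archives whose whole-file hashes differ points at packaging metadata rather than file content.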
