manawenuz/wz-phone
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
wz-phone/scripts/build-tauri-android.sh
Siavash Sameni d89376016a fix(build): sign release APKs with project keystore (wzp-release.jks) 
Release builds from cargo-tauri are unsigned. After Gradle produces the
APK, zipalign + apksigner now sign it with the release keystore
(android/keystore/wzp-release.jks). Falls back to debug keystore if
release is missing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 16:21:38 +04:00

456 lines
17 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
set -euo pipefail
# =============================================================================
# WZ Phone — Tauri 2.x Mobile Android APK build
#
# Builds the desktop/ Tauri app as an Android APK via cargo-tauri inside the
# wzp-android-builder Docker image on SepehrHomeserverdk. Uploads the APK to
# rustypaste, fires ntfy.sh/wzp notifications at start + finish, and SCPs the
# APK back locally.
#
# Same pattern as build-and-notify.sh but for the Tauri mobile pipeline:
# - Source: desktop/src-tauri/ (not android/)
# - Build: cargo tauri android build (not gradlew assembleDebug)
# - Output: desktop/src-tauri/gen/android/.../*.apk
#
# Usage:
# ./scripts/build-tauri-android.sh # full pipeline (debug, arm64 only)
# ./scripts/build-tauri-android.sh --release # release APK
# ./scripts/build-tauri-android.sh --no-pull # skip git fetch
# ./scripts/build-tauri-android.sh --rust # force-clean rust target
# ./scripts/build-tauri-android.sh --init # also run `cargo tauri android init`
# ./scripts/build-tauri-android.sh --arch arm64 # arm64 only (default)
# ./scripts/build-tauri-android.sh --arch armv7 # armv7 only (smaller APK)
# ./scripts/build-tauri-android.sh --arch all # both arm64 + armv7 (separate APKs)
#
# Environment:
# WZP_BRANCH Branch to build (default: feat/desktop-audio-rewrite)
# =============================================================================
REMOTE_HOST="SepehrHomeserverdk"
BASE_DIR="/mnt/storage/manBuilder"
NTFY_TOPIC="https://ntfy.sh/wzp"
LOCAL_OUTPUT="target/tauri-android-apk"
BRANCH="${WZP_BRANCH:-$(git -C "$(dirname "$0")/.." branch --show-current 2>/dev/null || echo "")}"
SSH_OPTS="-o ConnectTimeout=15 -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -o LogLevel=ERROR"
REBUILD_RUST=0
DO_PULL=1
DO_INIT=0
BUILD_RELEASE=0
BUILD_ARCH="arm64"
NEXT_IS_ARCH=0
for arg in "$@"; do
if [ "$NEXT_IS_ARCH" = "1" ]; then
BUILD_ARCH="$arg"
NEXT_IS_ARCH=0
continue
fi
case "$arg" in
--rust) REBUILD_RUST=1 ;;
--pull) DO_PULL=1 ;;
--no-pull) DO_PULL=0 ;;
--init) DO_INIT=1 ;;
--release) BUILD_RELEASE=1 ;;
--arch) NEXT_IS_ARCH=1 ;;
-h|--help)
sed -n '3,32p' "$0"
exit 0
;;
esac
done
# Validate --arch
case "$BUILD_ARCH" in
arm64|armv7|all) ;;
*) echo "ERROR: --arch must be arm64, armv7, or all (got: $BUILD_ARCH)"; exit 1 ;;
esac
if [ -z "$BRANCH" ]; then
echo "ERROR: could not determine target branch (detached HEAD?). Pass WZP_BRANCH=name."
exit 1
fi
echo "Target branch: $BRANCH arch: $BUILD_ARCH"
log() { echo -e "\033[1;36m>>> $*\033[0m"; }
ssh_cmd() { ssh -A $SSH_OPTS "$REMOTE_HOST" "$@"; }
notify_local() { curl -s -d "$1" "$NTFY_TOPIC" > /dev/null 2>&1 || true; }
mkdir -p "$LOCAL_OUTPUT"
log "Uploading remote build script..."
ssh_cmd "cat > /tmp/wzp-tauri-build.sh" <<'REMOTE_SCRIPT'
#!/usr/bin/env bash
set -euo pipefail
BASE_DIR="/mnt/storage/manBuilder"
NTFY_TOPIC="https://ntfy.sh/wzp"
BRANCH="${1:-feat/desktop-audio-rewrite}"
DO_PULL="${2:-1}"
REBUILD_RUST="${3:-0}"
DO_INIT="${4:-0}"
BUILD_RELEASE="${5:-0}"
BUILD_ARCH="${6:-arm64}"
LOG_FILE=/tmp/wzp-tauri-build.log
GIT_HASH="unknown" # populated after fetch
ENV_FILE="$BASE_DIR/.env"
notify() { curl -s -d "$1" "$NTFY_TOPIC" > /dev/null 2>&1 || true; }
# Upload a file to rustypaste; print URL on stdout (or empty on failure).
upload_to_rustypaste() {
local file="$1"
[ ! -f "$ENV_FILE" ] && { echo ""; return; }
# shellcheck disable=SC1090
source "$ENV_FILE"
if [ -n "${rusty_address:-}" ] && [ -n "${rusty_auth_token:-}" ]; then
curl -s -F "file=@$file" -H "Authorization: $rusty_auth_token" "$rusty_address" || echo ""
else
echo ""
fi
}
# On failure: upload the build log to rustypaste, then notify with hash + url.
on_error() {
local line="$1"
local log_url
log_url=$(upload_to_rustypaste "$LOG_FILE" || echo "")
if [ -n "$log_url" ]; then
notify "WZP Tauri Android build FAILED [$GIT_HASH] (line $line)
log: $log_url"
else
notify "WZP Tauri Android build FAILED [$GIT_HASH] (line $line) — log upload failed, see $LOG_FILE on remote"
fi
}
trap 'on_error $LINENO' ERR
exec > >(tee "$LOG_FILE") 2>&1
if [ "$DO_PULL" = "1" ]; then
echo ">>> git fetch + reset $BRANCH"
cd "$BASE_DIR/data/source"
git reset --hard HEAD 2>/dev/null || true
# NOTE: deliberately do NOT run `git clean -fd` here. It would wipe the
# tauri-generated `desktop/src-tauri/gen/android/` scaffold (gradlew,
# settings.gradle, etc.) which is expensive to recreate and breaks
# subsequent builds with "gradlew not found".
git gc --prune=now 2>/dev/null || true
git fetch origin "$BRANCH" 2>&1 | tail -3
git checkout "$BRANCH" 2>/dev/null || git checkout -b "$BRANCH" "origin/$BRANCH"
git reset --hard "origin/$BRANCH"
git submodule update --init || true
fi
GIT_HASH=$(cd "$BASE_DIR/data/source" && git rev-parse --short HEAD 2>/dev/null || echo unknown)
GIT_MSG=$(cd "$BASE_DIR/data/source" && git log -1 --pretty=%s 2>/dev/null | head -c 60 || echo "?")
notify "WZP Tauri Android build STARTED [$GIT_HASH] — $GIT_MSG"
# Fix perms so uid 1000 can write
find "$BASE_DIR/data/source" "$BASE_DIR/data/cache" \
! -user 1000 -o ! -group 1000 2>/dev/null | \
xargs -r chown 1000:1000 2>/dev/null || true
# Optionally clean rust target for android triples
if [ "$REBUILD_RUST" = "1" ]; then
echo ">>> Cleaning Rust android target dirs..."
rm -rf "$BASE_DIR/data/cache/target/aarch64-linux-android" \
"$BASE_DIR/data/cache/target/armv7-linux-androideabi" \
"$BASE_DIR/data/cache/target/i686-linux-android" \
"$BASE_DIR/data/cache/target/x86_64-linux-android"
fi
# Profile flag
PROFILE_FLAG="--debug"
[ "$BUILD_RELEASE" = "1" ] && PROFILE_FLAG=""
# Persist ~/.android (where the auto-generated debug.keystore lives) so every
# build is signed with the SAME key. Without this, every fresh container gets
# a new debug keystore and `adb install -r` fails with INSTALL_FAILED_UPDATE_
# INCOMPATIBLE because the signature changed.
mkdir -p "$BASE_DIR/data/cache/android-home"
chown 1000:1000 "$BASE_DIR/data/cache/android-home" 2>/dev/null || true
# ─── Determine target architectures ──────────────────────────────────────
# Maps BUILD_ARCH to cargo-ndk ABI names and cargo-tauri target names.
# BUILD_ARCH=arm64 → one APK; BUILD_ARCH=armv7 → one APK; BUILD_ARCH=all → two APKs.
case "$BUILD_ARCH" in
arm64) ARCH_LIST="arm64" ;;
armv7) ARCH_LIST="armv7" ;;
all) ARCH_LIST="arm64 armv7" ;;
esac
# Mapping functions (used inside docker via env vars)
# cargo-ndk ABI: arm64-v8a | armeabi-v7a
# cargo-tauri: aarch64 | armv7
# NDK sysroot: aarch64-linux-android | arm-linux-androideabi
docker run --rm \
--user 1000:1000 \
-e DO_INIT="$DO_INIT" \
-e PROFILE_FLAG="$PROFILE_FLAG" \
-e BUILD_ARCH="$BUILD_ARCH" \
-v "$BASE_DIR/data/source:/build/source" \
-v "$BASE_DIR/data/cache/cargo-registry:/home/builder/.cargo/registry" \
-v "$BASE_DIR/data/cache/cargo-git:/home/builder/.cargo/git" \
-v "$BASE_DIR/data/cache/target:/build/source/target" \
-v "$BASE_DIR/data/cache/gradle:/home/builder/.gradle" \
-v "$BASE_DIR/data/cache/android-home:/home/builder/.android" \
wzp-android-builder \
bash -c '
set -euo pipefail
cd /build/source/desktop
echo ">>> npm install"
npm install --silent 2>&1 | tail -5 || npm install 2>&1 | tail -20
cd src-tauri
# Run init if forced, OR if the gradle wrapper is missing. Just checking
# for `gen/android` is not enough — Tauri creates a few subdirectories
# during build (app/, buildSrc/, .gradle/) that survive a partial wipe and
# would make a naive `[ ! -d gen/android ]` check return false even though
# the build wrapper itself is gone.
if [ "${DO_INIT}" = "1" ] || [ ! -x gen/android/gradlew ]; then
echo ">>> cargo tauri android init"
cargo tauri android init 2>&1 | tail -20
fi
# ─── Arch list from BUILD_ARCH env var ───────────────────────────────────
case "${BUILD_ARCH}" in
arm64) ARCHS="arm64" ;;
armv7) ARCHS="armv7" ;;
all) ARCHS="arm64 armv7" ;;
*) ARCHS="arm64" ;;
esac
ndk_abi() {
case "$1" in
arm64) echo "arm64-v8a" ;;
armv7) echo "armeabi-v7a" ;;
esac
}
tauri_target() {
case "$1" in
arm64) echo "aarch64" ;;
armv7) echo "armv7" ;;
esac
}
ndk_sysroot_dir() {
case "$1" in
arm64) echo "aarch64-linux-android" ;;
armv7) echo "arm-linux-androideabi" ;;
esac
}
# ─── wzp-native standalone cdylib (built with cargo-ndk, not cargo-tauri) ──
# Produces libwzp_native.so which wzp-desktop dlopens at runtime via
# libloading. Split exists because cargo-tauri linker wiring pulls
# bionic private symbols into any cdylib with cc::Build C++, causing
# __init_tcb+4 SIGSEGV. cargo-ndk uses the same linker path as the
# legacy wzp-android crate which works.
JNILIBS_BASE=gen/android/app/src/main/jniLibs
for ARCH in $ARCHS; do
ABI=$(ndk_abi "$ARCH")
SYSROOT_DIR=$(ndk_sysroot_dir "$ARCH")
JNI_ABI_DIR="$JNILIBS_BASE/$ABI"
mkdir -p "$JNI_ABI_DIR"
echo ">>> cargo ndk build -p wzp-native --release -t $ABI"
(
cd /build/source
cargo ndk -t "$ABI" -o "desktop/src-tauri/$JNILIBS_BASE" \
build --release -p wzp-native 2>&1 | tail -10
)
if [ -f "$JNI_ABI_DIR/libwzp_native.so" ]; then
ls -lh "$JNI_ABI_DIR/libwzp_native.so"
else
echo ">>> WARNING: libwzp_native.so not produced for $ABI"
fi
# ─── libc++_shared.so — required by wzp-native at runtime ────────────
# wzp-native/build.rs uses cpp_link_stdlib(Some("c++_shared")) which adds
# a NEEDED entry for libc++_shared.so to libwzp_native.so. cargo-ndk does
# NOT copy the actual libc++_shared.so into jniLibs, so unless we copy it
# explicitly, the APK ships without it and the Android dynamic linker
# fails the dlopen with "library libc++_shared.so not found" at runtime.
if [ ! -f "$JNI_ABI_DIR/libc++_shared.so" ]; then
echo ">>> libc++_shared.so missing for $ABI, copying from NDK..."
NDK_LIBCXX=$(find "$ANDROID_NDK_HOME" -name "libc++_shared.so" -path "*/${SYSROOT_DIR}/*" | head -1)
if [ -n "$NDK_LIBCXX" ]; then
cp "$NDK_LIBCXX" "$JNI_ABI_DIR/"
ls -lh "$JNI_ABI_DIR/libc++_shared.so"
else
echo ">>> ERROR: libc++_shared.so not found in NDK for $ABI — APK will crash at dlopen time"
exit 1
fi
fi
done
# ─── Build per-arch APKs ────────────────────────────────────────────────
# When building for a single arch, only that arch jniLibs dir exists so
# the APK is naturally single-arch and smaller.
# When building --arch all, we produce SEPARATE per-arch APKs by:
# 1. Building each target individually with cargo tauri android build
# 2. Temporarily hiding the other arch jniLibs so the APK only contains one
# This keeps APKs small (~15-20MB instead of ~30-40MB for universal).
APK_OUTPUT_DIR="/build/source/target/apk-output"
mkdir -p "$APK_OUTPUT_DIR"
for ARCH in $ARCHS; do
TARGET=$(tauri_target "$ARCH")
ABI=$(ndk_abi "$ARCH")
# If building all, temporarily hide other arches to get single-arch APK
if [ "${BUILD_ARCH}" = "all" ]; then
for OTHER_ARCH in $ARCHS; do
OTHER_ABI=$(ndk_abi "$OTHER_ARCH")
if [ "$OTHER_ABI" != "$ABI" ] && [ -d "$JNILIBS_BASE/$OTHER_ABI" ]; then
mv "$JNILIBS_BASE/$OTHER_ABI" "$JNILIBS_BASE/_hide_$OTHER_ABI"
fi
done
fi
echo ""
echo ">>> cargo tauri android build ${PROFILE_FLAG} --target $TARGET --apk"
cargo tauri android build ${PROFILE_FLAG} --target "$TARGET" --apk
# Copy produced APK with arch suffix
BUILT_APK=$(find gen/android -name "*.apk" -newer "$APK_OUTPUT_DIR" -type f 2>/dev/null | head -1)
if [ -z "$BUILT_APK" ]; then
BUILT_APK=$(find gen/android -name "*.apk" -type f 2>/dev/null | sort -t/ -k1 | tail -1)
fi
if [ -n "$BUILT_APK" ]; then
OUT_APK="$APK_OUTPUT_DIR/wzp-tauri-${ARCH}.apk"
cp "$BUILT_APK" "$OUT_APK"
# ─── Sign release APKs with the project keystore ─────────────
# Release builds are unsigned by default. Sign with the release
# keystore (checked into the repo at android/keystore/) so the
# APK can be installed on real devices.
# Pick keystore + credentials (release preferred, debug fallback)
KS_RELEASE="/build/source/android/keystore/wzp-release.jks"
KS_DEBUG="/build/source/android/keystore/wzp-debug.jks"
if [ -f "$KS_RELEASE" ]; then
KEYSTORE="$KS_RELEASE"; KS_PASS="wzphone2024"; KS_ALIAS="wzp-release"
elif [ -f "$KS_DEBUG" ]; then
KEYSTORE="$KS_DEBUG"; KS_PASS="android"; KS_ALIAS="wzp-debug"
else
KEYSTORE=""
fi
if [ -n "$KEYSTORE" ]; then
ZIPALIGN=$(find "$ANDROID_HOME" -name zipalign -type f 2>/dev/null | head -1)
APKSIGNER=$(find "$ANDROID_HOME" -name apksigner -type f 2>/dev/null | head -1)
if [ -n "$ZIPALIGN" ] && [ -n "$APKSIGNER" ]; then
echo ">>> Signing $ARCH APK with $(basename "$KEYSTORE")..."
ALIGNED="$APK_OUTPUT_DIR/wzp-tauri-${ARCH}-aligned.apk"
"$ZIPALIGN" -f 4 "$OUT_APK" "$ALIGNED"
"$APKSIGNER" sign \
--ks "$KEYSTORE" \
--ks-pass "pass:$KS_PASS" \
--ks-key-alias "$KS_ALIAS" \
--key-pass "pass:$KS_PASS" \
"$ALIGNED"
mv "$ALIGNED" "$OUT_APK"
echo ">>> Signed: $(ls -lh "$OUT_APK" | awk "{print \$5}")"
else
echo ">>> WARNING: zipalign/apksigner not found — APK is unsigned"
fi
else
echo ">>> WARNING: no keystore found — APK is unsigned"
fi
echo ">>> $ARCH APK: $(ls -lh "$OUT_APK" | awk "{print \$5}")"
fi
# Restore hidden arches
if [ "${BUILD_ARCH}" = "all" ]; then
for OTHER_ARCH in $ARCHS; do
OTHER_ABI=$(ndk_abi "$OTHER_ARCH")
if [ "$OTHER_ABI" != "$ABI" ] && [ -d "$JNILIBS_BASE/_hide_$OTHER_ABI" ]; then
mv "$JNILIBS_BASE/_hide_$OTHER_ABI" "$JNILIBS_BASE/$OTHER_ABI"
fi
done
fi
done
echo ""
echo ">>> Build artifacts:"
ls -lh "$APK_OUTPUT_DIR/"*.apk 2>/dev/null || echo " (none)"
'
# ─── Collect and upload APKs ────────────────────────────────────────────
# target/ is mounted from cache, not source
APK_OUTPUT="$BASE_DIR/data/cache/target/apk-output"
APK_LIST=$(find "$APK_OUTPUT" -name "wzp-tauri-*.apk" -type f 2>/dev/null | sort)
if [ -z "$APK_LIST" ]; then
LOG_URL=$(upload_to_rustypaste "$LOG_FILE" || echo "")
if [ -n "$LOG_URL" ]; then
notify "WZP Tauri Android build [$GIT_HASH]: no APK produced
log: $LOG_URL"
else
notify "WZP Tauri Android build [$GIT_HASH]: no APK produced — log upload failed"
fi
exit 1
fi
# Upload each APK and collect URLs
NOTIFY_MSG="WZP Tauri Android build OK [$GIT_HASH] ($BUILD_ARCH)"
APK_PATHS=""
for APK in $APK_LIST; do
APK_NAME=$(basename "$APK")
APK_SIZE=$(du -h "$APK" | cut -f1)
RUSTY_URL=$(upload_to_rustypaste "$APK" || echo "")
if [ -n "$RUSTY_URL" ]; then
NOTIFY_MSG="$NOTIFY_MSG
$APK_NAME ($APK_SIZE): $RUSTY_URL"
else
NOTIFY_MSG="$NOTIFY_MSG
$APK_NAME ($APK_SIZE) — upload skipped"
fi
APK_PATHS="$APK_PATHS $APK"
done
notify "$NOTIFY_MSG"
# Print paths so the local script can grab them
for APK in $APK_LIST; do
echo "APK_REMOTE_PATH=$APK"
done
REMOTE_SCRIPT
ssh_cmd "chmod +x /tmp/wzp-tauri-build.sh"
notify_local "WZP Tauri Android build dispatched (branch=$BRANCH, arch=$BUILD_ARCH, release=$BUILD_RELEASE)"
log "Triggering remote build (branch=$BRANCH, arch=$BUILD_ARCH)..."
# Run; last lines are APK_REMOTE_PATH=... (one per arch)
REMOTE_OUTPUT=$(ssh_cmd "/tmp/wzp-tauri-build.sh '$BRANCH' '$DO_PULL' '$REBUILD_RUST' '$DO_INIT' '$BUILD_RELEASE' '$BUILD_ARCH'" || true)
echo "$REMOTE_OUTPUT" | tail -60
# Download all produced APKs
APK_REMOTES=$(echo "$REMOTE_OUTPUT" | grep '^APK_REMOTE_PATH=' | cut -d= -f2-)
if [ -z "$APK_REMOTES" ]; then
log "No APK produced — see ntfy / remote log /tmp/wzp-tauri-build.log"
exit 1
fi
DOWNLOADED=0
echo "$APK_REMOTES" | while IFS= read -r APK_REMOTE; do
[ -z "$APK_REMOTE" ] && continue
APK_NAME=$(basename "$APK_REMOTE")
log "Downloading $APK_NAME..."
scp $SSH_OPTS "$REMOTE_HOST:$APK_REMOTE" "$LOCAL_OUTPUT/$APK_NAME"
echo " $LOCAL_OUTPUT/$APK_NAME ($(du -h "$LOCAL_OUTPUT/$APK_NAME" | cut -f1))"
DOWNLOADED=$((DOWNLOADED + 1))
done
log "Done! APKs in $LOCAL_OUTPUT/"
ls -lh "$LOCAL_OUTPUT"/wzp-tauri-*.apk 2>/dev/null || true
Reference in New Issue View Git Blame Copy Permalink