Add proguard optimization to the Android release build

complexspaces · complexspaces · commit 0ffaf4a91d53 · 2023-09-02T14:05:37.000-05:00
This allows us to reliably remove all `*mock*` references from the Kotlin
verifier code in production builds. By doing so, it is statically provable
that test-only code can't be called despite Java/Kotlin not supporting
true compile-time guards like Rust's `cfg!`.

By ensuring branches which access `mock` functionality are removed at
compile-time by `java`, `proguard` is able to delete the class parts
natually because they are not referenced anywhere.

Additionally, this has postiive size/performance impacts as it performs
optimizationson the bytecode.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -159,3 +159,14 @@ jobs:
         run: |
           cd ./android
           ./gradlew ktlint
+
+  verify_android:
+    name: Verify Android artifacts
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+      
+      - name: Verify release artifact
+        run: ./ci/verify_android_release.sh
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
 /target
 .DS_Store
 /.idea
+
+/android/verification/
diff --git a/android/rustls-platform-verifier/build.gradle b/android/rustls-platform-verifier/build.gradle
@@ -39,7 +39,8 @@ android {
 
     buildTypes {
         release {
-            minifyEnabled false
+            minifyEnabled true
+            proguardFiles "proguard-rules.pro"
         }
 
         debug {
diff --git a/android/rustls-platform-verifier/proguard-rules.pro b/android/rustls-platform-verifier/proguard-rules.pro
@@ -0,0 +1,41 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+-keepattributes SourceFile,LineNumberTable,MethodAttributes
+# Everything is called via the JNI, so code must not be removed or renamed
+# in a way Rust can't see.
+-dontobfuscate
+
+# We need this function (and class) in all builds for Rust to call because its the JNI entrypoint
+# for the verifier functionality.
+-keep class org.rustls.platformverifier.CertificateVerifier {
+    verifyCertificateChain(
+        android.content.Context,
+        java.lang.String,
+        java.lang.String,
+        java.lang.String[],
+        byte[],
+        long,
+        byte[][]
+    );
+}
+
+# We need these classes so Rust can load their class definitions at runtime
+# and access their fields at runtime.
+-keep class org.rustls.platformverifier.StatusCode { *; }
+-keep class org.rustls.platformverifier.VerificationResult { *; }
+
+# Note: We don't explicitly tell Proguard to remove test-only methods. They are instead
+# removed as dead code because `javac` removes all references to them when not building
+# in a test configuration.
+
+# This can be uncommented during development if needed to quickly check if
+# a few test-only methods/fields are being removed by build time.
+# -whyareyoukeeping class org.rustls.platformverifier.CertificateVerifier {
+#   private java.security.KeyStore mockKeystore;
+#    addMockRoot(byte[]);
+#}
diff --git a/ci/verify_android_release.sh b/ci/verify_android_release.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# This script's purpose is to verify that no test-only code is present inside of the release-mode Android artifact.
+# It is validating that `javac` is performing the dead-code elimiation we expect and that `proguard` is deleting the
+# unreferenced test code. This can be ran both locally and in CI.
+#
+# It accomplishes this goal by building the artifact and then running a decompiler on it to look for names we expect or do not.
+
+set -euo pipefail
+
+mkdir -p ./android/verification
+
+pushd ./android/
+
+./gradlew clean
+./gradlew assembleRelease
+
+pushd ./verification
+
+if [ ! -f "./bin/jadx" ]; then
+    echo "Decompiler not yet installed, downloading jadx"
+    curl -L https://github.com/skylot/jadx/releases/download/v1.4.7/jadx-1.4.7.zip --output jadx.zip
+    unzip jadx.zip
+    echo "jadx downloaded"
+fi
+
+./bin/jadx -d decompiled ../rustls-platform-verifier/build/outputs/aar/rustls-platform-verifier-release.aar
+
+if grep -r -q "mock" ./decompiled; then
+    echo "❌ Test-only code exists in release artifact! Please review changes made to locate the cause".
+    exit 1
+else 
+    echo "✅ No test-only code found in release artifact"
+fi
+
+if grep -r -q "verifyCertificateChain" ./decompiled; then
+    echo "✅ JNI entrypoint present in release artifact"
+else 
+    echo "❌ JNI entrypoint not found in release artifact! Please review changes made to optimization rules which might cause this"
+    exit 1
+fi

-Original file line number
+Diff line change
@@ @@ -1,3 +1,5 @@ @@
 /target
 .DS_Store
 /.idea
++
 +/android/verification/
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,8 @@ android {`
`39`	`39`
`40`	`40`	`buildTypes {`
`41`	`41`	`release {`
`42`		`- minifyEnabled false`
	`42`	`+ minifyEnabled true`
	`43`	`+ proguardFiles "proguard-rules.pro"`
`43`	`44`	`}`
`44`	`45`
`45`	`46`	`debug {`