ci: fix android signing

- points to `fix-android-signing` branch in status-jenkins-lib
- use gradle build flavours for PR and Release.
- signing config moved to gradle

Author: siddarthkay

ci/Jenkinsfile.android

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.31'
+library 'status-jenkins-lib@fix-android-signing'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()
@@ -11,7 +11,7 @@ pipeline {
     /* Image with Ubuntu 22.04, QT 6.9.2, Android SDK/NDK, Go, and Nim */
     docker {
       label 'linuxcontainer'
-      image 'harbor.status.im/status-im/status-desktop-build:1.0.6-qt6.9.2-android'
+      image 'harbor.status.im/status-im/status-desktop-build:1.0.7-qt6.9.2-android'
       alwaysPull true
       args '--entrypoint="" ' +
            '--volume=/nix:/nix ' +
@@ -70,8 +70,11 @@ pipeline {
     QMAKE = "/opt/qt/${env.QT_VERSION}/android_arm64_v8a/bin/qmake"
     /* override package type if set, otherwise auto-select based on branch */
     PACKAGE_TYPE = "${params.PACKAGE_TYPE != 'auto' ? params.PACKAGE_TYPE : (isReleaseBranch ? 'aab' : 'apk')}"
+    /* BUILD_VARIANT controls package name and signing: pr = app.status.mobile.pr, release = app.status.mobile */
+    BUILD_VARIANT = "${utils.isReleaseBuild() ? 'release' : 'pr'}"
+    STATUS_ANDROID_APP_NAME = "${utils.isReleaseBuild() ? 'Status' : 'StatusPR'}"
     STATUS_ARTIFACT = "pkg/${utils.pkgFilename(ext: env.PACKAGE_TYPE, arch: 'arm64', version: env.VERSION, type: env.APP_TYPE)}"
-    STATUS_BINARY = "${WORKSPACE}/mobile/bin/android/qt6/Status.${env.PACKAGE_TYPE}"
+    STATUS_BINARY = "${WORKSPACE}/mobile/bin/android/qt6/${env.STATUS_ANDROID_APP_NAME}.${env.PACKAGE_TYPE}"
     NIM_SDS_SOURCE_DIR = "${env.WORKSPACE_TMP}/nim-sds"
   }
 

ci/README.md

@@ -26,3 +26,48 @@ It also expects the presence of the following credentials:
 * `macos-keychain-file` - Keychain file with the MacOS signing certificate.
 
 You can read about how to create such a keychain [here](https://github.com/status-im/infra-docs/blob/master/articles/macos_signing_keychain.md).
+
+## Android
+
+Android builds use separate signing configurations for PR and release builds to ensure proper app differentiation.
+
+### Bundle Identifiers (Application IDs)
+
+| Build Type | Application ID         | Output Name  |
+|------------|------------------------|--------------|
+| PR builds  | `app.status.mobile.pr` | `StatusPR`   |
+| Release    | `app.status.mobile`    | `Status`     |
+
+### Signing Configuration
+
+| Build Type | Keystore Credential               | Purpose                        |
+|------------|-----------------------------------|--------------------------------|
+| PR builds  | `status-app-pr-keystore`          | Testing on any Android device  |
+| Release    | `status-app-release-keystore`     | Google Play Store releases     |
+
+### Environment Variables
+
+The `BUILD_VARIANT` environment variable controls which Gradle product flavor is built:
+- `BUILD_VARIANT=pr` - Builds `prRelease` flavor with app name "Status PR"
+- `BUILD_VARIANT=release` (default) - Builds `productionRelease` flavor with app name "Status"
+
+Gradle reads signing credentials from these environment variables:
+
+| PR Build Variables         | Release Build Variables        |
+|----------------------------|--------------------------------|
+| `PR_KEYSTORE_PATH`         | `RELEASE_KEYSTORE_PATH`        |
+| `PR_KEYSTORE_PASSWORD`     | `RELEASE_KEYSTORE_PASSWORD`    |
+| `PR_KEY_ALIAS`             | `RELEASE_KEY_ALIAS`            |
+| `PR_KEY_PASSWORD`          | `RELEASE_KEY_PASSWORD`         |
+
+### Jenkins Credentials Required
+
+For PR builds:
+- `status-app-pr-keystore` - Keystore file for PR signing → `PR_KEYSTORE_PATH`
+- `status-app-pr-keystore-password` - Keystore password → `PR_KEYSTORE_PASSWORD`
+- `status-app-pr-keystore-key` - Key alias/password → `PR_KEY_ALIAS` / `PR_KEY_PASSWORD`
+
+For Release builds:
+- `status-app-release-keystore` - Keystore file for release signing → `RELEASE_KEYSTORE_PATH`
+- `status-app-release-keystore-password` - Keystore password → `RELEASE_KEYSTORE_PASSWORD`
+- `status-app-release-keystore-key` - Key alias/password → `RELEASE_KEY_ALIAS` / `RELEASE_KEY_PASSWORD`

mobile/android/qt6/AndroidManifest.xml

@@ -1,9 +1,7 @@
 <?xml version="1.0"?>
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
     package="app.status.mobile"
-    android:installLocation="auto"
-    android:versionCode="-- %%INSERT_VERSION_CODE%% --"
-    android:versionName="-- %%INSERT_VERSION_NAME%% --">
+    android:installLocation="auto">
     <!-- non-dangerous permissions -->
     <uses-permission android:name="android.permission.INTERNET"/>
     <uses-permission android:name="android.permission.NFC"/>
@@ -60,6 +58,19 @@
           <meta-data
                 android:name="android.app.arguments"
                 android:value="" />
+
+          <!-- Required for Qt6 to properly detect and load native libraries -->
+          <meta-data
+                android:name="android.app.system_libs_prefix"
+                android:value="/system/lib64/" />
+
+          <meta-data
+                android:name="android.app.use_local_qt_libs"
+                android:value="1" />
+
+          <meta-data
+                android:name="android.app.bundle_local_qt_libs"
+                android:value="1" />
         </activity>
 
         <provider

mobile/android/qt6/build.gradle

@@ -91,6 +91,42 @@ android {
         versionCode = (System.currentTimeMillis() / 60000).toInteger()
     }
 
+    signingConfigs {
+        pr {
+            storeFile file(System.getenv("PR_KEYSTORE_PATH") ?: "/dev/null")
+            storePassword System.getenv("PR_KEYSTORE_PASSWORD") ?: ""
+            keyAlias System.getenv("PR_KEY_ALIAS") ?: ""
+            keyPassword System.getenv("PR_KEY_PASSWORD") ?: ""
+        }
+        production {
+            storeFile file(System.getenv("RELEASE_KEYSTORE_PATH") ?: "/dev/null")
+            storePassword System.getenv("RELEASE_KEYSTORE_PASSWORD") ?: ""
+            keyAlias System.getenv("RELEASE_KEY_ALIAS") ?: ""
+            keyPassword System.getenv("RELEASE_KEY_PASSWORD") ?: ""
+        }
+    }
+
+    flavorDimensions "variant"
+
+    productFlavors {
+        pr {
+            dimension "variant"
+            applicationId "app.status.mobile.pr"
+            resValue "string", "app_name", "StatusPR"
+            if (System.getenv("PR_KEYSTORE_PATH") && file(System.getenv("PR_KEYSTORE_PATH")).exists()) {
+                signingConfig signingConfigs.pr
+            }
+        }
+        production {
+            dimension "variant"
+            applicationId "app.status.mobile"
+            resValue "string", "app_name", "Status"
+            if (System.getenv("RELEASE_KEYSTORE_PATH") && file(System.getenv("RELEASE_KEYSTORE_PATH")).exists()) {
+                signingConfig signingConfigs.production
+            }
+        }
+    }
+
     buildTypes {
         release {
             debuggable = false

mobile/android/qt6/gradle.properties

@@ -0,0 +1,11 @@
+android.useAndroidX=true
+qtGradlePluginType=com.android.application
+androidPackageName=app.status.mobile
+androidBuildToolsVersion=35.0.0
+androidCompileSdkVersion=android-35
+androidNdkVersion=27.2.12479018
+qtAndroidDir=/opt/qt/6.9.2/android_arm64_v8a/src/android/java
+qtMinSdkVersion=28
+qtTargetSdkVersion=35
+qtTargetAbiList=arm64-v8a
+org.gradle.jvmargs=-Xmx8704M -XX:+UseParallelGC

mobile/android/qt6/res/xml/qtprovider_paths.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<paths>
+    <external-path name="external_files" path="." />
+    <cache-path name="cache" path="." />
+    <files-path name="files" path="." />
+</paths>

mobile/android/qt6/settings.gradle

@@ -0,0 +1,9 @@
+pluginManagement {
+    repositories {
+        google()
+        mavenCentral()
+        gradlePluginPortal()
+    }
+}
+
+rootProject.name = 'android-build'

mobile/docker/Dockerfile

@@ -394,6 +394,13 @@ RUN apt update -yq && apt install -yq software-properties-common \
     --slave /usr/bin/g++ g++ /usr/bin/g++-9 \
  && apt-get -qq clean
 
-ENV PATH="/root/go/bin:${PATH}"
+ARG GRADLE_VERSION=8.11.1
+RUN wget -q https://services.gradle.org/distributions/gradle-${GRADLE_VERSION}-bin.zip -O /tmp/gradle.zip \
+ && unzip -q /tmp/gradle.zip -d /opt \
+ && ln -s /opt/gradle-${GRADLE_VERSION} /opt/gradle \
+ && rm /tmp/gradle.zip
+
+ENV GRADLE_HOME=/opt/gradle
+ENV PATH="/opt/gradle/bin:/root/go/bin:${PATH}"
 
 LABEL description="Build image for the Status Android APK."

mobile/scripts/buildApp.sh

@@ -12,10 +12,17 @@ ANDROID_ABI=${ANDROID_ABI:-"arm64-v8a"}
 BUILD_TYPE=${BUILD_TYPE:-"apk"}
 SIGN_IOS=${SIGN_IOS:-"false"}
 
+# BUILD_VARIANT controls package name and signing:
+# - "pr" = app.status.mobile.pr with PR keystore
+# - "release" or unset = app.status.mobile with release keystore
+BUILD_VARIANT=${BUILD_VARIANT:-"release"}
+export BUILD_VARIANT
+
 QMAKE_BIN="${QMAKE:-qmake}"
 QMAKE_CONFIG="CONFIG+=device CONFIG+=release"
 
 echo "Building wrapperApp for ${OS}, ${ANDROID_ABI}"
+echo "Build variant: ${BUILD_VARIANT}"
 
 mkdir -p "${BUILD_DIR}"
 cd "${BUILD_DIR}"
@@ -26,9 +33,9 @@ DESKTOP_VERSION=$(eval cd "$STATUS_DESKTOP" && git describe --tags --dirty="-dir
 TIMESTAMP=$(($(date +%s) * 1000 / 60000))
 
 if [[ -n "${CHANGE_ID:-}" ]]; then
-    BUILD_VERSION="${CHANGE_ID}.${TIMESTAMP}"
+  BUILD_VERSION="${CHANGE_ID}.${TIMESTAMP}"
 else
-    BUILD_VERSION="${TIMESTAMP}"
+  BUILD_VERSION="${TIMESTAMP}"
 fi
 
 echo "Using version: $DESKTOP_VERSION; build version: $BUILD_VERSION"
@@ -42,84 +49,102 @@ if [[ "${OS}" == "android" ]]; then
   echo "Building for Android 35"
   ANDROID_PLATFORM=android-35
 
+  # Map BUILD_VARIANT to gradle flavor
+  if [[ "$BUILD_VARIANT" == "pr" ]]; then
+    GRADLE_FLAVOR="pr"
+    OUTPUT_NAME="StatusPR"
+  else
+    GRADLE_FLAVOR="production"
+    OUTPUT_NAME="Status"
+  fi
+
+  echo "Using Gradle flavor: $GRADLE_FLAVOR"
+  echo "Target name: $OUTPUT_NAME"
+
   "$QMAKE_BIN" "$CWD/../wrapperApp/Status.pro" "$QMAKE_CONFIG" -spec android-clang ANDROID_ABIS="$ANDROID_ABI" APP_VARIANT="${APP_VARIANT}" VERSION="$DESKTOP_VERSION" -after
 
   # Build the app
   make -j"$(nproc)" apk_install_target
 
-  if [[ "$BUILD_TYPE" == "aab" ]]; then
-    if [[ -z "$KEYSTORE_PATH" || -z "$KEYSTORE_PASSWORD" || -z "$KEY_ALIAS" || -z "$KEY_PASSWORD" ]]; then
-      echo "Error: AAB builds require signing credentials"
-      echo "Required: KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD"
-      exit 1
-    fi
+  # aux-mode copies dependencies AND generates libs.xml
+  echo "Preparing Android build..."
+  androiddeployqt \
+    --input "$BUILD_DIR/android-${OUTPUT_NAME}-deployment-settings.json" \
+    --output "$BUILD_DIR/android-build" \
+    --android-platform "$ANDROID_PLATFORM" \
+    --verbose \
+    --aux-mode
+
+  # Build with gradle directly to use product flavors
+  CUSTOM_ANDROID="$CWD/../android/qt${QT_MAJOR}"
+  ANDROID_BUILD="$BUILD_DIR/android-build"
+
+  # Override with custom Android files (manifest, gradle for flavors, src)
+  # Keep Qt-generated res/ (including libs.xml) but add our custom resources
+  cp "$CUSTOM_ANDROID/AndroidManifest.xml" "$ANDROID_BUILD/"
+  cp "$CUSTOM_ANDROID/build.gradle" "$ANDROID_BUILD/"
+  cp "$CUSTOM_ANDROID/settings.gradle" "$ANDROID_BUILD/"
+  cp "$CUSTOM_ANDROID/gradle.properties" "$ANDROID_BUILD/"
+
+  # Copy custom res files (icons, styles, etc.) but preserve Qt-generated libs.xml
+  if [[ -d "$CUSTOM_ANDROID/res" ]]; then
+    # Copy everything except values/libs.xml (Qt generates that)
+    find "$CUSTOM_ANDROID/res" -type f ! -name "libs.xml" -exec sh -c '
+      src="$1"
+      rel="${src#'"$CUSTOM_ANDROID/res/"'}"
+      dest="'"$ANDROID_BUILD/res/"'$rel"
+      mkdir -p "$(dirname "$dest")"
+      cp "$src" "$dest"
+    ' _ {} \;
+  fi
 
-    if [[ ! -f "$KEYSTORE_PATH" ]]; then
-      echo "Error: Keystore file not found at $KEYSTORE_PATH"
-      exit 1
-    fi
+  if [[ -d "$CUSTOM_ANDROID/src" ]]; then
+    mkdir -p "$ANDROID_BUILD/src"
+    cp -r "$CUSTOM_ANDROID/src/"* "$ANDROID_BUILD/src/"
+  fi
+
+  cd "$BUILD_DIR/android-build"
 
-    echo "Building AAB..."
-    androiddeployqt \
-      --input "$BUILD_DIR/android-Status-deployment-settings.json" \
-      --output "$BUILD_DIR/android-build" \
-      --aab \
-      --release \
-      --android-platform "$ANDROID_PLATFORM"
+  if [[ "$BUILD_TYPE" == "aab" ]]; then
+    echo "Building AAB with flavor: $GRADLE_FLAVOR..."
+    gradle "bundle${GRADLE_FLAVOR^}Release" --no-daemon
 
-    OUTPUT_FILE="$BUILD_DIR/android-build/build/outputs/bundle/release/android-build-release.aab"
+    OUTPUT_FILE="$BUILD_DIR/android-build/build/outputs/bundle/${GRADLE_FLAVOR}Release/android-build-${GRADLE_FLAVOR}-release.aab"
     if [[ ! -f "$OUTPUT_FILE" ]]; then
       echo "Error: Could not find generated AAB file at $OUTPUT_FILE"
+      echo "Looking for AAB files..."
+      find "$BUILD_DIR/android-build/build/outputs" -name "*.aab" 2>/dev/null
       exit 1
     fi
 
-    # Sign the AAB file (androiddeployqt --sign does not work for AAB files)
-    "$CWD/android/sign.sh" "$OUTPUT_FILE"
-
     ANDROID_OUTPUT_DIR="bin/android/qt6"
     BIN_DIR_ANDROID=${BIN_DIR:-"$CWD/$ANDROID_OUTPUT_DIR"}
     mkdir -p "$BIN_DIR_ANDROID"
-    cp "$OUTPUT_FILE" "$BIN_DIR_ANDROID/Status.aab"
-    echo "Build succeeded. Signed AAB is available at $BIN_DIR_ANDROID/Status.aab"
+    cp "$OUTPUT_FILE" "$BIN_DIR_ANDROID/${OUTPUT_NAME}.aab"
+    echo "Build succeeded. AAB is available at $BIN_DIR_ANDROID/${OUTPUT_NAME}.aab"
   else
-    # APK build
-    NEEDS_SIGNING="false"
-    if [[ -n "$KEYSTORE_PATH" && -n "$KEYSTORE_PASSWORD" && -n "$KEY_ALIAS" && -n "$KEY_PASSWORD" ]]; then
-      if [[ -f "$KEYSTORE_PATH" ]]; then
-        NEEDS_SIGNING="true"
-      fi
-    fi
+    echo "Building APK with flavor: $GRADLE_FLAVOR..."
+    echo "Contents of android-build directory:"
+    ls -la
+    gradle "assemble${GRADLE_FLAVOR^}Release" --no-daemon --info --stacktrace
 
-    if [[ "$NEEDS_SIGNING" == "true" ]]; then
-      echo "Building signed APK..."
-      androiddeployqt \
-        --input "$BUILD_DIR/android-Status-deployment-settings.json" \
-        --output "$BUILD_DIR/android-build" \
-        --apk "$BUILD_DIR/android-build/Status.apk" \
-        --release \
-        --android-platform "$ANDROID_PLATFORM" \
-        --sign "$KEYSTORE_PATH" "$KEY_ALIAS" \
-        --storepass "$KEYSTORE_PASSWORD" \
-        --keypass "$KEY_PASSWORD"
-    else
-      echo "Building unsigned APK..."
-      androiddeployqt \
-        --input "$BUILD_DIR/android-Status-deployment-settings.json" \
-        --output "$BUILD_DIR/android-build" \
-        --apk "$BUILD_DIR/android-build/Status.apk" \
-        --android-platform "$ANDROID_PLATFORM"
+    OUTPUT_FILE="$BUILD_DIR/android-build/build/outputs/apk/${GRADLE_FLAVOR}/release/android-build-${GRADLE_FLAVOR}-release.apk"
+    if [[ ! -f "$OUTPUT_FILE" ]]; then
+      # Try alternative path
+      OUTPUT_FILE="$BUILD_DIR/android-build/build/outputs/apk/${GRADLE_FLAVOR}/release/android-build-${GRADLE_FLAVOR}-release-unsigned.apk"
+    fi
+    if [[ ! -f "$OUTPUT_FILE" ]]; then
+      echo "Error: Could not find generated APK file"
+      echo "Looking for APK files..."
+      find "$BUILD_DIR/android-build/build/outputs" -name "*.apk" 2>/dev/null
+      exit 1
     fi
 
     ANDROID_OUTPUT_DIR="bin/android/qt6"
     BIN_DIR_ANDROID=${BIN_DIR:-"$CWD/$ANDROID_OUTPUT_DIR"}
     mkdir -p "$BIN_DIR_ANDROID"
-    cp ./android-build/Status.apk "$BIN_DIR_ANDROID/Status.apk"
-
-    if [[ "$NEEDS_SIGNING" == "true" ]]; then
-      echo "Build succeeded. Signed APK is available at $BIN_DIR_ANDROID/Status.apk"
-    else
-      echo "Build succeeded. Unsigned APK is available at $BIN_DIR_ANDROID/Status.apk"
-    fi
+    cp "$OUTPUT_FILE" "$BIN_DIR_ANDROID/${OUTPUT_NAME}.apk"
+    echo "Build succeeded. APK is available at $BIN_DIR_ANDROID/${OUTPUT_NAME}.apk"
   fi
 else
   "$QMAKE_BIN" "$CWD/../wrapperApp/Status.pro" "$QMAKE_CONFIG" -spec macx-ios-clang CONFIG+="$SDK" VERSION="$DESKTOP_VERSION" -after

mobile/wrapperApp/Status.pro

@@ -2,6 +2,15 @@ TEMPLATE = app
 
 QT += quick gui qml webview svg widgets multimedia
 
+BUILD_VARIANT = $$(BUILD_VARIANT)
+equals(BUILD_VARIANT, "pr") {
+    TARGET = StatusPR
+    message("Building PR variant: TARGET = StatusPR")
+} else {
+    TARGET = Status
+    message("Building production variant: TARGET = Status")
+}
+
 equals(QT_MAJOR_VERSION, 6) {
     message("qt 6 config!!")
     QT += core5compat core