Skip to content

Add compatibility with rustls#6367

Merged
jmartinesp merged 5 commits intorenovate/org.matrix.rustcomponents-sdk-android-26.xfrom
fix/rustls-with-android
Mar 19, 2026
Merged

Add compatibility with rustls#6367
jmartinesp merged 5 commits intorenovate/org.matrix.rustcomponents-sdk-android-26.xfrom
fix/rustls-with-android

Conversation

@jmartinesp
Copy link
Member

@jmartinesp jmartinesp commented Mar 17, 2026
edited
Loading

Content

A new rustls-platform-verifier-android library has to be added to the project, it'll be called from Rust to get access to the certificates on Android.

Originally, this was supposed to be added as a local maven repo pointing to the rust crate that publishes the AAR, but that's just plain terrible (more details here).

Instead, what we can do is use a script that uses cargo-download to download the latest crate or a specified version, unzip it and add the aar file to the :libraries:matrix:impl module.

Motivation and context

Android counterpart of matrix-org/matrix-rust-sdk#6306.

Tests

Without any self-signed certificates - those are still failing - try a fresh login to any homeserver. When I tried this before, every request was failing because rustls couldn't fetch Android's credentials storage.

Tested devices

  • Physical
  • Emulator
  • OS version(s): 16

Checklist

  • Changes have been tested on an Android device or Android emulator with API 24
  • UI change has been tested on both light and dark themes
  • Accessibility has been taken into account. See https://github.com/element-hq/element-x-android/blob/develop/CONTRIBUTING.md#accessibility
  • Pull request is based on the develop branch
  • Pull request title will be used in the release note, it clearly define what will change for the user
  • Pull request includes screenshots or videos if containing UI changes
  • You've made a self review of your PR

@jmartinesp jmartinesp added the PR-Wip For anything that isn't ready to ship and will be enabled at a later date label Mar 17, 2026
@jmartinesp jmartinesp changed the title Add compatibility with RustTLS Add compatibility with rustls Mar 17, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 17, 2026
edited
Loading

📱 Scan the QR code below to install the build (arm64 only) for this PR.
QR code
If you can't scan the QR code you can install the build via this link: https://i.diawi.com/u1znJi

@codecov
Copy link

codecov bot commented Mar 17, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.22%. Comparing base (76e1214) to head (e49a209).
⚠️ Report is 1 commits behind head on renovate/org.matrix.rustcomponents-sdk-android-26.x.

Additional details and impacted files 
@@                                   Coverage Diff                                   @@
##           renovate/org.matrix.rustcomponents-sdk-android-26.x    #6367      +/-   ##
=======================================================================================
+ Coverage                                                81.20%   81.22%   +0.02%     
=======================================================================================
  Files                                                     2580     2579       -1     
  Lines                                                    70307    70280      -27     
  Branches                                                  9031     9031              
=======================================================================================
- Hits                                                     57091    57086       -5     
+ Misses                                                    9858     9836      -22     
  Partials                                                  3358     3358

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@jmartinesp
Add compatibility with RustTLS
b716a3d 
A new `rustls-platform-verifier-android` library has to be added to the project, it'll be called from Rust to get access to the certificates on Android.

Originally, this was supposed to be added as a local maven repo pointing to the rust crate that publishes the AAR, but that's just plain terrible (more details [here](https://github.com/rustls/rustls-platform-verifier#android).

Instead, what we can do is use a script that uses `cargo-download` to download the latest crate or a specified version, unzip it and add the `aar` file to the `:libraries:matrix:impl` module.
@jmartinesp
Try fixing Sonar with local AAR files
730ef87
@jmartinesp
Enable SSL verification again
4a62aaa
@jmartinesp
Remove UserCertificatesProvider
02892a7 
This is no longer needed after integrating rustls
@jmartinesp jmartinesp force-pushed the fix/rustls-with-android branch from 0e2873c to 02892a7 Compare March 18, 2026 18:12
@jmartinesp jmartinesp changed the base branch from develop to renovate/org.matrix.rustcomponents-sdk-android-26.x March 18, 2026 18:12
@jmartinesp jmartinesp marked this pull request as ready for review March 18, 2026 18:13
@jmartinesp jmartinesp requested a review from a team as a code owner March 18, 2026 18:13
@jmartinesp jmartinesp requested review from ganfra and removed request for a team March 18, 2026 18:13
ganfra
ganfra approved these changes Mar 18, 2026
View reviewed changes
Copy link
Member

@ganfra ganfra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM I guess, I trust you on this!

One question, when should we call the script exactly?

.github/workflows/sonar.yml
cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
- name: Build debug code and test fixtures
run: ./gradlew assembleDebug createFullJarDebugTestFixtures :app:createFullJarGplayDebugTestFixtures $CI_GRADLE_ARG_PROPERTIES
run: ./gradlew assembleGplayDebug createFullJarDebugTestFixtures :app:createFullJarGplayDebugTestFixtures $CI_GRADLE_ARG_PROPERTIES
Copy link
Member

@ganfra ganfra Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why changing this here?

Copy link
Member Author

@jmartinesp jmartinesp Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like assembleDebug causes :libraries:matrix:impl:bundleDebugAar to run, in turn causing this issue:

* What went wrong:
Execution failed for task ':libraries:matrix:impl:bundleDebugAar'.
> Error while evaluating property 'hasLocalAarDeps' of task ':libraries:matrix:impl:bundleDebugAar'.
   > Direct local .aar file dependencies are not supported when building an AAR. The resulting AAR would be broken because the classes and Android resources from any local .aar file dependencies would not be packaged in the resulting AAR. Previous versions of the Android Gradle Plugin produce broken AARs in this case too (despite not throwing this error). The following direct local .aar file dependencies of the :libraries:matrix:impl project caused this error: /Users/jorge/Developer/Element/element-x-android/libraries/matrix/impl/libs/rustls-platform-verifier-android.aar

AFAICT, assembleGplayDebug still builds the source Sonarqube needs to scan, but it won't create this 'fat AAR' file.

@jmartinesp
Copy link
Member Author

jmartinesp commented Mar 19, 2026
edited
Loading

LGTM I guess, I trust you on this!

You don't have to trust me, you can just test the branch 😅 . Without these changes and removing the ClientBuilder.disableSslVerification() call, no network requests to HTTPS homeservers will work with the latest SDK.

One question, when should we call the script exactly?

When a new rustls version is used in the Rust SDK which comes with a new platform-verifier version. They should ping us in that case (I have added some docs here).

@jmartinesp jmartinesp added PR-Bugfix For bug fix and removed PR-Wip For anything that isn't ready to ship and will be enabled at a later date labels Mar 19, 2026
@jmartinesp jmartinesp merged commit bfa898b into renovate/org.matrix.rustcomponents-sdk-android-26.x Mar 19, 2026
35 checks passed
@jmartinesp jmartinesp deleted the fix/rustls-with-android branch March 19, 2026 07:38
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 19, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@ElementBot
Copy link
Collaborator

ElementBot commented Mar 19, 2026

Warnings
⚠️

libraries/matrix/impl/build.gradle.kts#L44 - Use version catalog instead

Generated by 🚫 dangerJS against e49a209

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ganfra ganfra ganfra approved these changes

Assignees

No one assigned

Labels

PR-Bugfix For bug fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jmartinesp @ElementBot @ganfra