@SomberNight SomberNight commented Nov 30, 2025

  • re android build:
    • bumps OpenSSL 1.1.1w -> 3.0.18
      • the 1.1.1 branch has been EOL since 2023-09
      • the 3.0 branch is supported until 2026-09
    • replaces cryptography with pycryptodomex
      • we had been using an old cryptography==2.8 in the Android build
        • newer versions require Rust to build, which is hard with p4a (though upstream p4a has some kind of solution)
        • this old version of cryptography is not compatible with new OpenSSL however
        • pycryptodomex is easy to build. it does not even depend on OpenSSL.

note: tested and builds are still reproducible

We had been using an ancient version of "cryptography" so far in our p4a fork,
however it is not compatible with OpenSSL 3.0. (Previously we were building it with OpenSSL 1.1)

Bumping "cryptography" is difficult, as building new versions of it from source requires a full rust toolchain.

Instead, this commit switches to "pycryptodomex", as a replacement, which is much easier to build from source.
to work around kivy/python-for-android#1866 :

> PyCryptodome >=3.6.0 crashes at runtime (since commit Legrandin/pycryptodome@f5aa2c1). So actually the currently pinned version in the recipe does not work:
> https://github.com/kivy/python-for-android/blob/80e4f059c1ee0da48a7c85167087dfe5928ac395/pythonforandroid/recipes/pycryptodome/__init__.py#L5
>
> The issue at runtime is with ctypes.
>
>
> Say I have a main script that just does the following (https://github.com/Legrandin/pycryptodome/blob/95ccce7ae82d3a36f1a8652dd2c645222d0128dd/lib/Crypto/Util/_raw_api.py#L200):
> ```
> import ctypes
> ctypes.pythonapi.PyObject_GetBuffer
> ```
>
> This works with cpython on my laptop, but with the p4a-compiled python on Android it fails:
>
> ```
> 06-14 19:06:27.053 15246 15274 I python  : Android kivy bootstrap done. __name__ is __main__
> 06-14 19:06:27.053 15246 15274 I python  : AND: Ran string
> 06-14 19:06:27.053 15246 15274 I python  : Run user program, change dir and execute entrypoint
> 06-14 19:06:27.092 15246 15274 I python  : Traceback (most recent call last):
> 06-14 19:06:27.092 15246 15274 I python  :   File "/home/user/wspace/electrum/.buildozer/android/app/main.py", line 84, in <module>
> 06-14 19:06:27.093 15246 15274 I python  :   File "/home/user/wspace/electrum/.buildozer/android/platform/build/build/other_builds/python3-libffi-openssl-sqlite3/armeabi-v7a__ndk_target_21/python3/Lib/ctypes/__init__.py", line 369, in __getattr__
> 06-14 19:06:27.093 15246 15274 I python  :   File "/home/user/wspace/electrum/.buildozer/android/platform/build/build/other_builds/python3-libffi-openssl-sqlite3/armeabi-v7a__ndk_target_21/python3/Lib/ctypes/__init__.py", line 374, in __getitem__
> 06-14 19:06:27.094 15246 15274 I python  : AttributeError: undefined symbol: PyObject_GetBuffer
> ```
>
> I have also tried to access some other attributes of `ctypes.pythonapi`, such as `Py_IncRef`, which raises the same exception.

---

Unclear if the issue still affects newer p4a: upstream seems to think it's fixed, but there are multiple comments in the thread saying otherwise. Anyway, rebasing p4a has other blockers atm.
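
A startup probe for the failure quoted above, as an added example that is not code from this PR, from p4a, or from pycryptodome: it checks whether `ctypes.pythonapi` can resolve the two symbols named in the quoted issue, so a build can fail early with one clear message rather than with a traceback deep inside a crypto import. The function names and the `api` parameter are hypothetical.

```python
import ctypes

# Symbols named in the quoted issue: PyObject_GetBuffer is the lookup from the
# linked _raw_api.py line, Py_IncRef is the second one the reporter tried.
REQUIRED_SYMBOLS = ("PyObject_GetBuffer", "Py_IncRef")


def missing_pythonapi_symbols(symbols=REQUIRED_SYMBOLS, api=None):
    """Return the names in `symbols` that ctypes.pythonapi cannot resolve.

    `api` is a hypothetical injection point for tests; by default the real
    ctypes.pythonapi handle of the running interpreter is probed.
    """
    if api is None:
        api = ctypes.pythonapi
    missing = []
    for name in symbols:
        try:
            getattr(api, name)  # ctypes resolves the symbol lazily, on access
        except AttributeError:  # "undefined symbol: ..." as in the logcat trace
            missing.append(name)
    return missing


def check_ctypes_backend(symbols=REQUIRED_SYMBOLS, api=None):
    """Raise RuntimeError listing every unresolved symbol, else return True."""
    missing = missing_pythonapi_symbols(symbols, api)
    if missing:
        raise RuntimeError(
            "ctypes.pythonapi cannot resolve: " + ", ".join(missing)
        )
    return True


if __name__ == "__main__":
    # On a desktop CPython this is expected to print an empty list.
    print("missing symbols:", missing_pythonapi_symbols())
```

Run as the first step of the app's entrypoint on the device, it turns the `AttributeError` from the log into a single line naming every unresolved symbol.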

@SomberNight

note: I forgot about #7192

Ok, I propose we don't care about openalias. For now we switch to using pycryptodomex instead of cryptography, on Android only. That way we can unblock upgrading OpenSSL.

Besides DNSSEC, everything else works with pycryptodomex. We only use DNSSEC for openalias atm. The switch means we break openalias on Android.
Note: a few hardware wallet plugins also require cryptography :/


In the future we might want to add support for bip-0353, which also requires DNSSEC. By then we will need to figure something out for Android.

Ideally we will rebase p4a (see #10331) and be able to build cryptography for Android. In that case we will be able to switch back.
