Meshtastic-Android/scripts/verify-flatpak

Local Flatpak Verification

Replicates vid's org.meshtastic.desktop GHA flatpak build on your machine so you can validate flatpak-sources.json end-to-end without round-tripping through his repo.

What it tests that our CI doesn't

Our CI (:desktopApp:packageUberJarForCurrentOS :captureFlatpakSources) only proves the manifest can be generated. Vid's CI is where the manifest actually gets consumed by flatpak-builder. This script runs that step locally:

1. Clones vidplace7/org.meshtastic.desktop.
2. Overlays a patched manifest that:
   • Swaps the meshtastic/Meshtastic-Android.git source for a type: dir pointing at your local checkout (so you can test uncommitted changes).
   • Uncomments - flatpak-sources.json.
   • Drops --share=network from the build-args (true offline — what Flathub requires).
   • Adds --offline to the Gradle invocation (belt + suspenders).
3. Runs flatpak-builder in a Docker container with the same Freedesktop 25.08 SDK vid's GHA image uses.

If your flatpak-sources.json has the wrong URL, wrong sha256, or a missing entry, the build fails with the same error vid would see. You can iterate in ~5–15 min loops instead of waiting on cross-repo CI.

Prerequisites

• Docker (Docker Desktop on macOS works — the container needs --privileged to use bubblewrap; that's enabled by default).
• ~10 GB free disk for the SDK + Gradle cache.
• A populated Gradle cache (./gradlew :desktopApp:packageUberJarForCurrentOS must have run; the script does this implicitly via :captureFlatpakSources).

Usage

# Full offline build — Linux host required (~15–30 min first time)
scripts/verify-flatpak/verify.sh

# URLs + sha256 verification only; skips the Gradle build phase.
# Works on macOS where nested bwrap fails under Docker Desktop's seccomp.
scripts/verify-flatpak/verify.sh --download-only

# Reuse an already-generated flatpak-sources.json (don't re-run Gradle)
scripts/verify-flatpak/verify.sh --skip-regen

# Tight iteration loop after a failed run: refresh overlay yaml + manifest
# only, then re-run flatpak-builder. Skips Gradle regen, vid-repo fetch,
# and Meshtastic-Android rsync. Use when you've just patched the YAML
# overlay or regenerated flatpak-sources.json by hand.
scripts/verify-flatpak/verify.sh --rebuild-only

# Cross-arch test via QEMU emulation (slower)
scripts/verify-flatpak/verify.sh --arch aarch64

# Drop into the builder container shell to poke at things
scripts/verify-flatpak/verify.sh --shell

macOS limitation

flatpak-builder runs the build phase inside bwrap (bubblewrap). Nested bwrap fails inside Docker Desktop on macOS with prctl(PR_SET_SECCOMP) EINVAL. The script refuses to run a full build on macOS by default — pass --download-only to validate URLs + sha256s without executing the Gradle build, or run the full script on a Linux host.

Interpreting failures

Symptom	Likely cause
Error downloading mirror: ... 404 on repo.maven.apache.org	URL captured by the listener was wrong or artifact moved. Check the source repo hosting it.
sha256 mismatch	Stale flatpak-sources.json; re-run :desktopApp:packageUberJarForCurrentOS :captureFlatpakSources.
Gradle: Could not resolve all artifacts ... offline mode	Missing dep in the manifest — usually a compiler plugin or BOM that wasn't downloaded during capture.

Files

• verify.sh — entry point. Idempotent: re-running just re-syncs the overlay and re-runs flatpak-builder.
• desktop-offline.yaml — patched manifest. Kept in sync manually with vid's upstream; diff against https://raw.githubusercontent.com/vidplace7/org.meshtastic.desktop/main/org.meshtastic.desktop.yaml if vid changes something material.