feat: Bump aapt2 to build-tools 35.0.2

[Taknok]

This solve the issue of revanced crashing when rebuilding the app when it has grammatical gender string
https://developer.android.com/about/versions/14/features/grammatical-inflection

Source: aapt2 repository
Attestation: gh attestation verify

This should fix some case of #2142 as the old aapt binary crashed when gendered string are used. Example:

$ ~/libaapt2.so compile --dir ./tmp_van/patcher/apk/res --legacy -o ./tmp_van/patcher/apk/build/resources.zip
./tmp_van/patcher/apk/res/values-fr-feminine-v34/arrays.xml: error: invalid configuration 'fr-feminine-v34'.
./tmp_van/patcher/apk/res/values-fr-feminine-v34/strings.xml: error: invalid configuration 'fr-feminine-v34'.
./tmp_van/patcher/apk/res/values-fr-masculine-v34/arrays.xml: error: invalid configuration 'fr-masculine-v34'.
;/tmp_van/patcher/apk/res/values-fr-masculine-v34/strings.xml: error: invalid configuration 'fr-masculine-v34'.
./tmp_van/patcher/apk/res/values-fr-neuter-v34/arrays.xml: error: invalid configuration 'fr-neuter-v34'.

[validcube]

🔥 DO NOT SUBMIT

Hello, thanks for your PR but we would definitely not going to merge this until ReVanced themselves has generated an attestation of the prebuilt libraries.

For your PR, all of your binary is affected.

• libaapt2.so (arm64-v8a)
• libaapt2.so (armeabi-v7a)
• libaapt2.so (x86_64)

For now try to get your PR from ReVanced/aapt2#16 merged to the main branch of the repository first then wait for next release.

• Bump to build-tools 35.0.2 aapt2#16

[oSumAtrIX]

I don't know what the problem is. Do you know if the asset can be verified already as instructed in the PR OP body? I agree, that this PR should be merged once the aapt2#16 is closed.

[Taknok]

The bin are already attested and can be verified by `gh attestation verify ". But I agree that the bin pushed to main can be the one built by the aapt repo of revanced.

[validcube]

I don't know what the problem is. Do you know if the asset can be verified already as instructed in the PR OP body? I agree, that this PR should be merged once the aapt2#16 is closed.

The binaries is indeed signed, but they're not by us, the binaries need to be build by ours if we want to attest the authentically of the file.

See binaries attestation below:

PS C:\Users\havef\Downloads> gh at verify '.\libaapt2.so'
at least one of the flags in the group [owner repo] is required

PS C:\Users\havef\Downloads> gh at verify .\libaapt2.so --owner revanced
Loaded digest sha256:ca5d69aee0ed190178ab472e7ec7eacb98bbd3ef945963085a6d545e1bb3083e for file://libaapt2.so
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from revanced: HTTP 404: Not Found (https://api.github.com/orgs/revanced/attestations/sha256:ca5d69aee0ed190178ab472e7ec7eacb98bbd3ef945963085a6d545e1bb3083e?per_page=30)
PS C:\Users\havef\Downloads> gh at verify '.\libaapt2 (1).so' --owner revanced
Loaded digest sha256:a8275554beb9e6ae77a4b8f343c0c614bf3a42253f835a59da0bd8b4e2c0ac39 for file://libaapt2 (1).so
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from revanced: HTTP 404: Not Found (https://api.github.com/orgs/revanced/attestations/sha256:a8275554beb9e6ae77a4b8f343c0c614bf3a42253f835a59da0bd8b4e2c0ac39?per_page=30)
PS C:\Users\havef\Downloads> gh at verify '.\libaapt2 (2).so' --owner revanced
Loaded digest sha256:b6b692fc8bd5ccdac8fb0b221e42b74dd2583c7119f0d9a542a3ae9406cd9e7d for file://libaapt2 (2).so
✗ Loading attestations from GitHub API failed

Attestation logs (if we use Taknok as the owner)

```ps PS C:\Users\havef\Downloads> gh at verify '.\libaapt2 (2).so' --owner Taknok Loaded digest sha256:b6b692fc8bd5ccdac8fb0b221e42b74dd2583c7119f0d9a542a3ae9406cd9e7d for file://libaapt2 (2).so Loaded 2 attestations from GitHub API

The following policy criteria will be enforced:

• Predicate type must match:................ https://slsa.dev/provenance/v1
• Source Repository Owner URI must match:... https://github.com/Taknok
• Subject Alternative Name must match regex: (?i)^https://github.com/Taknok/
• OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 2 attestations matched the policy criteria

• Attestation New Crowdin updates #1

  • Build repo:..... Taknok/aapt2
  • Build workflow:. .github/workflows/build.yml@refs/heads/main
  • Signer repo:.... Taknok/aapt2
  • Signer workflow: .github/workflows/build.yml@refs/heads/main

• Attestation Revert "New Crowdin updates" #2

  • Build repo:..... Taknok/aapt2
  • Build workflow:. .github/workflows/build.yml@refs/heads/main
  • Signer repo:.... Taknok/aapt2
  • Signer workflow: .github/workflows/build.yml@refs/heads/main

PS C:\Users\havef\Downloads> gh at verify '.\libaapt2 (1).so' --owner Taknok
Loaded digest sha256:a8275554beb9e6ae77a4b8f343c0c614bf3a42253f835a59da0bd8b4e2c0ac39 for file://libaapt2 (1).so
Loaded 2 attestations from GitHub API

The following policy criteria will be enforced:

• Predicate type must match:................ https://slsa.dev/provenance/v1
• Source Repository Owner URI must match:... https://github.com/Taknok
• Subject Alternative Name must match regex: (?i)^https://github.com/Taknok/
• OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 2 attestations matched the policy criteria

• Attestation New Crowdin updates #1

  • Build repo:..... Taknok/aapt2
  • Build workflow:. .github/workflows/build.yml@refs/heads/main
  • Signer repo:.... Taknok/aapt2
  • Signer workflow: .github/workflows/build.yml@refs/heads/main

• Attestation Revert "New Crowdin updates" #2

  • Build repo:..... Taknok/aapt2
  • Build workflow:. .github/workflows/build.yml@refs/heads/main
  • Signer repo:.... Taknok/aapt2
  • Signer workflow: .github/workflows/build.yml@refs/heads/main

PS C:\Users\havef\Downloads> gh at verify '.\libaapt2.so' --owner Taknok
Loaded digest sha256:ca5d69aee0ed190178ab472e7ec7eacb98bbd3ef945963085a6d545e1bb3083e for file://libaapt2.so
Loaded 2 attestations from GitHub API

The following policy criteria will be enforced:

• Predicate type must match:................ https://slsa.dev/provenance/v1
• Source Repository Owner URI must match:... https://github.com/Taknok
• Subject Alternative Name must match regex: (?i)^https://github.com/Taknok/
• OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 2 attestations matched the policy criteria

• Attestation New Crowdin updates #1

  • Build repo:..... Taknok/aapt2
  • Build workflow:. .github/workflows/build.yml@refs/heads/main
  • Signer repo:.... Taknok/aapt2
  • Signer workflow: .github/workflows/build.yml@refs/heads/main

• Attestation Revert "New Crowdin updates" #2

  • Build repo:..... Taknok/aapt2
  • Build workflow:. .github/workflows/build.yml@refs/heads/main
  • Signer repo:.... Taknok/aapt2
  • Signer workflow: .github/workflows/build.yml@refs/heads/main

</details>

[oSumAtrIX]

The binaries is indeed signed, but they're not by us, the binaries need to be build by ours if we want to attest the authentically of the file.

The attestation links the binaries to a source. If the source is good, so is the binary. It's not a matter of that, but rather that we may want the source to be different, hence the binaries, so we should wait for the PR to be merged. If technically no changes are needed, the binaries here can technically be merged as is thanks to the attestation.