Hi 👋
Thank you @AsamK for all your work, especially with all the recent breaking changes that came with Signal 8.0.0.
Purpose of this MR
Make signal-cli builds reproducible.
source: https://reproducible-builds.org/
So far, I have managed to make only the following binaries reproducible:
- signal-cli-XXX.tar.gz
- signal-cli-XXX-Linux-native.tar.gz
- signal-cli-XXX-Linux-client.tar.gz

The Native binary built using GraalVM is not reproducible yet and will require significantly more work (I'm working on it). However, I think we should merge this MR first so that people can quickly start verifying the reproducibility of signal-cli.jar in upcoming releases. I will work on making the Native binary reproducible in a follow-up MR, if that's okay with you.
Once this has been merged, I will of course remain available to maintain and support this part of the codebase going forward.
Description of the changes
- ./reproducible-builds/ folder containing all the build and verification scripts and Dockerfiles (similar to how Signal-Android does it).
  - build.sh: builds all the required artifacts: JAR, Native binary, and Rust client.
  - verify.sh: downloads releases from GitHub Releases, runs build.sh, and verifies whether they match the locally built ones (reproducibility check).
  - *.Containerfile: Dockerfiles for reproducible build, using specific tags pinned to their manifest digest hash, with pinned repository snapshot and a fixed build datetime.
  - README.md: contains all the reproducible build instructions for users. You will need to update the example version (0.14.0) since it is currently not reproducible.
- man Makefile, to avoid adding the original timestamp, which breaks reproducibility.
- build.yml: use reproducible-builds/build.sh to build artifacts.
- release.yml: use the artifacts from build.yml's reproducible builds to create the release and containers.

Example
For this example, I created a new tag v0.14.0 on my fork, triggered a new workflow (see #22589216762), and verified the reproducibility like this:
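As an added illustration of the comparison step a verify.sh-style check performs (this is not the PR's verify.sh and not code from the signal-cli project), the script below digests every archive in a "release" directory and requires a byte-identical, same-named archive in the "local build" directory. The directory layout, the X.Y.Z version placeholder and the demo file contents are constructed for the example; the one deliberately differing artifact shows how a non-reproducible build surfaces in the output.

```shell
#!/usr/bin/env bash
# Added example: compare locally built artifacts against downloaded release
# artifacts by SHA-256 digest. Not the PR's verify.sh; all data is constructed.
set -u

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_artifacts LOCAL_DIR RELEASE_DIR
# For every file in RELEASE_DIR, require a same-named file in LOCAL_DIR with an
# identical digest. Prints one line per artifact; returns 0 only if all match.
compare_artifacts() {
    local local_dir="$1" release_dir="$2" status=0 f name a b
    for f in "$release_dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$local_dir/$name" ]; then
            printf 'MISSING  %s (not produced by local build)\n' "$name"
            status=1
            continue
        fi
        a=$(digest "$local_dir/$name")
        b=$(digest "$f")
        if [ "$a" = "$b" ]; then
            printf 'MATCH    %s %s\n' "$name" "$a"
        else
            printf 'MISMATCH %s local=%s release=%s\n' "$name" "$a" "$b"
            status=1
        fi
    done
    return "$status"
}

# Constructed demo data standing in for local build output and release downloads.
# File names use a placeholder version X.Y.Z; contents are arbitrary bytes.
make_demo() {
    local root="$1"
    mkdir -p "$root/local" "$root/release"
    printf 'jar-bytes'    > "$root/local/signal-cli-X.Y.Z.tar.gz"
    printf 'jar-bytes'    > "$root/release/signal-cli-X.Y.Z.tar.gz"
    printf 'client-bytes' > "$root/local/signal-cli-X.Y.Z-Linux-client.tar.gz"
    printf 'client-bytes' > "$root/release/signal-cli-X.Y.Z-Linux-client.tar.gz"
    # The native archive differs on purpose to show how a mismatch is reported.
    printf 'native-A' > "$root/local/signal-cli-X.Y.Z-Linux-native.tar.gz"
    printf 'native-B' > "$root/release/signal-cli-X.Y.Z-Linux-native.tar.gz"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo "$demo"
    compare_artifacts "$demo/local" "$demo/release"
    echo "exit status: $?"
    rm -rf "$demo"
fi
```

Run it with `bash compare.sh --demo` to see two MATCH lines, one MISMATCH line and a non-zero exit status; in a real check the "release" directory would hold the archives downloaded from GitHub Releases and the "local" directory the output of the pinned container build, so a non-zero status is the signal that the published artifact cannot be reproduced from source.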