From f5731a3037e9b9bd2955c70b0a87fbe801b30c19 Mon Sep 17 00:00:00 2001 From: Xuejie Xiao Date: Mon, 8 Sep 2025 06:54:20 +0000 Subject: [PATCH 01/10] Add reproducible build setup --- .github/workflows/rust.yml | 15 +++++++ checksums.txt | 10 +++++ scripts/reproducible_build_docker | 66 +++++++++++++++++++++++++++++++ 3 files changed, 91 insertions(+) create mode 100644 checksums.txt create mode 100755 scripts/reproducible_build_docker diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 65a4b91..b1f5e07 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -23,6 +23,21 @@ jobs: - name: git diff run: git diff --exit-code + reproducible-build: + + strategy: + matrix: + os: [ubuntu-latest, ubuntu-24.04-arm] + + runs-on: ${{ matrix.os }} + + steps: + - uses: actions/checkout@v4 + with: + submodules: "true" + - name: Reproducible build + run: ./scripts/reproducible_build_docker + macos-build: runs-on: macos-latest diff --git a/checksums.txt b/checksums.txt new file mode 100644 index 0000000..7bb58a1 --- /dev/null +++ b/checksums.txt 
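Review bot: In the new `reproducible-build` job, `actions/checkout@v4` is referenced by a movable tag, while the build image used by the script in this same patch is pinned by digest. For a job whose purpose is to vouch for build outputs, the action should be pinned the same way, `- uses: actions/checkout@<full-commit-sha> # v4`. The job also declares no `permissions:`; unless the workflow sets one at top level (not visible in this hunk), adding `permissions:` with `contents: read` under `reproducible-build:` keeps the token read-only while submodule code and the build script run.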
@@ -0,0 +1,10 @@
+59a4c25e6185f906ba379db530fc08c1e1f8aa23db2bcb265a6ab321a0d5b527 build/release/c-sphincs-all-in-one-lock
+55fbe64ca9dfc17335ee9af56083dde6bbdf23c79a967d37805b8467b86d458e build/release/c-sphincs-all-in-one-lock.debug
+313f3122a5ad662a9f7cf81d18d3ec4fd3ba3ea5af43fb3ac405844731d6306a build/release/hybrid-sphincs-all-in-one-lock
+7cfd89954d36dc22381b3d5179eb7c75556abe8c576bf3551cdda3d5d60ace0d build/release/hybrid-sphincs-all-in-one-lock.debug
+67e27355b90b19e4768ef83d771d085aaee451942eb84c88f7383e23e7ec80ac build/release/nist-vector-tester
+a0999aac87383e8ac3191f6d9472d2e94b61e9077b1bcd00f510d6cf67e3ab7f build/release/nist-vector-tester.debug
+fb6448fc699653474620c041b0be05b0393b612a023221010f39a61c47c9102f build/release/spawn-exec-test-runner
+0ceeffed81973224e315953147012c3fe6a058f0f24c605fc53deefd7564d72b build/release/spawn-exec-test-runner.debug
+45946de1491b199b2975b6c7bff7a5149e384337db1ced7a366c9ef7299f0884 build/release/sphincs-all-in-one-lock
+6dadb87af0433b1045a5271f1efca6420e1408df6668498043ca3e2a91c37c54 build/release/sphincs-all-in-one-lock.debug
diff --git a/scripts/reproducible_build_docker b/scripts/reproducible_build_docker
new file mode 100755
index 0000000..dd61351
--- /dev/null
+++ b/scripts/reproducible_build_docker
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+#
+# An utility script helping with reproducible script builds via docker.
+# Note that this utility serves only as one example, docker is not
+# necessarily THE way to do reproducible build, nor is it the best way
+# to do reproducible build.
+set -ex
+
+DOCKER="${DOCKER:-docker}"
+# docker pull docker.io/cryptape/llvm-n-rust:20250617
+DOCKER_IMAGE="${DOCKER_IMAGE:-docker.io/cryptape/llvm-n-rust@sha256:d6d1f9a6656039273210de91913c828f5b4aa4a3282d2c93ed19bcb7bbf728fe}"
+CHECKSUM_FILE_PATH="${CHECKSUM_FILE_PATH:-checksums.txt}"
+
+# We are parsing command line arguments based on tips from:
+# https://stackoverflow.com/a/14203146
+
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ -p|--proxy)
+ PROXY="$2"
+ shift # past argument
+ shift # past value
+ ;;
+ -u|--update)
+ UPDATE="yes"
+ shift # past argument
+ ;;
+ --no-clean)
+ NOCLEAN="yes"
+ shift # past argument
+ ;;
+ -*|--*)
+ echo "Unknown option $1"
+ exit 1
+ ;;
+ *)
+ echo "Unknown argument $1"
+ exit 1
+ ;;
+ esac
+done
+
+if [[ -n "${PROXY}" ]]; then
+ DOCKER_RUN_ARGS="-e ALL_PROXY=${PROXY} -e HTTPS_PROXY=${PROXY} -e HTTP_PROXY=${PROXY} ${DOCKER_RUN_ARGS}"
+fi
+
+TASKS=""
+if [[ "${NOCLEAN}" != "yes" ]]; then
+ TASKS+=" clean "
+fi
+
+if [[ "${UPDATE}" = "yes" ]]; then
+ TASKS+=" checksum CHECKSUM_FILE=${CHECKSUM_FILE_PATH} "
+else
+ TASKS+=" build "
+fi
+
+$DOCKER run --rm $DOCKER_RUN_ARGS -v `pwd`:/code $DOCKER_IMAGE make $TASKS
+# Reset file ownerships for all files docker might touch
+$DOCKER run --rm $DOCKER_RUN_ARGS -e UID=`id -u` -e GID=`id -g` -v `pwd`:/code $DOCKER_IMAGE bash -c 'chown -R -f $UID:$GID checksums.txt build target'
+
+if [[ "${UPDATE}" = "yes" ]]; then
+ echo "${CHECKSUM_FILE_PATH} file is updated with latest binary hashes!"
+else
+ shasum -a 256 -c ${CHECKSUM_FILE_PATH}
+fi
From 1d866ec8c1e375a1ed1ca26efa6b7dbce229ccfa Mon Sep 17 00:00:00 2001 
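Review bot: The ownership-reset command near the end passes the host ids as `-e UID=... -e GID=...` and expands `$UID` inside `bash -c`, but bash sets `UID` itself at startup and treats it as read-only. Inside the container it will therefore most likely be the container user's id (0 if the image runs as root, which this hunk does not show), leaving the files root-owned with only the group corrected. Passing the ids under names bash does not reserve fixes this, e.g. `-e HOST_UID="$(id -u)" -e HOST_GID="$(id -g)"` with `'chown -R -f "$HOST_UID:$HOST_GID" checksums.txt build target'`. The same line hard-codes `checksums.txt` although `CHECKSUM_FILE_PATH` is configurable. `$DOCKER_RUN_ARGS`, the backtick `pwd` and `${CHECKSUM_FILE_PATH}` in `shasum -c` are also unquoted, so a checkout path or `--proxy` value containing spaces is word-split into extra docker arguments; building the arguments in a bash array and quoting `"$(pwd)"` avoids that.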
From: Xuejie Xiao Date: Mon, 8 Sep 2025 07:03:13 +0000 Subject: [PATCH 02/10] Fix CI --- .github/workflows/rust.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index b1f5e07..66a9d28 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -25,11 +25,7 @@ jobs: reproducible-build: - strategy: - matrix: - os: [ubuntu-latest, ubuntu-24.04-arm] - - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -47,7 +43,7 @@ jobs: with: submodules: true - name: Install latest llvm & lld - run: brew install llvm lld + run: brew install llvm@20 lld - uses: actions-rust-lang/setup-rust-toolchain@v1 - name: Prepare, build, test, clippy, format run: make prepare build test clippy fmt From 3293e91ceef4568629603f005d70f0f80ff69cc9 Mon Sep 17 00:00:00 2001 From: Xuejie Xiao Date: Mon, 8 Sep 2025 07:11:16 +0000 Subject: [PATCH 03/10] Skip unsupported LDFLAGS in macOS --- contracts/c-sphincs-all-in-one-lock/Makefile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/contracts/c-sphincs-all-in-one-lock/Makefile b/contracts/c-sphincs-all-in-one-lock/Makefile index 82c8a34..faf057f 100644 --- a/contracts/c-sphincs-all-in-one-lock/Makefile +++ b/contracts/c-sphincs-all-in-one-lock/Makefile @@ -50,7 +50,11 @@ CFLAGS += --target=riscv64 -march=rv64imc_zba_zbb_zbc_zbs \ CFLAGS += -I $(SPHINCS_PLUS_DIR) -I $(CUR_BUILD) -I $(cur_dir)/utils # CFLAGS += -DCKB_C_STDLIB_PRINTF -LDFLAGS := -static -Wl,--gc-sections +OS := $(shell uname -s) +LDFLAGS := +if neq($(OS),Darwin) + LDFLAGS += -static -Wl,--gc-sections +endif default: build From 496c5c8793f421312d1cab4bcdd4782929e3a66e Mon Sep 17 00:00:00 2001 From: Xuejie Xiao Date: Mon, 8 Sep 2025 07:12:57 +0000 Subject: [PATCH 04/10] Restore to latest LLVM --- .github/workflows/rust.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
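Review bot: In the first hunk of "Fix CI", replacing the matrix with `runs-on: ubuntu-latest` means `checksums.txt` is now verified on one host architecture only, and neither the commit message nor the workflow records why the `ubuntu-24.04-arm` runner was dropped. If the digest-pinned image or the build output turned out to be host-dependent (an inference; the failing run is not shown), a comment above that line such as `# x86_64 host only: <reason the arm64 runner was removed>` would state the limit of the reproducibility claim for anyone relying on the published hashes.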
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 66a9d28..3364db8 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -43,7 +43,7 @@ jobs: with: submodules: true - name: Install latest llvm & lld - run: brew install llvm@20 lld + run: brew install llvm lld - uses: actions-rust-lang/setup-rust-toolchain@v1 - name: Prepare, build, test, clippy, format run: make prepare build test clippy fmt From eb2fc1a26d6355735caedf6190cde64637eebeeb Mon Sep 17 00:00:00 2001 From: Xuejie Xiao Date: Mon, 8 Sep 2025 07:17:09 +0000 Subject: [PATCH 05/10] Fix typo --- contracts/c-sphincs-all-in-one-lock/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contracts/c-sphincs-all-in-one-lock/Makefile b/contracts/c-sphincs-all-in-one-lock/Makefile index faf057f..90d122c 100644 --- a/contracts/c-sphincs-all-in-one-lock/Makefile +++ b/contracts/c-sphincs-all-in-one-lock/Makefile @@ -52,7 +52,7 @@ CFLAGS += -I $(SPHINCS_PLUS_DIR) -I $(CUR_BUILD) -I $(cur_dir)/utils OS := $(shell uname -s) LDFLAGS := -if neq($(OS),Darwin) +ifneq($(OS),Darwin) LDFLAGS += -static -Wl,--gc-sections endif From 5d9f282c92b4bfdeb326db8324c4894b0e757bbd Mon Sep 17 00:00:00 2001 From: Xuejie Xiao Date: Mon, 8 Sep 2025 07:29:00 +0000 Subject: [PATCH 06/10] Yet another fix --- contracts/c-sphincs-all-in-one-lock/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contracts/c-sphincs-all-in-one-lock/Makefile b/contracts/c-sphincs-all-in-one-lock/Makefile index 90d122c..6038feb 100644 --- a/contracts/c-sphincs-all-in-one-lock/Makefile +++ b/contracts/c-sphincs-all-in-one-lock/Makefile @@ -52,7 +52,7 @@ CFLAGS += -I $(SPHINCS_PLUS_DIR) -I $(CUR_BUILD) -I $(cur_dir)/utils OS := $(shell uname -s) LDFLAGS := -ifneq($(OS),Darwin) +ifneq ($(OS),Darwin) LDFLAGS += -static -Wl,--gc-sections endif From 01409c8f34e7bc70d57fa33806c219e7e0aa1f8a Mon Sep 17 00:00:00 2001 
From: Xuejie Xiao Date: Mon, 8 Sep 2025 07:33:56 +0000 Subject: [PATCH 07/10] Try using lld on macOS --- contracts/c-sphincs-all-in-one-lock/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contracts/c-sphincs-all-in-one-lock/Makefile b/contracts/c-sphincs-all-in-one-lock/Makefile index 6038feb..1cba53c 100644 --- a/contracts/c-sphincs-all-in-one-lock/Makefile +++ b/contracts/c-sphincs-all-in-one-lock/Makefile @@ -51,9 +51,9 @@ CFLAGS += -I $(SPHINCS_PLUS_DIR) -I $(CUR_BUILD) -I $(cur_dir)/utils # CFLAGS += -DCKB_C_STDLIB_PRINTF OS := $(shell uname -s) -LDFLAGS := -ifneq ($(OS),Darwin) - LDFLAGS += -static -Wl,--gc-sections +LDFLAGS := -static -Wl,--gc-sections +ifeq ($(OS),Darwin) + LDFLAGS += -fuse-ld=ld.lld endif default: build From 3d6c77a4aa8f5ba4d804e3e63387225d4fad1b80 Mon Sep 17 00:00:00 2001 From: Xuejie Xiao Date: Mon, 8 Sep 2025 07:37:00 +0000 Subject: [PATCH 08/10] Use lld linker --- contracts/c-sphincs-all-in-one-lock/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contracts/c-sphincs-all-in-one-lock/Makefile b/contracts/c-sphincs-all-in-one-lock/Makefile index 1cba53c..5ca315d 100644 --- a/contracts/c-sphincs-all-in-one-lock/Makefile +++ b/contracts/c-sphincs-all-in-one-lock/Makefile @@ -53,7 +53,7 @@ CFLAGS += -I $(SPHINCS_PLUS_DIR) -I $(CUR_BUILD) -I $(cur_dir)/utils OS := $(shell uname -s) LDFLAGS := -static -Wl,--gc-sections ifeq ($(OS),Darwin) - LDFLAGS += -fuse-ld=ld.lld + LDFLAGS += -fuse-ld=lld endif default: build From 52544dd5c293eeecd40d912496397be90defef17 Mon Sep 17 00:00:00 2001 From: Xuejie Xiao Date: Mon, 8 Sep 2025 17:16:08 +0800 Subject: [PATCH 09/10] Update rust.yml macOS uses a different LLVM version, so we will skip the fmt part since different clang version might format the code differently --- .github/workflows/rust.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 3364db8..e0811c1 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -46,6 +46,4 @@ jobs: run: brew install llvm lld - uses: actions-rust-lang/setup-rust-toolchain@v1 - name: Prepare, build, test, clippy, format - run: make prepare build test clippy fmt - - name: git diff - run: git diff --exit-code + run: make prepare build test clippy From 53aff5707d3bc952678a30094146091bcc29219f Mon Sep 17 00:00:00 2001 From: Xuejie Xiao Date: Mon, 8 Sep 2025 17:17:03 +0800 Subject: [PATCH 10/10] Fix description --- .github/workflows/rust.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index e0811c1..abad3de 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -45,5 +45,5 @@ jobs: - name: Install latest llvm & lld run: brew install llvm lld - uses: actions-rust-lang/setup-rust-toolchain@v1 - - name: Prepare, build, test, clippy, format + - name: Prepare, build, test, clippy run: make prepare build test clippy