wip

Author: kariy

.cargo/config.toml

@@ -74,6 +74,7 @@ jobs:
           docker build \
             -f reproducible.Dockerfile \
             -t katana-reproducible:${{ needs.prepare.outputs.tag_name }} \
+            --build-arg SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) \
             --no-cache \
             .
 

.github/workflows/release-tee.yml

@@ -41,3 +41,4 @@ crates/contracts/build/
 **/.claude/settings.local.json
 
 vendor
+katana-tee

.gitignore

@@ -26,13 +26,14 @@ SCARB_VERSION := 2.8.4
 
 .DEFAULT_GOAL := usage
 .SILENT: clean
-.PHONY: usage help check-llvm native-deps native-deps-macos native-deps-linux native-deps-windows build-explorer contracts clean deps install-scarb test-artifacts snos-artifacts db-compat-artifacts install-pyenv
+.PHONY: usage help check-llvm native-deps native-deps-macos native-deps-linux native-deps-windows build-explorer contracts clean deps install-scarb test-artifacts snos-artifacts db-compat-artifacts install-pyenv build-tee
 
 usage help:
 	@echo "Usage:"
 	@echo "    deps:                      Install all required dependencies for building Katana with all features (incl. tests)."
 	@echo "    snos-deps:                 Install SNOS test dependencies (pyenv, Python 3.9.15)."
 	@echo "    build-explorer:            Build the explorer."
+	@echo "    build-tee:                 Build reproducible TEE binary (requires Docker)."
 	@echo "    contracts:                 Build the contracts."
 	@echo "    test-artifacts:            Prepare tests artifacts (including test database)."
 	@echo "    snos-artifacts:            Prepare SNOS tests artifacts."
@@ -71,6 +72,21 @@ build-explorer:
 
 contracts: $(CONTRACTS_BUILD_DIR)
 
+build-tee: contracts
+	@which docker >/dev/null 2>&1 || { echo "Error: docker is required but not installed."; exit 1; }
+	@echo "Building reproducible TEE binary..."
+	@docker build \
+		-f reproducible.Dockerfile \
+		--build-arg SOURCE_DATE_EPOCH=$$(git log -1 --format=%ct) \
+		-t katana-reproducible \
+		.
+	@echo "Extracting binary..."
+	@docker create --name katana-tee-extract katana-reproducible >/dev/null
+	@docker cp katana-tee-extract:/katana ./katana-tee
+	@docker rm katana-tee-extract >/dev/null
+	@echo "Reproducible TEE binary built: ./katana-tee"
+	@echo "SHA-384: $$(sha384sum ./katana-tee | cut -d ' ' -f 1)"
+
 # Generate the list of sources dynamically to make sure Make can track all files in all nested subdirs
 $(CONTRACTS_BUILD_DIR): $(shell find $(CONTRACTS_DIR) -type f)
 	@echo "Building contracts..."
@@ -180,5 +196,5 @@ snos-deps-macos: install-pyenv
 
 clean:
 	echo "Cleaning up generated files..."
-	-rm -rf $(SNOS_DB_DIR) $(COMPATIBILITY_DB_DIR) $(SNOS_OUTPUT) $(EXPLORER_UI_DIST) $(CONTRACTS_BUILD_DIR)
+	-rm -rf $(SNOS_DB_DIR) $(COMPATIBILITY_DB_DIR) $(SNOS_OUTPUT) $(EXPLORER_UI_DIST) $(CONTRACTS_BUILD_DIR) katana-tee
 	echo "Clean complete."

Makefile

@@ -1,14 +1,29 @@
 # Reproducible build Dockerfile for Katana TEE
 #
 # Produces bit-for-bit identical builds across different machines.
+# Uses a two-stage build: first stage vendors dependencies, second builds offline.
 #
 # Usage:
-#   docker build -f reproducible.Dockerfile -t katana-reproducible .
+#   docker build -f reproducible.Dockerfile \
+#     --build-arg SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) \
+#     -t katana-reproducible .
 #   docker create --name extract katana-reproducible
 #   docker cp extract:/katana ./katana-reproducible
 #   docker rm extract
 
+# Stage 1: Vendor dependencies
 # Pin Rust image by digest (rust:1.86.0-slim-bookworm for amd64)
+FROM rust@sha256:a044f7ab9a762f95be2ee7eb2c49e4d4a4ec60011210de9f7da01d552cae3a55 AS vendorer
+
+WORKDIR /src
+
+# Copy everything needed for vendoring
+COPY . .
+
+# Generate vendor directory and cargo config
+RUN mkdir -p .cargo && cargo vendor vendor/ > .cargo/config.toml
+
+# Stage 2: Build
 FROM rust@sha256:a044f7ab9a762f95be2ee7eb2c49e4d4a4ec60011210de9f7da01d552cae3a55 AS builder
 
 # Install musl toolchain for static linking
@@ -21,17 +36,22 @@ RUN rustup target add x86_64-unknown-linux-musl
 
 WORKDIR /build
 
+# SOURCE_DATE_EPOCH should be passed as build arg (e.g., git commit timestamp)
+# Use: docker build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) ...
+ARG SOURCE_DATE_EPOCH
+RUN test -n "$SOURCE_DATE_EPOCH" || (echo "ERROR: SOURCE_DATE_EPOCH build arg is required" && exit 1)
+
 # Reproducibility environment variables
 # Added -C link-arg=-s to strip symbols for bit-for-bit identity
-ENV SOURCE_DATE_EPOCH=1735689600 \
+ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} \
 	RUSTFLAGS="--remap-path-prefix=/build=/build --remap-path-prefix=/cargo=/cargo -C target-feature=+crt-static -C link-arg=-s" \
 	CARGO_HOME=/cargo \
 	LANG=C.UTF-8 \
 	LC_ALL=C.UTF-8 \
 	TZ=UTC
 
-# Copy everything (including the 'vendor' folder and '.cargo/config.toml')
-COPY . .
+# Copy source and vendored deps from stage 1
+COPY --from=vendorer /src .
 
 # Build using the vendored dependencies (--offline)
 # and your custom performance profile