reproducible build mismatch: d34fb89f5 instead of a380cb93e

[alevchuk]

I followed the Linux Docker instructions for reproducible build https://github.com/SeedSigner/seedsigner-os/blob/main/docs/building.md#-quickstart-seedsigner-reproducible-build-

and got a different hash

build-images-1  | /opt/buildroot
build-images-1  | d34fb89f552d4aa8b4df277782ee807c9369412205bd56e9d08137eab3622089  /opt/../images/seedsigner_os.0.7.0.pi0.img

expected hash is from sig file in the release notes https://github.com/SeedSigner/seedsigner/releases/tag/0.7.0:

a380cb93eb852254863718a9c000be9ec30cee14a78fc0ec90708308c17c1b8a  seedsigner_os.0.7.0.pi0.img

attaching last 3k lines of the build log
seedsigner-os-BUILD.log

My build environment was:
seedsigner-os commit 83e8cac

cat /proc/cpuinfo | grep Model
Model           : Raspberry Pi 4 Model B Rev 1.5

docker --version
Docker version 26.0.1, build d260a54

uname -a
Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux


$ file /lib/systemd/systemd
/lib/systemd/systemd: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, Build
ID[sha1]=33113bf93a1240aab27c7cdd73fdb9a5ba686842, for GNU/Linux 3.7.0, stripped

[alevchuk]

I'm getting the d34fb89f5 hash every time I build it, the image works for booting a pi zero. Here is the full log of the build
seedsigner-os-BUILD.log.gz

[jdlcdl]

I suspect that on the same architecture, will always get the same reproducible binary, but for the release reproducible, everyone was always running docker by preceding it with env variables that forced it to build with docker as if on amd64 (and virtualizing is known to work but also makes it very slow if not already on amd64 hardware).

Just want to confirm that you did
export DOCKER_DEFAULT_PLATFORM=linux/amd64

before the rest of the build instructions.

[alevchuk]

yes, i did

[jdlcdl]

replying late. Im rebuilding now following same instructions as you linked to. I'll reply in the morning with my results.

[newtonick]

I did a build a few days ago and got the matching a380cb93eb852254863718a9c000be9ec30cee14a78fc0ec90708308c17c1b8a hash. @alevchuk what command did you run to kick off the build? SS_ARGS="--$BOARD_TYPE --app-branch=0.7.0" docker compose up --force-recreate --build ?

[jdlcdl]

My run last night ended up building a binary w/ expected hash for pi0 and release 0.7.0.

a380cb93eb852254863718a9c000be9ec30cee14a78fc0ec90708308c17c1b8a /opt/../images/seedsigner_os.0.7.0.pi0.img

[alevchuk]

@jdlcdl

what command did you run to kick off the build? SS_ARGS="--$BOARD_TYPE --app-branch=0.7.0" docker compose up --force-recreate --build ?

yes, but with "sudo " in front of it

[alevchuk]

fwiw, sha256 sums of the contents of my image:
seedsigner-os-BUILD-image-contents.txt

i got them like this:

sudo apt-get install kpartx
sudo losetup /dev/loop6  ~/seedsigner-os/opt/../images/seedsigner_os.0.7.0.pi0.img
sudo kpartx -a /dev/loop6
sudo mkdir /mnt/tmp
sudo mount /dev/mapper/loop6p1 /mnt/tmp
find  /mnt/tmp | xargs sha256sum  > ~/seedsigner-os-BUILD-image-contents.txt

diff a.txt b.txt of two .txt files would show what's diffrent

[jdlcdl]

...would show what's diffrent

Thank you for making this easy (explaining how to set it up). The only diff I found was with zImage (but that doesn't tell us much).

mine vs yours

257c257
< 3a75a5447d0e6986e086e5f031e0e7c00d066c48a4a544f6ebcf5b5b5f93ccaa  /mnt/tmp/zImage
---
> 72bf0671363057c392391761aeafbb5bd9b222aff835e0afb6d5591af7a7a2b1  /mnt/tmp/zImage

I'm slow to reply recently while dealing w/ other busy work. I'll work in the following direction (from @newtonick's gist written during the closed pr #51) as soon as I get time and will reply here.
https://gist.github.com/newtonick/2df134a84fd04398bd925a000e979112#bonus-round

[alevchuk]

I ran thru the instructions in the gist Bonus Round and got this difference from @newtonick's rootfs.md5.chk
rootfs.md5.chk.diff.txt

for for example my controller.py difference looks like this:

1d0
< import time
3c2
<
---
> import time
5a5,6
> from embit.descriptor import Descriptor
> from embit.psbt import PSBT
7a9,12
> from seedsigner.gui.toast import BaseToastOverlayManagerThread
> from seedsigner.models.psbt_parser import PSBTParser
> from seedsigner.models.seed import Seed
> from seedsigner.models.seed_storage import SeedStorage
10a16
> from seedsigner.views.screensaver import ScreensaverScreen
100c106
<     _storage: 'SeedStorage' = None   # TODO: Rename "storage" to something more indicative of its temp, in-memory state
---
>     _storage: SeedStorage = None   # TODO: Rename "storage" to something more indicative of its temp, in-memory state
105,107c111,113
<     psbt: 'embit.psbt.PSBT' = None
<     psbt_seed: 'Seed' = None
<     psbt_parser: 'PSBTParser' = None
---
>     psbt: PSBT = None
>     psbt_seed: Seed = None
>     psbt_parser: PSBTParser = None
111c117
<     multisig_wallet_descriptor: 'embit.descriptor.Descriptor' = None
---
>     multisig_wallet_descriptor: Descriptor = None
132,133c138,139
<     screensaver: 'ScreensaverScreen' = None
<     toast_notification_thread: 'BaseToastOverlayManagerThread' = None
---
>     screensaver: ScreensaverScreen = None
>     toast_notification_thread: BaseToastOverlayManagerThread = None
208c214
<     def get_seed(self, seed_num: int) -> 'Seed':
---
>     def get_seed(self, seed_num: int) -> Seed:
397c403
<     def activate_toast(self, toast_manager_thread: 'BaseToastOverlayManagerThread'):
---
>     def activate_toast(self, toast_manager_thread: BaseToastOverlayManagerThread):

[alevchuk]

basically it's putting quotation marks around things in python files

i wonder what's doing this "pre-processing"