Reproducible Builds #4027

Closed
jackzampolin opened this issue Apr 2, 2019 · 0 comments · Fixed by #4262
jackzampolin commented Apr 2, 2019

Description

As A user of Gaia
I Want to produce a build artifact whose hash matches the official release artifact's
So that I can guarantee that the binary was not compromised

Acceptance Criteria

| Given | When | Then |
| --- | --- | --- |
| a git commit C1 | I run the build script S1 from the given git commit C1 | Build artifact B2 is created |
| a binary artifact B1 built by CI for the commit C1 | | Hashsums of B2 and B1 are equal |
| a build script S1 used to produce that CI build | | |

Technical Details

alessio changed the title from "Reproducible Builds" to "US01 - Reproducible Builds" on Apr 8, 2019
alessio changed the title from "US01 - Reproducible Builds" to "Reproducible Builds" on May 2, 2019
alessio self-assigned this on May 3, 2019
alessio pushed a commit that referenced this issue May 13, 2019
This change set introduces support for building gaia with gitian
on the following GOOS/GOARCH pairs:

- darwin/386
- darwin/amd64
- linux/386
- linux/amd64
- linux/arm
- linux/arm64
- windows/386
- windows/amd64

cmd/gaia/contrib/gitian-descriptors/ contains gitian descriptor files.

cmd/gaia/contrib/gitian-keys/ contains:
- a keys.txt file that is meant to list core developers' and gitian
  builders' PGP keys.
- README.me to provide instructions on how to import the keys
  into one's personal GPG keyring.

The gosum utility is removed, so is the go.sum hashsum bit from
gaiacli/gaiad version string. It was meant to be a provisional
mitigation to the lack of a reproducible build process.

GOBIN is removed from all Makefiles. When GOBIN is set, go
refuses to cross-compile binaries for foreign architectures.
export GOBIN=$GOPATH/bin is unnecessary anyway as by
default go install places built binaries in $GOPATH/bin.
Developers are required to update their environment files and
replace $GOBIN with $GOPATH/bin in PATH.

circleci configuration file is amended accordingly.

Closes: #4027
Closes: #4280
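
The acceptance criterion in the issue (hashsums of B1 and B2 are equal) can be checked across a whole set of per-platform artifacts with a small script. The following is an added example, not part of the issue, the commit, or the project's gitian tooling; the function names, directory layout and artifact names such as `gaiad-linux-amd64` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Artifact names and contents below are constructed for the demo.

# Print the SHA-256 digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_builds CI_DIR LOCAL_DIR
# Prints MATCH, MISMATCH or MISSING for every artifact in CI_DIR (B1) and
# exits 0 only if each one has a byte-identical counterpart in LOCAL_DIR (B2).
compare_builds() (
    ci_dir=$1; local_dir=$2; checked=0; status=0
    for ci_file in "$ci_dir"/*; do
        [ -f "$ci_file" ] || continue
        name=$(basename "$ci_file"); checked=$((checked + 1))
        if [ ! -f "$local_dir/$name" ]; then
            echo "MISSING  $name"; status=1
        elif [ "$(sha256_of "$ci_file")" = "$(sha256_of "$local_dir/$name")" ]; then
            echo "MATCH    $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done
    # An empty CI directory proves nothing, so treat it as a failure.
    [ "$checked" -gt 0 ] || { echo "no CI artifacts in $ci_dir" >&2; exit 2; }
    exit "$status"
)

# Constructed sample: one identical pair, one differing pair, one missing file.
demo_compare() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/ci" "$tmp/local"
    printf 'gaiad-v0' > "$tmp/ci/gaiad-linux-amd64"
    printf 'gaiad-v0' > "$tmp/local/gaiad-linux-amd64"
    printf 'gaiad-v0' > "$tmp/ci/gaiad-darwin-amd64"
    printf 'gaiad-v0 built at 12:00' > "$tmp/local/gaiad-darwin-amd64"
    printf 'gaiad-v0' > "$tmp/ci/gaiad-windows-amd64.exe"
    compare_builds "$tmp/ci" "$tmp/local"; status=$?
    rm -rf "$tmp"
    exit "$status"
)

demo_compare || echo "local build does not reproduce CI build (exit $?)"
```

A MISMATCH line shows only that the two builds differ, not why; typical causes are embedded timestamps, build paths or toolchain differences.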