diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 65a4b91..abad3de 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -23,6 +23,17 @@ jobs:
 - name: git diff
 run: git diff --exit-code
+ reproducible-build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: "true"
+ - name: Reproducible build
+ run: ./scripts/reproducible_build_docker
+
 macos-build:
 runs-on: macos-latest
@@ -34,7 +45,5 @@ jobs:
 - name: Install latest llvm & lld
 run: brew install llvm lld
 - uses: actions-rust-lang/setup-rust-toolchain@v1
- - name: Prepare, build, test, clippy, format
- run: make prepare build test clippy fmt
- - name: git diff
- run: git diff --exit-code
+ - name: Prepare, build, test, clippy
+ run: make prepare build test clippy
diff --git a/checksums.txt b/checksums.txt
new file mode 100644
index 0000000..7bb58a1
--- /dev/null
+++ b/checksums.txt
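Review bot: The new `reproducible-build` job references `actions/checkout@v4` by a movable tag, even though the job exists to confirm that the built binaries match `checksums.txt`; pinning it to a full commit SHA, `uses: actions/checkout@<full-commit-sha> # v4`, keeps the verifier's own inputs fixed in the same way the script pins the Docker image by digest. The checkout also leaves the workflow token in `.git/config` by default, and the script bind-mounts the whole workspace into the container, so adding `persist-credentials: false` under `with:` and a job-level `permissions:` with `contents: read` would limit what the build step can reach. Whether a top-level `permissions:` block already exists cannot be seen from this hunk.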
@@ -0,0 +1,10 @@
+59a4c25e6185f906ba379db530fc08c1e1f8aa23db2bcb265a6ab321a0d5b527 build/release/c-sphincs-all-in-one-lock
+55fbe64ca9dfc17335ee9af56083dde6bbdf23c79a967d37805b8467b86d458e build/release/c-sphincs-all-in-one-lock.debug
+313f3122a5ad662a9f7cf81d18d3ec4fd3ba3ea5af43fb3ac405844731d6306a build/release/hybrid-sphincs-all-in-one-lock
+7cfd89954d36dc22381b3d5179eb7c75556abe8c576bf3551cdda3d5d60ace0d build/release/hybrid-sphincs-all-in-one-lock.debug
+67e27355b90b19e4768ef83d771d085aaee451942eb84c88f7383e23e7ec80ac build/release/nist-vector-tester
+a0999aac87383e8ac3191f6d9472d2e94b61e9077b1bcd00f510d6cf67e3ab7f build/release/nist-vector-tester.debug
+fb6448fc699653474620c041b0be05b0393b612a023221010f39a61c47c9102f build/release/spawn-exec-test-runner
+0ceeffed81973224e315953147012c3fe6a058f0f24c605fc53deefd7564d72b build/release/spawn-exec-test-runner.debug
+45946de1491b199b2975b6c7bff7a5149e384337db1ced7a366c9ef7299f0884 build/release/sphincs-all-in-one-lock
+6dadb87af0433b1045a5271f1efca6420e1408df6668498043ca3e2a91c37c54 build/release/sphincs-all-in-one-lock.debug
diff --git a/contracts/c-sphincs-all-in-one-lock/Makefile b/contracts/c-sphincs-all-in-one-lock/Makefile
index 82c8a34..5ca315d 100644
--- a/contracts/c-sphincs-all-in-one-lock/Makefile
+++ b/contracts/c-sphincs-all-in-one-lock/Makefile
@@ -50,7 +50,11 @@ CFLAGS += --target=riscv64 -march=rv64imc_zba_zbb_zbc_zbs \
 CFLAGS += -I $(SPHINCS_PLUS_DIR) -I $(CUR_BUILD) -I $(cur_dir)/utils
 # CFLAGS += -DCKB_C_STDLIB_PRINTF
+OS := $(shell uname -s)
 LDFLAGS := -static -Wl,--gc-sections
+ifeq ($(OS),Darwin)
+ LDFLAGS += -fuse-ld=lld
+endif
 default: build
diff --git a/scripts/reproducible_build_docker b/scripts/reproducible_build_docker
new file mode 100755
index 0000000..dd61351
--- /dev/null
+++ b/scripts/reproducible_build_docker
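Review bot: The `ifeq ($(OS),Darwin)` branch adds `-fuse-ld=lld` with no comment explaining why macOS needs a different linker. A line above it such as `# macOS: the host's default linker cannot link the riscv64 ELF output, so use LLVM's lld` would record the reason, assuming that is the motivation. Because the linker now depends on the host, it may also be worth stating there that the hashes in `checksums.txt` are only expected to match builds made inside the pinned Docker image. The hunk shows only part of the Makefile, so the link rule that consumes `LDFLAGS` is not visible here.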
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+#
+# An utility script helping with reproducible script builds via docker.
+# Note that this utility serves only as one example, docker is not
+# necessarily THE way to do reproducible build, nor is it the best way
+# to do reproducible build.
+set -ex
+
+DOCKER="${DOCKER:-docker}"
+# docker pull docker.io/cryptape/llvm-n-rust:20250617
+DOCKER_IMAGE="${DOCKER_IMAGE:-docker.io/cryptape/llvm-n-rust@sha256:d6d1f9a6656039273210de91913c828f5b4aa4a3282d2c93ed19bcb7bbf728fe}"
+CHECKSUM_FILE_PATH="${CHECKSUM_FILE_PATH:-checksums.txt}"
+
+# We are parsing command line arguments based on tips from:
+# https://stackoverflow.com/a/14203146
+
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ -p|--proxy)
+ PROXY="$2"
+ shift # past argument
+ shift # past value
+ ;;
+ -u|--update)
+ UPDATE="yes"
+ shift # past argument
+ ;;
+ --no-clean)
+ NOCLEAN="yes"
+ shift # past argument
+ ;;
+ -*|--*)
+ echo "Unknown option $1"
+ exit 1
+ ;;
+ *)
+ echo "Unknown argument $1"
+ exit 1
+ ;;
+ esac
+done
+
+if [[ -n "${PROXY}" ]]; then
+ DOCKER_RUN_ARGS="-e ALL_PROXY=${PROXY} -e HTTPS_PROXY=${PROXY} -e HTTP_PROXY=${PROXY} ${DOCKER_RUN_ARGS}"
+fi
+
+TASKS=""
+if [[ "${NOCLEAN}" != "yes" ]]; then
+ TASKS+=" clean "
+fi
+
+if [[ "${UPDATE}" = "yes" ]]; then
+ TASKS+=" checksum CHECKSUM_FILE=${CHECKSUM_FILE_PATH} "
+else
+ TASKS+=" build "
+fi
+
+$DOCKER run --rm $DOCKER_RUN_ARGS -v `pwd`:/code $DOCKER_IMAGE make $TASKS
+# Reset file ownerships for all files docker might touch
+$DOCKER run --rm $DOCKER_RUN_ARGS -e UID=`id -u` -e GID=`id -g` -v `pwd`:/code $DOCKER_IMAGE bash -c 'chown -R -f $UID:$GID checksums.txt build target'
+
+if [[ "${UPDATE}" = "yes" ]]; then
+ echo "${CHECKSUM_FILE_PATH} file is updated with latest binary hashes!"
+else
+ shasum -a 256 -c ${CHECKSUM_FILE_PATH}
+fi
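Review bot: The two `docker run` lines and the final `shasum` call expand the `pwd` substitution, `$DOCKER_RUN_ARGS` and `${CHECKSUM_FILE_PATH}` unquoted, so a checkout path containing spaces breaks the `-v` bind mount and a `--proxy` value is word-split into separate docker arguments. Holding the run arguments in an array and quoting the mount and checksum path avoids both, as sketched below. Because `set -ex` traces every command, a proxy URL that embeds credentials would also be printed to the build log; dropping `-x`, or turning tracing off around the `docker run` lines, keeps it out. The ownership reset hard-codes `checksums.txt` while the rest of the script honours `CHECKSUM_FILE_PATH`, so an overridden path is presumably left owned by the container user.

```bash
# … unchanged: option parsing …
# Keep docker arguments in an array so no value is re-split by the shell.
read -r -a DOCKER_RUN_ARGS <<< "${DOCKER_RUN_ARGS:-}"
if [[ -n "${PROXY}" ]]; then
  DOCKER_RUN_ARGS+=(-e "ALL_PROXY=${PROXY}" -e "HTTPS_PROXY=${PROXY}" -e "HTTP_PROXY=${PROXY}")
fi
# … unchanged: TASKS assembly …
$DOCKER run --rm "${DOCKER_RUN_ARGS[@]}" -v "$(pwd):/code" "$DOCKER_IMAGE" make $TASKS
# … unchanged: ownership reset (same quoting applies) and the update message …
shasum -a 256 -c "${CHECKSUM_FILE_PATH}"
```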