Skip to content

Add reproducible build setup #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
xxuejie merged 10 commits into from
Sep 8, 2025
Merged

Add reproducible build setup #15

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
f5731a3
Add reproducible build setup
xxuejie Sep 8, 2025
1d866ec
Fix CI
xxuejie Sep 8, 2025
3293e91
Skip unsupported LDFLAGS in macOS
xxuejie Sep 8, 2025
496c5c8
Restore to latest LLVM
xxuejie Sep 8, 2025
eb2fc1a
Fix typo
xxuejie Sep 8, 2025
5d9f282
Yet another fix
xxuejie Sep 8, 2025
01409c8
Try using lld on macOS
xxuejie Sep 8, 2025
3d6c77a
Use lld linker
xxuejie Sep 8, 2025
52544dd
Update rust.yml
xxuejie Sep 8, 2025
53aff57
Fix description
xxuejie Sep 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions .github/workflows/rust.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,17 @@ jobs:
- name: git diff
run: git diff --exit-code

reproducible-build:

runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
with:
submodules: "true"
- name: Reproducible build
run: ./scripts/reproducible_build_docker

macos-build:

runs-on: macos-latest
Expand All @@ -34,7 +45,5 @@ jobs:
- name: Install latest llvm & lld
run: brew install llvm lld
- uses: actions-rust-lang/setup-rust-toolchain@v1
- name: Prepare, build, test, clippy, format
run: make prepare build test clippy fmt
- name: git diff
run: git diff --exit-code
- name: Prepare, build, test, clippy
run: make prepare build test clippy
10 changes: 10 additions & 0 deletions checksums.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
59a4c25e6185f906ba379db530fc08c1e1f8aa23db2bcb265a6ab321a0d5b527 build/release/c-sphincs-all-in-one-lock
55fbe64ca9dfc17335ee9af56083dde6bbdf23c79a967d37805b8467b86d458e build/release/c-sphincs-all-in-one-lock.debug
313f3122a5ad662a9f7cf81d18d3ec4fd3ba3ea5af43fb3ac405844731d6306a build/release/hybrid-sphincs-all-in-one-lock
7cfd89954d36dc22381b3d5179eb7c75556abe8c576bf3551cdda3d5d60ace0d build/release/hybrid-sphincs-all-in-one-lock.debug
67e27355b90b19e4768ef83d771d085aaee451942eb84c88f7383e23e7ec80ac build/release/nist-vector-tester
a0999aac87383e8ac3191f6d9472d2e94b61e9077b1bcd00f510d6cf67e3ab7f build/release/nist-vector-tester.debug
fb6448fc699653474620c041b0be05b0393b612a023221010f39a61c47c9102f build/release/spawn-exec-test-runner
0ceeffed81973224e315953147012c3fe6a058f0f24c605fc53deefd7564d72b build/release/spawn-exec-test-runner.debug
45946de1491b199b2975b6c7bff7a5149e384337db1ced7a366c9ef7299f0884 build/release/sphincs-all-in-one-lock
6dadb87af0433b1045a5271f1efca6420e1408df6668498043ca3e2a91c37c54 build/release/sphincs-all-in-one-lock.debug
4 changes: 4 additions & 0 deletions contracts/c-sphincs-all-in-one-lock/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,11 @@ CFLAGS += --target=riscv64 -march=rv64imc_zba_zbb_zbc_zbs \
CFLAGS += -I $(SPHINCS_PLUS_DIR) -I $(CUR_BUILD) -I $(cur_dir)/utils
# CFLAGS += -DCKB_C_STDLIB_PRINTF

OS := $(shell uname -s)
LDFLAGS := -static -Wl,--gc-sections
ifeq ($(OS),Darwin)
LDFLAGS += -fuse-ld=lld
endif

default: build

Expand Down
66 changes: 66 additions & 0 deletions scripts/reproducible_build_docker
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
#!/usr/bin/env bash
#
# An utility script helping with reproducible script builds via docker.
# Note that this utility serves only as one example, docker is not
# necessarily THE way to do reproducible build, nor is it the best way
# to do reproducible build.
set -ex

DOCKER="${DOCKER:-docker}"
# docker pull docker.io/cryptape/llvm-n-rust:20250617
DOCKER_IMAGE="${DOCKER_IMAGE:-docker.io/cryptape/llvm-n-rust@sha256:d6d1f9a6656039273210de91913c828f5b4aa4a3282d2c93ed19bcb7bbf728fe}"
CHECKSUM_FILE_PATH="${CHECKSUM_FILE_PATH:-checksums.txt}"

# We are parsing command line arguments based on tips from:
# https://stackoverflow.com/a/14203146

while [[ $# -gt 0 ]]; do
case $1 in
-p|--proxy)
PROXY="$2"
shift # past argument
shift # past value
;;
-u|--update)
UPDATE="yes"
shift # past argument
;;
--no-clean)
NOCLEAN="yes"
shift # past argument
;;
-*|--*)
echo "Unknown option $1"
exit 1
;;
*)
echo "Unknown argument $1"
exit 1
;;
esac
done

if [[ -n "${PROXY}" ]]; then
DOCKER_RUN_ARGS="-e ALL_PROXY=${PROXY} -e HTTPS_PROXY=${PROXY} -e HTTP_PROXY=${PROXY} ${DOCKER_RUN_ARGS}"
fi

TASKS=""
if [[ "${NOCLEAN}" != "yes" ]]; then
TASKS+=" clean "
fi

if [[ "${UPDATE}" = "yes" ]]; then
TASKS+=" checksum CHECKSUM_FILE=${CHECKSUM_FILE_PATH} "
else
TASKS+=" build "
fi

$DOCKER run --rm $DOCKER_RUN_ARGS -v `pwd`:/code $DOCKER_IMAGE make $TASKS
# Reset file ownerships for all files docker might touch
$DOCKER run --rm $DOCKER_RUN_ARGS -e UID=`id -u` -e GID=`id -g` -v `pwd`:/code $DOCKER_IMAGE bash -c 'chown -R -f $UID:$GID checksums.txt build target'

if [[ "${UPDATE}" = "yes" ]]; then
echo "${CHECKSUM_FILE_PATH} file is updated with latest binary hashes!"
else
shasum -a 256 -c ${CHECKSUM_FILE_PATH}
fi