
Reproducible build of 1.4.3 did not match #188

Open
achow101 opened this issue Sep 6, 2021 · 3 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@achow101

achow101 commented Sep 6, 2021

I attempted to perform a reproducible build of Sparrow 1.4.3 but my build results did not match the published release. The build was deterministic in that repeated attempts to build it resulted in the same binary, but the build results did not match the published binaries.

It seems like the problem is that the Java runtime is bundled with Sparrow, and this runtime is pulled from the system doing the build itself. So I likely have a different runtime installed and this causes the non-reproducibility.

Additionally, the deb and rpm files are not reproducible. Diffoscope tells me that this is partially timestamp based, but also more complicated than just that.

@craigraw
Collaborator

craigraw commented Sep 7, 2021

Thanks for the investigation into this. Reproducibility is very much a goal for this project.

As you note, v1.4.3 is not reproducible across different machines. Versions earlier than this were in fact not even reproducible on the same machine, but the upgrade to Java 16 (which was largely done to resolve this reproducibility related bug: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8252730) resolved this.

The runtime bundled with Sparrow can be a problem in achieving reproducibility, but this can be resolved by specifying the same Java release by the same vendor. For Sparrow, this is currently AdoptOpenJDK jdk-16.0.1+9 Hotspot (available for all supported platforms from this page: https://adoptopenjdk.net/archive.html?variant=openjdk16&jvmVariant=hotspot). For future reference, they are:

When ./gradlew jpackage is executed running on this release (use ./gradlew -v to check) then the included Java runtime will be identical.

The v1.5.0 release will continue the journey to full reproducibility. The binaries for this release should be reproducible across machines. By that I mean the binaries themselves, not the installer packages (so the contents of the tar.gz or .zip files). There is now a v1.5.0-beta1 release on which I've tested this across different Linux and Windows machines. Further testing of this beta would be much appreciated!

The next steps are the installer packages, and the signatures for the MacOS release DMG. I don't have deep experience in either the different packaging formats or on how best to solve the problem of verifying a signed binary (I note there are different approaches here). That said, I'm confident these challenges can be overcome (and would welcome any assistance!).
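The procedure the comment above describes (pin the build JDK, then compare the produced tar.gz/zip against the published release) as an added shell example; this is not code from the Sparrow project or the thread. It assumes the `java -version` banner format shown in the comments and a published manifest in `sha256sum` format (hash, two spaces, file name); the pinned release string comes from the comment above.

```shell
#!/bin/sh
# Added example (not Sparrow's own tooling): check that the JDK used for
# ./gradlew jpackage is the pinned AdoptOpenJDK release, then verify the
# resulting archives against a published SHA-256 manifest.

PINNED_JDK="16.0.1+9"   # AdoptOpenJDK jdk-16.0.1+9 Hotspot, as pinned in the thread

# Return 0 if a "java -version" banner reports the pinned build.
# Assumed banner shape (constructed for this example):
#   openjdk version "16.0.1" 2021-04-20
#   OpenJDK Runtime Environment AdoptOpenJDK-16.0.1+9 (build 16.0.1+9)
jdk_matches_pin() {
    case "$1" in
        *"(build $PINNED_JDK)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the SHA-256 of a file with whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare each "sha256  filename" line of a published manifest against the
# local build directory. Prints one line per file; returns 0 only when every
# listed file exists locally and hashes identically (missing counts as failure).
verify_against_manifest() {
    manifest="$1"; builddir="$2"; status=0
    while read -r expected name; do
        if [ -z "$name" ]; then continue; fi
        if [ ! -f "$builddir/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual=$(sha256_of "$builddir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "MATCH    $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done < "$manifest"
    return $status
}

# Stand-alone use: ./verify.sh --run manifest.txt build/jpackage
if [ "${1:-}" = "--run" ]; then
    jdk_matches_pin "$(java -version 2>&1)" || { echo "JDK is not $PINNED_JDK; build will not reproduce" >&2; exit 1; }
    verify_against_manifest "$2" "$3"
fi
```

The toolchain check runs before the build because, as the thread explains, a differing bundled runtime alone makes the archives diverge even when the build itself is deterministic.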

@craigraw
Collaborator

craigraw commented Sep 9, 2021

First draft of reproducible build instructions: https://github.com/sparrowwallet/sparrow/blob/master/docs/reproducible.md

@6102bitcoin
Collaborator

6102bitcoin commented Oct 4, 2021

To summarise for those reading: 1.5.0+ has reproducible .tar.gz and .zip. Installer packages are not (yet). Assistance wanted.

@6102bitcoin 6102bitcoin added enhancement New feature or request help wanted Extra attention is needed labels Oct 4, 2021