Reproducible build attestation pipeline

[truthixify]

Labels: Stellar Wave, stellar, tooling, security, drips, help-wanted
Tier: L (1–2 weeks)
Type: tooling / security

Context

When we deploy wraith-names to Stellar mainnet, users need to be able to prove that the deployed Wasm hash matches the open-source code at a specific commit. Without a reproducible build, anyone could claim the deployed contract has a backdoor and we'd have no rebuttal.

This is the standard "binary attestation" problem solved by reproducible builds + signed manifests.

Scope

Set up contracts/stellar/build/:

1. Pinned toolchain — rust-toolchain.toml pinning the exact Rust version, target, and stellar-cli version used for builds.
2. Dockerfile — a minimal container that:
   • Installs the pinned toolchain.
   • Builds each Soroban contract.
   • Optimizes via stellar contract optimize.
   • Produces a manifest attestation.json:

     {
       "commit": "<git sha>",
       "build_date": "2026-XX-XX",
       "toolchain": { "rust": "1.XX.X", "stellar-cli": "X.X.X" },
       "contracts": [
         { "name": "stealth-announcer", "wasm_sha256": "...", "wasm_size": 12345 }
       ]
     }

3. CI pipeline that:
   • Runs the Docker build on every tag.
   • Publishes the attestation alongside the GitHub release.
   • Signs the attestation with a key controlled by the maintainer team (sigstore / cosign).
4. Verification script — a one-liner anyone can run:

   pnpm verify:stellar-deployment --contract wraith-names --network mainnet --commit abc1234

   That fetches the deployed Wasm hash, fetches the published attestation for that commit, and verifies they match.

Constraints

• Build must be deterministic: same commit + same toolchain → same hash. No build-time timestamps, no system path leakage, no Cargo random.
• Verification script must work without network access to anything other than the Stellar RPC and GitHub releases.

Acceptance criteria

• Reproducible Dockerfile committed.
• CI publishing attestations.
• Verification script + documentation.
• One end-to-end demo: deploy to futurenet, publish attestation, verify offline.
• Threat model written: what guarantees does this provide, and what does it NOT? (E.g., it doesn't protect against compromised signing keys.)

Why this matters

Trust in Wraith depends on "what's deployed = what's audited = what's open source." Without attestation, that chain is rhetoric, not proof. This is also a prerequisite for any future security audit firms — they will refuse to audit code they can't bind to a specific deployment.

Resources

• Reproducible Builds project: https://reproducible-builds.org/
• Sigstore / cosign: https://www.sigstore.dev/

[supremeproton01]

@supremeproton01 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi maintainer, can i be assigned to this?

ℹ️ Repo Maintainers: To accept this application, review their application or assign @supremeproton01 to this issue.

[Amarjeet325]

@Amarjeet325 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hey maintainer👋,

I am a software engineer and
I would love to work on this issue. Kindly assign the issue to me. Thanks

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Amarjeet325 to this issue.

[drips-wave]

Congratulations, @Amarjeet325! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @Amarjeet325: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[truthixify]

Resolved by #46 (merged into develop).