Due to the move of Bitcoin Core to Guix, this repository is switching to maintenance mode. Only serious bugs (including security issues) will be considered going forward.
This package can do a deterministic build of a package inside a VM.
Deterministic build inside a VM
This performs a build inside a VM, with deterministic inputs and outputs. If the build script takes care of all sources of non-determinism (mostly caused by timestamps), the result will always be the same. This allows multiple independent verifiers to sign a binary with the assurance that it really came from the source they reviewed.
Also, I had to modify the default /etc/sudoers file to uncomment the secure_path line, because vmbuilder isn't found otherwise when the env -i ... sudo vmbuilder ... line is executed (because the -i flag resets the environment variables, including the PATH).
Gentoo:
layman -a luke-jr # needed for vmbuilder
sudo emerge dev-vcs/git net-misc/apt-cacher-ng app-emulation/vmbuilder dev-lang/ruby
sudo emerge app-emulation/qemu
export KVM=qemu-system-x86_64
Ubuntu:
This pulls in all pre-requisites for KVM building on Ubuntu:
Gitian supports Debian guests in addition to Ubuntu guests. Note that this doesn't mean you can allow the builders to choose to use either Debian or Ubuntu guests. The person creating the Gitian descriptor will need to choose a particular distro and suite for the guest and all builders must use that particular distro and suite, otherwise the software won't reproduce for everyone.
To create a Debian guest:
bin/make-base-vm --distro debian --suite jessie
There is currently no support for LXC Debian guests. There is just KVM support. LXC support for Debian guests is planned to be added soon.
Only Debian Jessie guests have been tested with Gitian. If you have success (or trouble) with other versions of Debian, please let us know.
If you are creating a Gitian descriptor, you can now specify a distro. If no distro is provided, the default is to assume Ubuntu. Since Ubuntu is assumed, older Gitian descriptors that don't specify a distro will still work as they always have.
Set the USE_DOCKER environment variable to use DOCKER instead of KVM:
export USE_DOCKER=1
VirtualBox
Command-line VBoxManage must be in your $PATH.
Setup:
make-base-vm cannot yet make VirtualBox virtual machines (patches welcome; it should be possible to use VBoxManage, boot-from-network Linux images and PXE booting to do it). So you must either get or manually create VirtualBox machines that:
Are named Gitian-<suite>-<arch> -- e.g. Gitian-xenial-i386 for a 32-bit, Ubuntu 16 machine.
Have a booted-up snapshot named Gitian-Clean. The build script resets the VM to that snapshot to get reproducible builds.
Have the VM's NAT networking set up to forward port localhost:2223 on the host machine to port 22 of the VM; e.g.:
Then log into the VM and copy the ssh keys to root's authorized_keys file.
ssh -p 2223 ubuntu@localhost
# Now in the vm
sudo bash
mkdir -p .ssh && chmod 700 .ssh && cat ~ubuntu/.ssh/authorized_keys >> .ssh/authorized_keys
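Since make-base-vm cannot create these machines for you, it is easy to end up with a VM that is missing one of the three requirements above and only find out when the build script fails to reset or reach it. The following is an added example (not part of gitian-builder) of a small sanity check: it parses the output of VBoxManage showvminfo --machinereadable and reports whether the name, the Gitian-Clean snapshot and the 2223->22 NAT rule are all present. The function names are hypothetical, and the key names it looks for (name=, Forwarding(N)=, SnapshotName*=) are assumed from VBoxManage's machine-readable output format; adjust the patterns if your VirtualBox version prints them differently. The sample outputs at the bottom are constructed so the parsing can be exercised without VirtualBox installed.

```shell
#!/bin/sh
# Added example, not gitian-builder code: verify a hand-built VirtualBox VM
# against the three requirements in the VirtualBox setup section.
# Key names (name=, Forwarding(N)=, SnapshotName*=) are assumed from the
# `VBoxManage showvminfo --machinereadable` output format.

# vm_name <suite> <arch>: the naming convention the build script relies on
vm_name() {
    printf 'Gitian-%s-%s\n' "$1" "$2"
}

# has_snapshot <info-text> <snapshot-name>: succeeds if the snapshot tree
# (SnapshotName=, SnapshotName-1=, SnapshotName-1-2=, ...) contains the name
has_snapshot() {
    printf '%s\n' "$1" | grep -Eq "^SnapshotName(-[0-9]+)*=\"$2\""
}

# has_ssh_forward <info-text> <host-port> <guest-port>: succeeds if some NAT
# rule forwards TCP <host-port> to <guest-port>; host/guest IP fields may be empty
has_ssh_forward() {
    printf '%s\n' "$1" | grep -Eq "^Forwarding\([0-9]+\)=\"[^,\"]*,tcp,[^,\"]*,$2,[^,\"]*,$3\""
}

# check_vm_info <info-text> <suite> <arch>: prints "ok" when every requirement
# is met, otherwise "missing:" followed by the failed items
check_vm_info() {
    info=$1
    missing=""
    printf '%s\n' "$info" | grep -q "^name=\"$(vm_name "$2" "$3")\"" || missing="$missing name"
    has_snapshot "$info" Gitian-Clean || missing="$missing snapshot"
    has_ssh_forward "$info" 2223 22 || missing="$missing portforward"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# check_vbox_vm <suite> <arch>: the live check; needs VBoxManage in $PATH
check_vbox_vm() {
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not in PATH" >&2; return 1; }
    check_vm_info "$(VBoxManage showvminfo "$(vm_name "$1" "$2")" --machinereadable)" "$1" "$2"
}

# Constructed, abbreviated sample output so the parsing can be tested offline.
# A VM that satisfies all three requirements:
SAMPLE_GOOD='name="Gitian-xenial-i386"
ostype="Ubuntu (32-bit)"
Forwarding(0)="guestssh,tcp,,2223,,22"
SnapshotName="Gitian-Clean"
SnapshotUUID="00000000-0000-0000-0000-000000000000"
CurrentSnapshotName="Gitian-Clean"'

# A VM with the wrong host port and no Gitian-Clean snapshot:
SAMPLE_BAD='name="Gitian-xenial-i386"
ostype="Ubuntu (32-bit)"
Forwarding(0)="guestssh,tcp,,2222,,22"
SnapshotName="Fresh Install"'
```

Run check_vbox_vm xenial i386 on the host before exporting USE_VBOX=1; anything other than ok means the build script will not be able to reset the VM to Gitian-Clean or reach it on localhost:2223.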
Set the USE_VBOX environment variable to use VBOX instead of KVM:
export USE_VBOX=1
Sanity-testing
If you have everything set-up properly, you should be able to:
PATH=$PATH:$(pwd)/libexec
make-clean-vm --suite xenial --arch i386
# on-target needs $DISTRO to be set to debian if using a Debian guest
# (when running gbuild, $DISTRO is set based on the descriptor, so this line isn't needed)
DISTRO=debian
# For LXC:
LXC_ARCH=i386 LXC_SUITE=xenial on-target ls -la
# For KVM:
start-target 32 xenial-i386 &
# wait a few seconds for VM to start
on-target ls -la
stop-target
Building
Copy any additional build inputs into a directory named inputs.
Then execute the build using a YAML description file (can be run as non-root):
export USE_LXC=1 # LXC only
bin/gbuild <package>.yml
or if you need to specify a commit for one of the git remotes:
bin/gbuild --commit <dir>=<hash> <package>.yml
The resulting report will appear in result/<package>-res.yml.
Where <signer> is your signing PGP key ID and <release-name> is the name for the current release. This will put the result and signature in the sigs/<package>/<release-name> directory. The sigs/<package> directory can be managed through git to coordinate multiple signers.
After you've merged everybody's signatures, verify them:
You can run the utilities in libexec by running PATH="libexec:$PATH"
To start the target VM run start-target 32 xenial-i386 or start-target 64 xenial-amd64
To ssh into the target run on-target (after setting $DISTRO to debian if using a Debian guest) or on-target -u root
On the target, the build directory contains the code as it is compiled and install contains intermediate libraries
By convention, the script in <package>.yml starts with any environment setup you would need to manually compile things on the target
TODO:
disable sudo in target, just in case of a hypervisor exploit
tar and other archive timestamp setter
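The TODO item above, and the "Deterministic build inside a VM" section, both come down to the same point: if an archive records the time a file was written, two verifiers who build from the same source will get different bytes and different hashes. The following is an added example (not gitian-builder code) of the kind of archive timestamp normalization that item refers to, written so it can be run and compared against the usual one-liner. It assumes GNU tar and GNU gzip (the --sort, --mtime, --owner and --format options and gzip -n are GNU extensions); the function names and the SOURCE_DATE_EPOCH default are this example's own choices, and the source tree it packs is constructed inline.

```shell
#!/bin/sh
# Added example, not gitian-builder code: pack a build tree into a tarball whose
# bytes do not depend on file mtimes, readdir order, or the builder's uid/gid.
# Assumes GNU tar and GNU gzip.

# Fixed timestamp stamped on every archive member. SOURCE_DATE_EPOCH is the
# reproducible-builds.org convention; the default here is 2000-01-01T00:00:00Z.
: "${SOURCE_DATE_EPOCH:=946684800}"

# reproducible_tar <srcdir> <out.tar.gz>
reproducible_tar() {
    # --sort=name      member order no longer depends on the filesystem's readdir order
    # --mtime          every member, directories included, gets the same fixed mtime
    # --owner/--group  do not record the builder's uid/gid or user name
    # --numeric-owner  store numbers, not names, so /etc/passwd differences do not matter
    # --format=gnu     no pax extended headers (their member names embed the process id)
    # gzip -n          leave the original file name and timestamp out of the gzip header
    tar --format=gnu --sort=name --mtime="@${SOURCE_DATE_EPOCH}" \
        --owner=0 --group=0 --numeric-owner \
        -C "$1" -cf - . | gzip -n -9 > "$2"
}

# naive_tar <srcdir> <out.tar.gz>: the usual one-liner, kept for comparison
naive_tar() {
    tar -C "$1" -czf "$2" .
}

# sha256_of <file>: print just the hex digest
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# build_twice <tar-function>: archive the same constructed tree twice, the second
# time with different file mtimes (as another verifier's fresh checkout would
# have), and print "same" if the two digests agree, "different" otherwise.
build_twice() {
    work=$(mktemp -d)
    mkdir -p "$work/src/lib"
    # constructed sample source tree
    printf 'int main(void) { return 0; }\n' > "$work/src/main.c"
    printf 'all: main\n' > "$work/src/lib/Makefile"
    touch -d '2020-01-01 00:00:00 UTC' "$work/src/main.c" "$work/src/lib/Makefile"
    "$1" "$work/src" "$work/first.tar.gz"
    touch -d '2021-06-15 12:34:56 UTC' "$work/src/main.c" "$work/src/lib/Makefile"
    "$1" "$work/src" "$work/second.tar.gz"
    first=$(sha256_of "$work/first.tar.gz")
    second=$(sha256_of "$work/second.tar.gz")
    rm -rf "$work"
    if [ "$first" = "$second" ]; then echo same; else echo different; fi
}
```

build_twice reproducible_tar prints same and build_twice naive_tar prints different: the content is identical in both runs, so the only thing the naive archive's digest is measuring is when the files were written. Inside a gbuild script the same flags would be used on the final package archive, so that the hash in result/<package>-res.yml depends only on the reviewed source.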
LXC tips
bin/gbuild runs lxc-execute or lxc-start, which may require root. If you are in the admin group, you can add the following sudoers line to prevent asking for the password every time: