mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-02-08 19:08:40 -05:00
64 lines
2.9 KiB
Markdown
64 lines
2.9 KiB
Markdown
|
# Reproduce released artifacts
|
||
|
|
|
||
|
|
Constellation has first-class support for [reproducible builds](https://reproducible-builds.org).
|
||
|
|
Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process.
|
||
|
|
The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit.
|
||
|
|
|
||
|
|
## Build environment prerequisites
|
||
|
|
|
||
|
|
The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds.
|
||
|
|
These two dependencies should be the only prerequisites for a successful build.
|
||
|
|
However, it can't be ruled out completely that peculiarities of the host affect the build result.
|
||
|
|
Thus, we recommend the following host setup for best results:
|
||
|
|
|
||
|
|
1. A Linux operating system not older than v5.4.
|
||
|
|
2. The GNU C library not older than v2.31 (avoid `musl`).
|
||
|
|
3. GNU `coreutils` not older than v8.30 (avoid `busybox`).
|
||
|
|
4. An `ext4` filesystem for building.
|
||
|
|
5. AppArmor turned off.
|
||
|
|
|
||
|
|
This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests.
|
||
|
|
|
||
|
|
:::note
|
||
|
|
|
||
|
|
To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release.
|
||
|
|
|
||
|
|
:::
|
||
|
|
|
||
|
|
## Run the build
|
||
|
|
|
||
|
|
The following instructions outline qualitatively how to reproduce a build.
|
||
|
|
Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility.
|
||
|
|
The workflow is a good place to look up specific version numbers and build steps.
|
||
|
|
|
||
|
|
1. Check out the Constellation repository at the tag corresponding to the release.
|
||
|
|
|
||
|
|
```bash
|
||
|
|
git clone https://github.com/edgelesssys/constellation.git
|
||
|
|
cd constellation
|
||
|
|
git checkout v2.20.0
|
||
|
|
```
|
||
|
|
|
||
|
|
2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`.
|
||
|
|
3. [Install Nix](https://nixos.org/download/) (any recent version should do).
|
||
|
|
4. Run the build with `bazel build $target` for one of the following targets of interest:
|
||
|
|
|
||
|
|
```data
|
||
|
|
//cli:cli_enterprise_darwin_amd64
|
||
|
|
//cli:cli_enterprise_darwin_arm64
|
||
|
|
//cli:cli_enterprise_linux_amd64
|
||
|
|
//cli:cli_enterprise_linux_arm64
|
||
|
|
//cli:cli_enterprise_windows_amd64
|
||
|
|
```
|
||
|
|
|
||
|
|
5. Compare the build result with the downloaded release artifact.
|
||
|
|
|
||
|
|
<!-- TODO(burgerdev): document reproducing images -->
|
||
|
|
|
||
|
|
## Feedback
|
||
|
|
|
||
|
|
Reproduction failures often indicate a bug in the build system or in the build definitions.
|
||
|
|
Therefore, we're interested in any reproducibility issues you might encounter.
|
||
|
|
[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment.
|
||
|
|
Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible.
|