Reproducible build of Freenet do-it-yourself: verify-build demystified

You might know the reproducible-builds project, which tries to allow users to verify that what they install actually corresponds to the released source. Or GNU Guix, which provides transparent reproducible binaries — along with a challenge-function.

Given that Freenet is made for people with high expectations for integrity, it might not surprise you that Freenet has been providing a verifiable¹ build and a verification script since 2012. However, until release 1481 it was a hassle to set up, and few people used it.

But now that we’re on gradle, verifying that what I release is actually what’s tagged in the source is much easier than before.

The following instructions are for GNU/Linux, and maybe other *nixes, allowing you to verify the test release of 1482. You can easily adapt them for future releases.

preparation

First off: to verify 1482 you NEED Java 7 - in general you need the Java version I release with. I hope that starting with 1483 it will be Java 8.

get the release

Start by downloading the jar: SSK@…/jar-1482 (needs a running Freenet)

Copy it to /tmp/freenet-1482.jar

verify it

Then run the following:

failureWarning="FAILED TO VERIFY.
If you determine that this failure is not due to build environment differences,
then the source files used to build the published version of Freenet are
different from the published source files. The build has been compromised.
Take care to only run versions of Freenet with published, reviewable source code,
as compromised versions of Freenet could easily contain back doors."

cd /tmp/
git clone git@github.com:freenet/fred.git
cd fred
git checkout build01482
./gradlew jar
mv build/libs/freenet.jar ../freenet-built.jar
cd ..

# unpack both jars and list their files (find . so the ./ prefix is the same on every find)
mkdir unpacked-built
unzip freenet-built.jar -d unpacked-built
(cd unpacked-built; find . -type f) | sort > unpacked-built.list

mkdir unpacked-official
unzip freenet-1482.jar -d unpacked-official
(cd unpacked-official; find . -type f) | sort > unpacked-official.list

if ! cmp unpacked-official.list unpacked-built.list; then
    echo FAILED TO VERIFY: Different files in official vs built
    echo Files in official but not in built are marked as +
    echo Files in built but not in official are marked with -
    diff -u unpacked-built.list unpacked-official.list
    echo ""
    echo "$failureWarning"
fi

rm -f differences  # clear results left over from an earlier run
while read x; do
    if ! cmp "unpacked-official/$x" "unpacked-built/$x"; then
        if [[ "$x" = "./META-INF/MANIFEST.MF" ]]; then
            echo "Manifest file is different; this is expected."
            echo "Please review the differences:"
            diff "unpacked-official/$x" "unpacked-built/$x"
        else
            echo "File is different: $x"
            echo "$x" >> "differences"
        fi
    fi
done < unpacked-official.list

if [[ -s "differences" ]]; then
    echo VERIFY FAILED: FILES ARE DIFFERENT:
    cat differences
    echo ""
    echo "$failureWarning"
fi
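
The comparison step of the script above, as an added example that is not the verify-build script or any Freenet project code: it reads the two jars directly instead of unpacking them, hashes every entry, reports entries present in only one jar, and treats only the manifest as an expected difference. The make_jar helper builds constructed in-memory jars so the demo can run offline; the file names passed on the command line are assumptions matching the paths used above.

```python
# Added example (not the verify-build script): compare two jars entry by entry
# without unpacking, hashing each entry and expecting only the manifest to differ.
import hashlib
import io
import sys
import zipfile

EXPECTED_DIFFERENCES = frozenset({"META-INF/MANIFEST.MF"})  # build metadata, expected to differ


def entry_digests(jar):
    """Map every file entry in the jar (a path or file object) to its SHA-256."""
    with zipfile.ZipFile(jar) as archive:
        return {info.filename: hashlib.sha256(archive.read(info)).hexdigest()
                for info in archive.infolist() if not info.is_dir()}


def compare_jars(official, built, expected=EXPECTED_DIFFERENCES):
    """Return a report dict; the build verifies only when report['verified'] is True."""
    official_sums, built_sums = entry_digests(official), entry_digests(built)
    common = official_sums.keys() & built_sums.keys()
    changed = sorted(name for name in common if official_sums[name] != built_sums[name])
    report = {
        "only_official": sorted(official_sums.keys() - built_sums.keys()),  # missing from build
        "only_built": sorted(built_sums.keys() - official_sums.keys()),     # added by build
        "differing": [name for name in changed if name not in expected],
        "expected_differing": [name for name in changed if name in expected],
    }
    report["verified"] = not (report["only_official"] or report["only_built"] or report["differing"])
    return report


def make_jar(entries):
    """Constructed in-memory jar from {entry name: bytes}, used for offline demos."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage (assumed paths): python compare_jars.py /tmp/freenet-1482.jar /tmp/freenet-built.jar
    result = compare_jars(sys.argv[1], sys.argv[2])
    for key in ("only_official", "only_built", "differing", "expected_differing"):
        for name in result[key]:
            print(f"{key}: {name}")
    print("VERIFIED" if result["verified"] else "FAILED TO VERIFY")
```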

celebrate!

That’s it. You just verified release 1482 of Freenet. If that code does not shout a huge warning at you, then what I released is actually what is tagged and signed as 1482 in the source.

PS: This is a shorter and somewhat cleaned up version of the verify-build script.

PPS: Yes, there is also a docker solution. I cannot test it right now, though, because my docker does not work. Ask in IRC (#freenet on libera.chat).


  1. Since Java puts timestamps into class files and requires signing of jars, the jar is not byte-by-byte reproducible, but the verify-build script unpacks the jar and compares the class-files, ensuring that they only differ in timestamps and similar that do not affect functionality. 
