Reproducible build of Freenet do-it-yourself: verify-build demystified

You might know the Reproducible Builds project, which works to let users verify that what they install actually corresponds to the released source. Or GNU Guix, which provides transparently reproducible binaries along with guix challenge, a command that compares the binaries a substitute server offers against what you build locally.

Given that Freenet is made for people with high expectations for integrity, it might not surprise you that Freenet has been providing a reproducible build and a verification script since 2012. However until release 1481, it was a hassle to set up, and few people used it.

But now that we’re on Gradle, verifying that what I release is actually what’s tagged in the source is much easier than before.

The following instructions are for GNU/Linux, and probably other *nixes, and let you verify the test release of 1482. You can easily adapt them for future releases.

preparation

First off: to verify 1482 you NEED Java 7. In general you need the Java version I release with, because a different compiler version can produce different class files, and then the comparison below fails for reasons that have nothing to do with the source. I hope that starting with 1483 it will be Java 8.

get the release

Start by downloading the jar: SSK@…/jar-1482 (needs a running Freenet)

Copy it to /tmp/freenet-1482.jar

verify it

Then run the following:

failureWarning="FAILED TO VERIFY.
If you determine that this failure is not due to build environment differences,
then the source files used to build the published version of Freenet are
different from the published source files. The build has been compromised.
Take care to only run versions of Freenet with published, reviewable source code,
as compromised versions of Freenet could easily contain back doors."

cd /tmp/
# use https://github.com/freenet/fred.git instead if you have no SSH key registered with GitHub
git clone git@github.com:freenet/fred.git
cd fred
git checkout build01482
# optional: also check the tag's signature (needs the release signing key in your GPG keyring)
git tag -v build01482
./gradlew jar
mv build/libs/freenet.jar ../freenet-built.jar
cd ..

mkdir unpacked-built
unzip freenet-built.jar -d unpacked-built
(cd unpacked-built; find . -type f) | sort > unpacked-built.list

mkdir unpacked-official
unzip freenet-1482.jar -d unpacked-official
(cd unpacked-official; find . -type f) | sort > unpacked-official.list

if ! cmp unpacked-official.list unpacked-built.list; then
    echo FAILED TO VERIFY: Different files in official vs built
    echo Files in official but not in built are marked with +
    echo Files in built but not in official are marked with -
    diff -u unpacked-built.list unpacked-official.list
    echo ""
    echo "$failureWarning"
fi

# start from a clean list; a stale one from an earlier run would cause a false alarm
rm -f differences
while read -r x; do
    if ! cmp "unpacked-official/$x" "unpacked-built/$x"; then
        if [[ "$x" = "./META-INF/MANIFEST.MF" ]]; then
            # the manifest records build-environment details, so it is allowed to differ
            echo "Manifest file is different; this is expected."
            echo "Please review the differences:"
            diff "unpacked-official/$x" "unpacked-built/$x"
        else
            echo "File is different: $x"
            echo "$x" >> "differences"
        fi
    fi
done < unpacked-official.list

if [[ -s "differences" ]]; then
    echo VERIFY FAILED: FILES ARE DIFFERENT:
    cat differences
    echo ""
    echo "$failureWarning"
fi
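If you would rather not unpack both jars into the filesystem, the same comparison can be done directly on the two archives. The following is an added example, not Freenet's verify-build script: it reads every entry of both jars, reports files that exist in only one of them and files whose bytes differ (with their SHA-256 digests), and, for the manifest that the script above expects to differ, shows exactly which attributes changed instead of a raw diff. The two sample jars at the bottom are constructed in memory so the module runs offline; the manifest attributes and class names in them are made up and are not taken from a real Freenet build.

```python
"""Compare an official jar against a locally built one, entry by entry.

Added example; not part of Freenet's verify-build tooling.
"""
import hashlib
import io
import sys
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def jar_entries(jar_bytes):
    """Return {entry name: content bytes} for every file entry; directory entries are skipped."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist() if not info.is_dir()}


def parse_manifest(data):
    """Parse the main section of a MANIFEST.MF into a dict.

    Lines are 'Name: value'; a line starting with a single space continues the
    previous value; an empty line ends the main section.
    """
    attrs, key = {}, None
    for line in data.decode("utf-8").splitlines():
        if not line:
            break
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]
            continue
        key, _, value = line.partition(":")
        attrs[key] = value[1:] if value.startswith(" ") else value
    return attrs


def compare_jars(official_bytes, built_bytes):
    """Return a report dict; report['verified'] is True only when every file is
    present in both jars and byte-identical, the manifest excepted."""
    official, built = jar_entries(official_bytes), jar_entries(built_bytes)
    common = official.keys() & built.keys()
    report = {
        "only_in_official": sorted(official.keys() - built.keys()),
        "only_in_built": sorted(built.keys() - official.keys()),
        # files present in both whose bytes differ, with the two SHA-256 digests
        "different": {
            name: (hashlib.sha256(official[name]).hexdigest(),
                   hashlib.sha256(built[name]).hexdigest())
            for name in sorted(common)
            if name != MANIFEST and official[name] != built[name]
        },
        "manifest_diff": {},
    }
    if MANIFEST in common and official[MANIFEST] != built[MANIFEST]:
        off_attrs, blt_attrs = parse_manifest(official[MANIFEST]), parse_manifest(built[MANIFEST])
        report["manifest_diff"] = {
            key: (off_attrs.get(key), blt_attrs.get(key))
            for key in sorted(off_attrs.keys() | blt_attrs.keys())
            if off_attrs.get(key) != blt_attrs.get(key)
        }
    report["verified"] = not (report["only_in_official"] or report["only_in_built"] or report["different"])
    return report


def make_jar(files):
    """Build an in-memory jar from {name: bytes}; used only for the constructed demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(files.items()):
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars (not real Freenet builds). Class contents are stand-ins.
_CLASSES = {
    "freenet/node/Node.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x33 Node bytecode stand-in",
    "freenet/l10n/freenet.l10n.en.properties": b"Node.title=Freenet node\n",
}
OFFICIAL_JAR = make_jar({**_CLASSES, MANIFEST: b"Manifest-Version: 1.0\r\n"
                         b"Created-By: 1.7.0_80 (Oracle Corporation)\r\nMain-Class: freenet.node.NodeStarter\r\n\r\n"})
# Same classes, manifest written by a different JDK: the expected, harmless difference.
GOOD_BUILD_JAR = make_jar({**_CLASSES, MANIFEST: b"Manifest-Version: 1.0\r\n"
                           b"Created-By: 1.7.0_95 (Oracle Corporation)\r\nMain-Class: freenet.node.NodeStarter\r\n\r\n"})
# A changed class and an extra class: this must not verify.
BAD_BUILD_JAR = make_jar({**_CLASSES, MANIFEST: b"Manifest-Version: 1.0\r\n"
                          b"Created-By: 1.7.0_95 (Oracle Corporation)\r\nMain-Class: freenet.node.NodeStarter\r\n\r\n",
                          "freenet/node/Node.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x33 something else",
                          "freenet/node/Extra.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x33 extra"})

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. /tmp/freenet-1482.jar /tmp/freenet-built.jar
        with open(sys.argv[1], "rb") as f_off, open(sys.argv[2], "rb") as f_blt:
            report = compare_jars(f_off.read(), f_blt.read())
    else:
        report = compare_jars(OFFICIAL_JAR, BAD_BUILD_JAR)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(0 if report["verified"] else 1)
```

Run it with the two jar paths as arguments and check the exit status; without arguments it compares the constructed jars and fails, as it should. Treating the manifest specially is a deliberate choice: it is the only entry that legitimately carries build-environment data, so it is excluded from the verdict but its attribute changes are still printed for you to review.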

celebrate!

That’s it. You just verified release 1482 of Freenet. If that code does not shout a huge warning at you, then what I released is actually what is tagged and signed as 1482 in the source.

PS: This is a shorter and somewhat cleaned up version of the verify-build script.

PPS: Yes, there is also a docker solution. I cannot test it right now, though, because my docker does not work. Ask in IRC (#freenet on chat.freenode.net).

((λ()'Dr.ArneBab))