|
| 1 | + |
| 2 | +Reproducing a tagged seedkit build |
| 3 | +================================== |
| 4 | + |
| 5 | +Seedkit uses [reproducible builds](https://reproducible-builds.org/), |
| 6 | +which allows users to personally reproduce an identical binary from |
| 7 | +given source files. |
| 8 | + |
| 9 | +This allows technical users who have reviewed a certain set of source |
| 10 | +code to build local binaries and tar files directly from that source |
| 11 | +code, and to verify that they are bit-for-bit identical with the published |
| 12 | +versions. |
| 13 | + |
| 14 | +This procedure does NOT need to be done on an air-gapped live system |
| 15 | +like [Tails](https://tails.net/) - you can build and verify the build |
| 16 | +artifacts on any system, and then confirm that the binary you are using |
| 17 | +later on your secure system is identical. |
| 18 | + |
| 19 | + |
| 20 | +Dependencies |
| 21 | +------------ |
| 22 | + |
| 23 | +* Go: seedkit is written in Go, and a reproducible build requires the |
| 24 | + same version of Go as was used for the build, which is currently |
| 25 | + Go 1.22 (try `go version` to see if you have one already installed). |
| 26 | + |
| 27 | + If not, install the latest release of that version (e.g. 1.22.5, |
| 28 | + using the official [Go installation instructions](https://golang.org/doc/install). |
| 29 | + |
| 30 | + |
| 31 | +* Goreleaser - seedkit uses [goreleaser](https://goreleaser.com) to |
| 32 | + build the seedkit releases, and this provides a convenient way to |
| 33 | + produce an identical build process. |
| 34 | + |
| 35 | + Install |
| 36 | + |
| 37 | + ```bash |
| 38 | + go get -u github.com/goreleaser/goreleaser |
| 39 | + ``` |
| 40 | + |
| 41 | +* A unix-like shell environment - this recipe should work directly on |
| 42 | + Linux and Mac, but on Windows will probably require a Windows |
| 43 | + Subsystem for Linux (WSL) environment. |
| 44 | + |
| 45 | + Install using the official [WSL installation instructions](https://docs.microsoft.com/en-us/windows/wsl/install). |
| 46 | + |
| 47 | + |
| 48 | +Recipe |
| 49 | +------ |
| 50 | + |
| 51 | +* Check [the latest seedkit release](https://github.com/gavincarr/seedkit/releases/latest) |
| 52 | + in your browser and download the tar (or zip) file you are wanting to |
| 53 | + verify against. If you are wanting to verify a binary for use on Tails, |
| 54 | + you will want the Linux tar file that matches the architecture of the |
| 55 | + machine you will be using (probably x86_64 unless you're on a Mac or |
| 56 | + Raspberry Pi - check with `uname -m`). |
| 57 | + |
| 58 | +* Then in a shell enviromment, do: |
| 59 | + |
| 60 | +```bash |
| 61 | +# Set VTAG and TAG variables for the seedkit release you want to reproduce |
| 62 | +VTAG=v0.1.7 |
| 63 | +TAG=${VTAG#v} |
| 64 | + |
| 65 | +# Clone the seedkit repository for that tag |
| 66 | +git clone --depth 1 --branch $VTAG https://github.com/gavincarr/seedkit |
| 67 | +# (ignore the warnings about being in `detached HEAD` state) |
| 68 | + |
| 69 | +# Change to the seedkit directory |
| 70 | +cd seedkit |
| 71 | + |
| 72 | +# Use goreleaser to do a local build |
| 73 | +goreleaser --skip=publish,sign --clean |
| 74 | + |
| 75 | +# Calculate the sha256 checksum of the Linux tarfiles |
| 76 | +sha256sum dist/seedkit_Linux_x86_64.tar.gz |
| 77 | +sha256sum dist/seedkit_Linux_arm64.tar.gz |
| 78 | +``` |
| 79 | + |
| 80 | +* Verify the checksums against the ones from the corresponding seedkit |
| 81 | + release page. If they match, you have verified that those tar files |
| 82 | + have been built from the source code you cloned, and that reviews of |
| 83 | + that source code are trustworthy for the binaries in those tar files. |
| 84 | + |
| 85 | + |
| 86 | +* If you are using Tails, you can now download the tar file you verified |
| 87 | + from the seedkit releases page and set it up for use on Tails (or put |
| 88 | + the tar file you build on a webserver somewhere where Tails can access |
| 89 | + it). |
| 90 | + |
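Review bot: the goreleaser install step on line 38, `go get -u github.com/goreleaser/goreleaser`, will not produce a binary with the Go 1.22 toolchain this document requires: `go get` stopped installing executables in Go 1.17 and, run outside a module as the recipe implies, it errors out; `-u` would also pull whatever goreleaser is current rather than the version used for the tagged release, which defeats the reproducibility goal. Suggest `go install github.com/goreleaser/goreleaser/v2@<version>` with the version pinned to the one used to cut the release. Related point on lines 23-28: the text says "the same version of Go as was used for the build" but then tells the reader to install "the latest release of that version (e.g. 1.22.5"; the toolchain version string is embedded in every Go binary, so a different patch release (1.22.6 vs 1.22.5) will not be bit-for-bit identical to the published tarball. State the exact `go version` output for the tag instead, and close the missing parenthesis. Smaller items: line 58 has a typo ("enviromment"), and the manual hash comparison on lines 80-83 could use `sha256sum -c` against the `checksums.txt` that goreleaser generates, provided that file is uploaded with the release, so a mismatch is a non-zero exit rather than something read by eye.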