[signalapp/Signal-Desktop#6989] Improve instructions for reproducible builds

Co-authored-by: ayumi-signal <143036029+ayumi-signal@users.noreply.github.com> Co-authored-by: hackerbirds <120066692+hackerbirds@users.noreply.github.com>
2024-08-21 14:36:42 -05:00 · 2024-08-21 14:36:42 -05:00 · 9c637b8e36
commit 9c637b8e36
parent c4e87a56cf
1 changed files with 42 additions and 19 deletions
--- a/reproducible-builds/README.md
+++ b/reproducible-builds/README.md
@ -17,9 +17,9 @@ Reproducible builds for macOS and Windows are not available yet.

 ### Experimental notice

-We are in the process of rolling out and verifying reproducible builds. As such, reproducibility is still
-experimental and may not work on public releases yet. If you notice any inconsistencies then please file an issue [on the Github Issues page](https://github.com/signalapp/Signal-Desktop/issues).
-Thanks for your patience while we set it up!
+> [!IMPORTANT]
+> We are in the process of rolling out and verifying reproducible builds. As such, reproducibility is still
+> experimental and may not work on public releases yet. If you notice any inconsistencies then please file an issue [on the Github Issues page](https://github.com/signalapp/Signal-Desktop/issues). Thanks for your patience while we set it up!

 ### Pre-requisites

@ -33,16 +33,21 @@ First, grab the source code by using `git`:

 ```bash
 $ git clone https://github.com/signalapp/Signal-Desktop.git
+$ cd Signal-Desktop/
 ```

-This will download Signal Desktop's source code under the `Signal-Desktop` directory. Once the download is complete, go inside the directory and make sure you are on the branch used in official builds. For instance, if you are trying to build `7.18.0`, then do:
+This will download Signal Desktop's source code under the `Signal-Desktop` directory.
+
+Now, select the version/branch you would like to verify. For instance, if you are trying to build `7.18.0`, then do:

 ```bash
-$ cd Signal-Desktop/
-$ git checkout tags/7.18.0
+$ git checkout tags/v7.18.0
 ```

-You are now on the version of the source code used for `7.18.0`. Then, make sure your shell is in the `reproducible-builds` directory:
+> [!NOTE]
+> This guide uses `v7.18.0` as the placeholder version. You may want to change this version to the most recent one. All the versions are available here: https://github.com/signalapp/Signal-Desktop/tags. Older versions may however not be reproducible.
+
+At this point we are now on the branch of the source code used to build version `v7.18.0`. Before continuing, make sure your shell is in the `reproducible-builds` directory:

 ```bash
 $ cd reproducible-builds/
@ -50,40 +55,58 @@ $ pwd
 [...]/Signal-Desktop/reproducible-builds
 ```

-The last step is to run the `./build.sh` script, passing the "public" arg because you are verifying
-a public production or beta build.
-(If your user is not in Docker's `docker` group, then you may need to run the script as `sudo`).
+The last step is to run the `./build.sh` script, passing the `public` arg because you are verifying a public production or beta build.
+
+> [!NOTE]
+> If your user is not in Docker's `docker` group, then you may need to run the script as `sudo`.

 ```bash
 $ chmod +x ./build.sh public
 $ ./build.sh public
 ```

-This bash script will do two things. First, it will create the Docker container where Signal Desktop will be built. Second, it will build Signal Desktop inside the container.
+This bash script will create the Docker container where Signal Desktop will be built, then download the required dependencies and start the build inside the container.

-When the build is completed, the resulting file will be available at `Signal-Desktop/release/signal-desktop_7.18.0_amd64.deb`.
+After the build is completed, the resulting file will be available in the `Signal-Desktop/release` folder. In our case, the file is named `signal-desktop_7.18.0_amd64.deb`.

-### Verify the official build
+### Verifying the build

-If you have followed the official Linux instructions to install Signal Desktop at https://signal.org/download/, then you will have `signal-desktop` available in your `apt` repositories. You can then simply grab the official build by typing:
+#### Downloading the official release
+
+> [!NOTE]
+> For this step you will require a distro using the `apt` package manager, such as Debian, Ubuntu, Linux Mint, etc.
+
+If you have followed the official Linux instructions to install Signal Desktop at https://signal.org/download/, then you will have the `signal-desktop` app available in your `apt` repositories. You can then simply grab the latest release build by typing:

 ```bash
 $ apt download signal-desktop
 ```

-This will automatically download the official `.deb` package.
+This will automatically download the `.deb` package into the shell's working directory.

-To verify the official `.deb` package against your build, make sure that your version is the same as the official version, for example version `7.18.0`. Then, compare the checksums and make sure they are identical. If they are identical, then the two builds are exactly the same, and you have successfully reproduced Signal Desktop.
+> [!TIP]
+> If you would like to download the latest beta version instead of the release version, then use `signal-desktop-beta` instead.

-(Note: do not compare with the checksums given below! They only serve as a visual example of what the output would look like)
+#### Comparing your build against the official build
+
+To verify the official `.deb` package against your build, make sure that your version is the same as the official version, and use `sha256sum` on both files to calculate the SHA-256 digest. Then compare/verify the output and verify that they match.
+
+If the checksums from the official build and your own build match, then the two builds are exactly the same, and you have successfully reproduced Signal Desktop!
+
+> [!TIP]
+> Make sure your build is on the same version as the official build, otherwise they will not have the same checksum.
+
+> [!WARNING]
+> Do not compare your output against the checksums given below! They only serve as a visual example of what the output would look like. Yours will look different!

 ```bash
-$ sha256sum signal-desktop_7.18.0_amd64-OUR_BUILD.deb signal-desktop_7.18.0_amd64_OFFICIAL_BUILD.deb
+$ sha256sum ../release/signal-desktop_7.18.0_amd64-OUR_BUILD.deb signal-desktop_7.18.0_amd64_OFFICIAL_BUILD.deb

-0df3d06f74c6855559ef079b368326ca18e144a28ede559fd76648a62ec3eed7  signal-desktop_7.18.0_amd64-OUR_BUILD.deb
+0df3d06f74c6855559ef079b368326ca18e144a28ede559fd76648a62ec3eed7  ../release/signal-desktop_7.18.0_amd64-OUR_BUILD.deb
 0df3d06f74c6855559ef079b368326ca18e144a28ede559fd76648a62ec3eed7  signal-desktop_7.18.0_amd64_OFFICIAL_BUILD.deb
 ```

 ### What to do if the checksums don't match

+- Double check you have followed the instructions correctly and are comparing the right versions.
 - File an issue [on the Github Issues page](https://github.com/signalapp/Signal-Desktop/issues).