From 9c637b8e36948f0fa980ae3e48cffafa39b41c00 Mon Sep 17 00:00:00 2001 From: automated-signal <37887102+automated-signal@users.noreply.github.com> Date: Wed, 21 Aug 2024 14:36:42 -0500 Subject: [PATCH] [signalapp/Signal-Desktop#6989] Improve instructions for reproducible builds Co-authored-by: ayumi-signal <143036029+ayumi-signal@users.noreply.github.com> Co-authored-by: hackerbirds <120066692+hackerbirds@users.noreply.github.com> --- reproducible-builds/README.md | 61 ++++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 19 deletions(-) diff --git a/reproducible-builds/README.md b/reproducible-builds/README.md index 57c06dcaf3b..d30052a6435 100644 --- a/reproducible-builds/README.md +++ b/reproducible-builds/README.md @@ -17,9 +17,9 @@ Reproducible builds for macOS and Windows are not available yet. ### Experimental notice -We are in the process of rolling out and verifying reproducible builds. As such, reproducibility is still -experimental and may not work on public releases yet. If you notice any inconsistencies then please file an issue [on the Github Issues page](https://github.com/signalapp/Signal-Desktop/issues). -Thanks for your patience while we set it up! +> [!IMPORTANT] +> We are in the process of rolling out and verifying reproducible builds. As such, reproducibility is still +> experimental and may not work on public releases yet. If you notice any inconsistencies then please file an issue [on the Github Issues page](https://github.com/signalapp/Signal-Desktop/issues). Thanks for your patience while we set it up! ### Pre-requisites @@ -33,16 +33,21 @@ First, grab the source code by using `git`: ```bash $ git clone https://github.com/signalapp/Signal-Desktop.git +$ cd Signal-Desktop/ ``` -This will download Signal Desktop's source code under the `Signal-Desktop` directory. Once the download is complete, go inside the directory and make sure you are on the branch used in official builds. For instance, if you are trying to build `7.18.0`, then do: +This will download Signal Desktop's source code under the `Signal-Desktop` directory. + +Now, select the version/branch you would like to verify. For instance, if you are trying to build `7.18.0`, then do: ```bash -$ cd Signal-Desktop/ -$ git checkout tags/7.18.0 +$ git checkout tags/v7.18.0 ``` -You are now on the version of the source code used for `7.18.0`. Then, make sure your shell is in the `reproducible-builds` directory: +> [!NOTE] +> This guide uses `v7.18.0` as the placeholder version. You may want to change this version to the most recent one. All the versions are available here: https://github.com/signalapp/Signal-Desktop/tags. Older versions may however not be reproducible. + +At this point we are now on the branch of the source code used to build version `v7.18.0`. Before continuing, make sure your shell is in the `reproducible-builds` directory: ```bash $ cd reproducible-builds/ @@ -50,40 +55,58 @@ $ pwd [...]/Signal-Desktop/reproducible-builds ``` -The last step is to run the `./build.sh` script, passing the "public" arg because you are verifying -a public production or beta build. -(If your user is not in Docker's `docker` group, then you may need to run the script as `sudo`). +The last step is to run the `./build.sh` script, passing the `public` arg because you are verifying a public production or beta build. + +> [!NOTE] +> If your user is not in Docker's `docker` group, then you may need to run the script as `sudo`. ```bash $ chmod +x ./build.sh public $ ./build.sh public ``` -This bash script will do two things. First, it will create the Docker container where Signal Desktop will be built. Second, it will build Signal Desktop inside the container. +This bash script will create the Docker container where Signal Desktop will be built, then download the required dependencies and start the build inside the container. -When the build is completed, the resulting file will be available at `Signal-Desktop/release/signal-desktop_7.18.0_amd64.deb`. +After the build is completed, the resulting file will be available in the `Signal-Desktop/release` folder. In our case, the file is named `signal-desktop_7.18.0_amd64.deb`. -### Verify the official build +### Verifying the build -If you have followed the official Linux instructions to install Signal Desktop at https://signal.org/download/, then you will have `signal-desktop` available in your `apt` repositories. You can then simply grab the official build by typing: +#### Downloading the official release + +> [!NOTE] +> For this step you will require a distro using the `apt` package manager, such as Debian, Ubuntu, Linux Mint, etc. + +If you have followed the official Linux instructions to install Signal Desktop at https://signal.org/download/, then you will have the `signal-desktop` app available in your `apt` repositories. You can then simply grab the latest release build by typing: ```bash $ apt download signal-desktop ``` -This will automatically download the official `.deb` package. +This will automatically download the `.deb` package into the shell's working directory. -To verify the official `.deb` package against your build, make sure that your version is the same as the official version, for example version `7.18.0`. Then, compare the checksums and make sure they are identical. If they are identical, then the two builds are exactly the same, and you have successfully reproduced Signal Desktop. +> [!TIP] +> If you would like to download the latest beta version instead of the release version, then use `signal-desktop-beta` instead. -(Note: do not compare with the checksums given below! They only serve as a visual example of what the output would look like) +#### Comparing your build against the official build + +To verify the official `.deb` package against your build, make sure that your version is the same as the official version, and use `sha256sum` on both files to calculate the SHA-256 digest. Then compare/verify the output and verify that they match. + +If the checksums from the official build and your own build match, then the two builds are exactly the same, and you have successfully reproduced Signal Desktop! + +> [!TIP] +> Make sure your build is on the same version as the official build, otherwise they will not have the same checksum. + +> [!WARNING] +> Do not compare your output against the checksums given below! They only serve as a visual example of what the output would look like. Yours will look different! ```bash -$ sha256sum signal-desktop_7.18.0_amd64-OUR_BUILD.deb signal-desktop_7.18.0_amd64_OFFICIAL_BUILD.deb +$ sha256sum ../release/signal-desktop_7.18.0_amd64-OUR_BUILD.deb signal-desktop_7.18.0_amd64_OFFICIAL_BUILD.deb -0df3d06f74c6855559ef079b368326ca18e144a28ede559fd76648a62ec3eed7 signal-desktop_7.18.0_amd64-OUR_BUILD.deb +0df3d06f74c6855559ef079b368326ca18e144a28ede559fd76648a62ec3eed7 ../release/signal-desktop_7.18.0_amd64-OUR_BUILD.deb 0df3d06f74c6855559ef079b368326ca18e144a28ede559fd76648a62ec3eed7 signal-desktop_7.18.0_amd64_OFFICIAL_BUILD.deb ``` ### What to do if the checksums don't match +- Double check you have followed the instructions correctly and are comparing the right versions. - File an issue [on the Github Issues page](https://github.com/signalapp/Signal-Desktop/issues).