
Commit bff8bce

burgerdevthomasten
andauthored
docs: how to reproduce released artifacts (#3451)
* ci: test reproducibility with different dependency installation methods * nix: mitigate nix store optimisation * docs: reproducible builds Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * ci: upgrade ubuntu runners for reproducible builds --------- Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
1 parent 9124691 commit bff8bce


6 files changed

+113
-13
lines changed


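--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@@ -1,8 +1,9 @@
 # Verify that Constellation builds are reproducible.
 #
-# The build-* jobs' matrix has two dimensions: a list of targets to build and
-# a list of runners to build on. The produced binaries and OS images are
-# expected to be bit-for-bit identical, regardless of the chosen build runner.
+# The build-* jobs' matrix has three dimensions: a list of targets to build, a
+# list of runners to build on and a method of installing dependencies. The
+# produced binaries and OS images are expected to be bit-for-bit identical,
+# without any dependencies on the runtime setup details.
 #
 # The compare-* jobs only have the target dimension. They obtain the built
 # targets from all runners and check that there are no diffs between them.
@@ -24,19 +25,38 @@ jobs:
 - "cli_enterprise_linux_amd64"
 - "cli_enterprise_linux_arm64"
 - "cli_enterprise_windows_amd64"
-runner: ["ubuntu-22.04", "ubuntu-20.04"]
+runner:
+- "ubuntu-24.04"
+- "ubuntu-22.04"
+deps:
+- conventional
+- eccentric
 env:
 bazel_target: "//cli:${{ matrix.target }}"
-binary: "${{ matrix.target }}-${{ matrix.runner }}"
+binary: "${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
 runs-on: ${{ matrix.runner }}
 steps:
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
 
-- name: Setup bazel
+- name: Setup dependencies
 uses: ./.github/actions/setup_bazel_nix
+if: matrix.deps == 'conventional'
+
+- name: Setup dependencies (eccentric)
+if: matrix.deps == 'eccentric'
+run: |
+version=$(cat .bazelversion)
+mkdir -p "$HOME/.local/bin"
+curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$version/bazel-$version-linux-x86_64"
+chmod a+x "$HOME/.local/bin/bazel"
+echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v0.26.3/nix-installer-x86_64-linux # renovate:github-release
+chmod a+x "$HOME/.local/bin/nix-installer"
+"$HOME/.local/bin/nix-installer" install --no-confirm
 
 - name: Build
 shell: bash
@@ -59,13 +79,13 @@ jobs:
 - name: Upload binary artifact
 uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
-name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
+name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
 path: "${{ env.binary }}"
 
 - name: Upload hash artifact
 uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
 with:
-name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
+name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
 path: "${{ env.binary }}.sha256"
 
 build-osimages:
@@ -77,12 +97,24 @@ jobs:
 - "aws_aws-nitro-tpm_console"
 - "qemu_qemu-vtpm_debug"
 - "gcp_gcp-sev-snp_nightly"
-runner: ["ubuntu-22.04", "ubuntu-20.04"]
+runner: ["ubuntu-24.04", "ubuntu-22.04"]
 env:
 bazel_target: "//image/system:${{ matrix.target }}"
 binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
 runs-on: ${{ matrix.runner }}
 steps:
+- name: Remove security hardening features
+if: matrix.runner == 'ubuntu-24.04'
+shell: bash
+run: |
+# Taken from https://github.com/systemd/mkosi/blob/fcacc94b9f72d9b6b1f03779b0c6e07209ceb54b/action.yaml#L42-L57.
+sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+# This command fails with a non-zero error code even though it unloads the apparmor profiles.
+# https://gitlab.com/apparmor/apparmor/-/issues/403
+sudo aa-teardown || true
+sudo apt-get remove -y apparmor
+
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with: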
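Review bot: The "Setup dependencies (eccentric)" step (new lines 51–59) fetches the Bazel binary and the nix-installer with `curl -fsSL` and executes them with no integrity check, so the job that is supposed to certify reproducible builds is itself seeded by unverified downloads. Bazel publishes a `.sha256` sidecar next to each release asset, and nix-installer is already pinned to v0.26.3, so both downloads can be checked with `sha256sum -c` before `chmod`; the sidecar check only defends against truncation or a tampered mirror, not a compromised origin, and a pinned nix-installer digest has to move together with the version string that the renovate rule added in this commit will bump. A smaller style point: the conventional step puts `if:` after `uses:` while every other step puts `if:` first, so `if: matrix.deps == 'conventional'` directly under `- name: Setup dependencies` keeps the steps uniform. The enclosing job starts and ends outside the shown hunks.
```yaml
        run: |
          # … unchanged: version=$(cat .bazelversion), mkdir -p "$HOME/.local/bin" …
          bazel_url="https://github.com/bazelbuild/bazel/releases/download/$version/bazel-$version-linux-x86_64"
          curl -fsSL -o "$HOME/.local/bin/bazel" "$bazel_url"
          # Bazel publishes a "<sha256>  bazel-<version>-linux-x86_64" sidecar; check it before executing the download.
          expected=$(curl -fsSL "$bazel_url.sha256" | cut -d' ' -f1)
          echo "$expected  $HOME/.local/bin/bazel" | sha256sum -c -
          # … unchanged: chmod a+x bazel, echo … >> "$GITHUB_PATH" …
          curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v0.26.3/nix-installer-x86_64-linux # renovate:github-release
          # Digest of the pinned release (placeholder); must be updated together with the version string above.
          echo "<SHA256_OF_NIX_INSTALLER_v0.26.3>  $HOME/.local/bin/nix-installer" | sha256sum -c -
          # … unchanged: chmod a+x nix-installer, nix-installer install --no-confirm …
```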
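--- /dev/null
+++ b/<DOC_PATH_NOT_SHOWN_ON_PAGE>
@@ -0,0 +1,63 @@
+# Reproduce released artifacts
+
+Constellation has first-class support for [reproducible builds](https://reproducible-builds.org).
+Reproducing the released artifacts is an alternative to [signature verification](verify-cli.md) that doesn't require trusting Edgeless Systems' release process.
+The following sections describe how to rebuild an artifact and how Constellation ensures that the rebuild reproduces the artifacts bit-by-bit.
+
+## Build environment prerequisites
+
+The build systems used by Constellation - [Bazel](https://bazel.build/) and [Nix](https://nixos.org) - are designed for deterministic, reproducible builds.
+These two dependencies should be the only prerequisites for a successful build.
+However, it can't be ruled out completely that peculiarities of the host affect the build result.
+Thus, we recommend the following host setup for best results:
+
+1. A Linux operating system not older than v5.4.
+2. The GNU C library not older than v2.31 (avoid `musl`).
+3. GNU `coreutils` not older than v8.30 (avoid `busybox`).
+4. An `ext4` filesystem for building.
+5. AppArmor turned off.
+
+This is given, for example, on an Ubuntu 22.04 system, which is also used for reproducibility tests.
+
+:::note
+
+To avoid any backwards-compatibility issues, the host software versions should also not be much newer than the Constellation release.
+
+:::
+
+## Run the build
+
+The following instructions outline qualitatively how to reproduce a build.
+Constellation implements these instructions in the [Reproducible Builds workflow](https://github.com/edgelesssys/constellation/actions/workflows/reproducible-builds.yml), which continuously tests for reproducibility.
+The workflow is a good place to look up specific version numbers and build steps.
+
+1. Check out the Constellation repository at the tag corresponding to the release.
+
+```bash
+git clone https://github.com/edgelesssys/constellation.git
+cd constellation
+git checkout v2.20.0
+```
+
+2. [Install the Bazel release](https://bazel.build/install) specified in `.bazelversion`.
+3. [Install Nix](https://nixos.org/download/) (any recent version should do).
+4. Run the build with `bazel build $target` for one of the following targets of interest:
+
+```data
+//cli:cli_enterprise_darwin_amd64
+//cli:cli_enterprise_darwin_arm64
+//cli:cli_enterprise_linux_amd64
+//cli:cli_enterprise_linux_arm64
+//cli:cli_enterprise_windows_amd64
+```
+
+5. Compare the build result with the downloaded release artifact.
+
+<!-- TODO(burgerdev): document reproducing images -->
+
+## Feedback
+
+Reproduction failures often indicate a bug in the build system or in the build definitions.
+Therefore, we're interested in any reproducibility issues you might encounter.
+[Start a bug report](https://github.com/edgelesssys/constellation/issues/new/choose) and describe the details of your build environment.
+Make sure to include your result binary or a [`diffoscope`](https://diffoscope.org/) report, if possible.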

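--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -220,6 +220,11 @@ const sidebars = {
 label: 'Consume SBOMs',
 id: 'workflows/sbom',
 },
+{
+type: 'doc',
+label: 'Reproduce release artifacts',
+id: 'workflows/reproducible-builds',
+},
 {
 type: 'doc',
 label: 'Troubleshooting',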

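--- a/nix/cc/cryptsetup.nix
+++ b/nix/cc/cryptsetup.nix
@@ -11,7 +11,7 @@ pkgs.symlinkJoin {
 paths = packages;
 buildInputs = packages;
 postBuild = ''
-tar -cf $out/closure.tar --mtime="@$SOURCE_DATE_EPOCH" --sort=name ${closure}
+tar -cf $out/closure.tar --mtime="@$SOURCE_DATE_EPOCH" --sort=name --hard-dereference ${closure}
 echo "${rpath}" > $out/rpath
 cp ${cc}/nix-support/dynamic-linker $out/dynamic-linker
 '';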
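Review bot: The reason for `--hard-dereference` on the tar call is not recorded next to the flag, and the identical line in nix/cc/libvirt.nix has the same gap; the commit message attributes it to Nix store optimisation, which hard-links identical store files, so without the flag tar emits hard-link entries and the closure tarball differs between optimised and unoptimised stores. A comment on the line above would keep the flag from being dropped later as a no-op, e.g. `# --hard-dereference: store optimisation hard-links identical files; archive them as regular files so the tarball is host-independent.` Beyond that, the archive still records whatever uid/gid and user names the build user has, which can differ between Nix daemons configured differently; `--owner=0 --group=0 --numeric-owner` would remove that variable as well, though I cannot tell from this page whether that metadata reaches the compared artifact. The `postBuild` script is shown in full; the enclosing `symlinkJoin` attribute set starts before the hunk.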

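--- a/nix/cc/libvirt.nix
+++ b/nix/cc/libvirt.nix
@@ -11,7 +11,7 @@ pkgs.symlinkJoin {
 paths = packages;
 buildInputs = packages;
 postBuild = ''
-tar -cf $out/closure.tar --mtime="@$SOURCE_DATE_EPOCH" --sort=name ${closure}
+tar -cf $out/closure.tar --mtime="@$SOURCE_DATE_EPOCH" --sort=name --hard-dereference ${closure}
 tar --transform 's+^./+bin/+' -cf $out/bin-linktree.tar --mtime="@$SOURCE_DATE_EPOCH" --sort=name -C $out/bin .
 echo "${rpath}" > $out/rpath
 cp ${cc}/nix-support/dynamic-linker $out/dynamic-linker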

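--- a/renovate.json5
+++ b/renovate.json5
@@ -246,12 +246,12 @@
 "datasourceTemplate": "github-releases",
 },
 {
-"fileMatch": ["(^|\\/)versions.go$"],
+"fileMatch": ["(^|\\/)versions.go$", "[.]github\\/(actions|workflows)\\/.*[.]ya?ml"],
 "matchStrings": [
 // Match github releases.
 // example match:' "https://github.com/foo/bar/releases/download/v1.2.3/foo.bin" // renovate:github-release'
 // (foo/bar -> depName, v1.2.3 -> currentValue)
-" \"https:\\/\\/github\\.com\\/(?<depName>[^\\/\\s\"]+\\/[^\\/\\s\"]+)\\/releases\\/download\\/(?<currentValue>[^\\/\\s\"]+)\\/[^\"]+\"[^\\n]+\\/\\/ renovate:github-release",
+"https:\\/\\/github\\.com\\/(?<depName>[^\\/\\s\"]+\\/[^\\/\\s\"]+)\\/releases\\/download\\/(?<currentValue>[^\\/\\s\"]+).*renovate:github-release",
 ],
 "datasourceTemplate": "github-releases",
 },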
