You might know the reproducible-builds [1] project, which tries to allow users to verify that what they install actually corresponds to the released source. Or GNU Guix [2], which provides transparent reproducible binaries — along with a challenge-function.
Given that Freenet [3] is made for people with high expectations for integrity, it might not surprise you that Freenet has been providing a verifyable1 build and a verification script since 2012. However until release 1481, it was a hassle to set up, and few people used it.
But now that we’re on gradle, verifying that what I release is actually what’s tagged in the source is much easier than before.
The following instructions are for GNU/Linux, and maybe other *nixes, allowing you to verify the test release of 1482. You can easily adapt them for future releases.
Firstoff: to verify 1482 you NEED Java 7 - in general you need the Java version I release with. I hope that starting with 1483 it will be Java 8.
Update 2022: Now it’s Java 8.
Start by downloading the jar: SSK@…/jar-1482 [4] (needs a running Freenet)
Copy it to /tmp/freenet-1482.jar
Then run the following:
failureWarning="FAILED TO VERIFY.
If you determine that this failure is not due to build environent differences,
then the source files used to build the published version of Freenet are
different from the published source files. The build has been compromised.
Take care to only run version of Freenet with published, reviewable source code,
as compromised versions of Freenet could easily contain back doors."
cd /tmp/
git clone git@github.com:freenet/fred.git
cd fred
git checkout build01482
./gradlew jar
mv build/libs/freenet.jar ../freenet-built.jar
cd ..
mkdir unpacked-built
unzip freenet-built.jar -d unpacked-built
(cd unpacked-built; find -type f) | sort > unpacked-built.list
mkdir unpacked-official
unzip freenet-1482.jar -d unpacked-official
(cd unpacked-official; find -type f) | sort > unpacked-official.list
if ! cmp unpacked-official.list unpacked-built.list; then
echo FAILED TO VERIFY: Different files in official vs built
echo Files in official but not in built are marked as +
echo Files in built but not in official are marked with -
diff -u unpacked-built.list unpacked-official.list
echo ""
echo "$failureWarning"
fi
while read x; do
if ! cmp "unpacked-official/$x" "unpacked-built/$x"; then
if [[ "$x" = "./META-INF/MANIFEST.MF" ]]; then
echo "Manifest file is different; this is expected."
echo "Please review the differences:"
diff "unpacked-official/$x" "unpacked-built/$x"
else
echo "File is different: $x"
echo "$x" >> "differences"
fi
fi
done < unpacked-official.list
if [[ -s "differences" ]]; then
echo VERIFY FAILED: FILES ARE DIFFERENT:
cat differences
echo ""
echo "$failureWarning"
fi
That’s it. You just verified release 1482 of Freenet. If that code does not shout a huge warning at you, then what I released is actually what is tagged and signed as 1482 in the source.
PS: This is a shorter and somewhat cleaned up version of the verify-build script [5].
PPS: Yes, there is also a docker solution. I cannot test it right now, though, because my docker does not work. Ask in IRC (#freenet on libera.chat [6]).
Since Java puts timestamps into class files and requires signing of jars, the jar is not byte-by-byte reproducible, but the verify-build script unpacks the jar and compares the class-files, ensuring that they only differ in timestamps and similar that do not affect functionality. ↩
Links:
[1] https://reproducible-builds.org/
[2] http://gnu.org/s/guix
[3] https://freenetproject.org
[4] http://127.0.0.1:8888/SSK@dLxKiIFKlfhgdgkYNlHoGoSO~KWRYPTkdbWfznZyatg,OwghtrmoY5Mj~1pfUHbo308FHZyTVwXfEXNX5C2EKT8,AQACAAE/jar-1482
[5] https://github.com/freenet/scripts/blob/master/verify-build#L169
[6] https://web.libera.chat/?nick=FollowTheRabbit|?#freenet