You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Matt Corallo 73d8868c8a Use server kernel for Hardy amd64. 10 years ago
bin Use server kernel for Hardy amd64. 10 years ago
doc check if kvm is available and warn if not 10 years ago
libexec Make the timeout a bit longer to accommodate machines under high load. 10 years ago
share remove files that were removed from manifest in new version, add force flag 10 years ago
target-bin properly handle the local host by using IP addresses 10 years ago
.gitignore implement bin/gsign 10 years ago
README.md gverify 10 years ago

README.md

Gitian

Read about the project goals at the “project home page”:https://gitian.org/ .

This package can do a deterministic build of a package inside a VM.

Deterministic build inside a VM

This performs a build inside a VM, with deterministic inputs and outputs. If the build script takes care of all sources of non-determinism (mostly caused by timestamps), the result will always be the same. This allows multiple independent verifiers to sign a binary with the assurance that it really came from the source they reviewed.

Synopsis:

Install prereqs:

sudo apt-get install python-vm-builder qemu-kvm apt-cacher
sudo service apt-cacher start

Create the base VM for use in further builds (requires sudo, please review the script):

bin/make-base-vm

Copy any additional build inputs into a directory named inputs.

Then execute the build using a YAML description file (can be run as non-root):

bin/gbuild <package>.yml

or if you need to specify a commit for one of the git remotes:

bin/gbuild --commit <dir>=<hash> <package>.yml

The resulting report will appear in result/<package>-res.yml

To sign the result, perform:

bin/gsign --signer <signer> --release <release-name> <package>.yml

Where is your signing PGP key ID and is the name for the current release. This will put the result and signature in the sigs//. The sigs/ directory can be managed through git to coordinate multiple signers.

After you’ve merged everybody’s signatures, verify them:

bin/gverify --release <release-name> <package>.yml

Poking around

  • Log files are captured to the var directory
  • You can run the utilities in libexec by running PATH="libexec:$PATH"
  • To start the target VM run start-target 32 lucid-i386 or start-target 64 lucid-amd64
  • To ssh into the target run on-target or on-target -u root
  • On the target, the build directory contains the code as it is compiled and install contains intermediate libraries
  • By convention, the script in <package>.yml starts with any environment setup you would need to manually compile things on the target

TODO:

  • disable sudo in target, just in case of a hypervisor exploit
  • tar and other archive timestamp setter