Matt Corallo ae82fbad45 Add support for names with spaces in them and automatically pull keys first. 10 years ago


Read about the project goals at the project home page.

This package can do a deterministic build of a package inside a VM.

Deterministic build inside a VM

This performs a build inside a VM, with deterministic inputs and outputs. If the build script takes care of all sources of non-determinism (mostly caused by timestamps), the result will always be the same. This allows multiple independent verifiers to sign a binary with the assurance that it really came from the source they reviewed.
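The timestamp problem described above, shown as an added example that is not part of gitian-builder: it packs a directory so that the archive bytes depend only on relative paths, executable bits and file contents. The names `deterministic_tar`, `_normalize` and `demo` and the sample files are constructed for illustration.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def _normalize(info):
    """Strip per-builder metadata from a tar header."""
    info.mtime = 0                      # timestamp of the build machine
    info.uid = info.gid = 0             # identity of the building user
    info.uname = info.gname = ""
    executable = info.isdir() or info.mode & 0o100
    info.mode = 0o755 if executable else 0o644   # independent of umask
    return info


def deterministic_tar(src_dir):
    """Return tar bytes that depend only on relative paths, exec bits and contents."""
    paths = []
    for root, dirs, files in os.walk(src_dir):
        paths += [os.path.join(root, name) for name in dirs + files]
    buf = io.BytesIO()
    # Uncompressed GNU format: no pax headers and no gzip header timestamp.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(paths):      # os.walk order depends on the filesystem
            tar.add(path, arcname=os.path.relpath(path, src_dir),
                    recursive=False, filter=_normalize)
    return buf.getvalue()


def demo():
    """Constructed input: same contents, different creation order and mtimes."""
    files = [("bin/tool", b"#!/bin/sh\n", 0o755), ("README", b"hi\n", 0o644)]
    digests = []
    for step, mtime in ((1, 1_000_000_000), (-1, 1_500_000_000)):
        root = tempfile.mkdtemp()
        os.mkdir(os.path.join(root, "bin"))
        for rel, data, mode in files[::step]:
            path = os.path.join(root, rel)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
            os.utime(path, (mtime, mtime))
        digests.append(hashlib.sha256(deterministic_tar(root)).hexdigest())
    return digests


if __name__ == "__main__":
    print(demo())
```

Both digests returned by `demo()` are equal even though the two trees were written in a different order and carry different modification times.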


Install prereqs:

sudo apt-get install python-vm-builder qemu-kvm apt-cacher
sudo service apt-cacher start

Create the base VM for use in further builds (requires sudo, please review the script):


Copy any additional build inputs into a directory named inputs.

Then execute the build using a YAML description file (can be run as non-root):

bin/gbuild <package>.yml

or if you need to specify a commit for one of the git remotes:

bin/gbuild --commit <dir>=<hash> <package>.yml

The resulting report will appear in result/<package>-res.yml

To sign the result, perform:

bin/gsign --signer <signer> --release <release-name> <package>.yml

Where <signer> is your signing PGP key ID and <release-name> is the name for the current release. This will put the result and signature in the sigs//. The sigs/ directory can be managed through git to coordinate multiple signers.

After you’ve merged everybody’s signatures, verify them:

bin/gverify --release <release-name> <package>.yml

Poking around

  • Log files are captured to the var directory
  • You can run the utilities in libexec by running PATH="libexec:$PATH"
  • To start the target VM run start-target 32 lucid-i386 or start-target 64 lucid-amd64
  • To ssh into the target run on-target or on-target -u root
  • On the target, the build directory contains the code as it is compiled and install contains intermediate libraries
  • By convention, the script in <package>.yml starts with any environment setup you would need to manually compile things on the target


  • disable sudo in target, just in case of a hypervisor exploit
  • tar and other archive timestamp setter