how to validate the deterministic build #2

Open
amiller opened this issue Oct 30, 2016 · 6 comments

amiller commented Oct 30, 2016

Hi, I'm trying to practice reproducing the build. I am on this version of Docker:
Docker version 1.12.1, build 23cf638 on Ubuntu, and I get the following error when trying to build:

amiller@amiller-asus ~/projects/mpc $ ./build-iso.sh 
Sending build context to Docker daemon 6.656 kB
Step 1 : FROM ubuntu:16.04
 ---> f753707788c5
Step 2 : RUN apt-get update &&     apt-get install -y         build-essential         cmake         curl         file         git         sudo         xutils-dev         &&     apt-get clean && rm -rf /var/lib/apt/lists/* &&     useradd rust --user-group --create-home --shell /bin/bash --groups sudo
 ---> Using cache
 ---> bc0c1c5e6016
Step 3 : ADD sudoers /etc/sudoers.d/nopasswd
 ---> Using cache
 ---> 61f0adc7b60f
Step 4 : USER rust
 ---> Using cache
 ---> 04facd2795aa
Step 5 : RUN mkdir -p /home/rust/libs /home/rust/src
 ---> Using cache
 ---> c90ebbc3dc87
Step 6 : ENV PATH /home/rust/.cargo/bin:/usr/local/musl/bin:/usr/local/bin:/usr/bin:/bin
 ---> Using cache
 ---> f6d2e3075579
Step 7 : RUN curl https://sh.rustup.rs -sSf | sh -s -- -y &&     rustup default stable &&     rustup target add x86_64-unknown-linux-musl
 ---> Using cache
 ---> 72cc166a32c1
Step 8 : ADD cargo-config.toml /home/rust/.cargo/config
 ---> Using cache
 ---> 433769717106
Step 9 : WORKDIR /home/rust/libs
 ---> Using cache
 ---> e74707ece99b
Step 10 : ADD musl /home/rust/libs/musl
 ---> Using cache
 ---> d50a2b090c64
Step 11 : RUN sudo chown -R rust:rust /home/rust/libs &&     cd musl &&     ./configure && make && sudo make install &&     cd .. && rm -rf musl
 ---> Running in 362cbd6abede
/bin/sh: 1: ./configure: not found
The command '/bin/sh -c sudo chown -R rust:rust /home/rust/libs &&     cd musl &&     ./configure && make && sudo make install &&     cd .. && rm -rf musl' returned a non-zero code: 127
Contributor

ebfull commented Oct 31, 2016

The repository has git submodules you will need to clone in order to perform the build. :)

@ebfull ebfull closed this as completed Oct 31, 2016
Author

amiller commented Oct 31, 2016

OK, I didn't notice the submodules. git clone with --recursive makes progress. Now I'm able to produce ISOs, but their hashes don't match. I didn't save the whole log the first time, so I am pasting a log of what happens after using caches.
Here's a gist: https://gist.github.com/amiller/504034ee29b1ab7df12201c6fdb14098
In the meantime, I am clearing my cache and rebuilding to get a more useful log.

Contributor

ebfull commented Oct 31, 2016

The ISOs will not be the same due to timestamps. Use diffoscope to compare the two -- it will show those are the only differences. (Along with signatures of the timestamps.)

@ebfull ebfull reopened this Oct 31, 2016
Contributor

ebfull commented Oct 31, 2016

I'll leave this open until you succeed, and fix documentation based on your experience.

Author

amiller commented Oct 31, 2016

OK, I think this is probably fine. Here are my diffs.
http://filebin.ca/30NaVJ3xP4gU/diff-network
http://filebin.ca/30NY8Z1rLub2/diff-compute

I'm not 100% sure how to read everything that is different. Here's an excerpt from the mpc_compute apk. I think what this is showing is that only the metadata (timestamps) of most of the files are different. The signatures and .pkginfo also have different data, but all the rest of the files are identical except for their names.

── apks/x86_64/mpc_compute-1.0.0-r0.apk
│   ├── mpc_compute-1.0.0-r0.apk-content
│   │   ├── file list
│   │   │ @@ -1,8 +1,8 @@
│   │   │ --rw-r--r--   0 root         (0) root         (0)      256 2016-10-31 02:39:44.000000 .SIGN.RSA.iso.rsa.pub
│   │   │ --rw-r--r--   0 root         (0) root         (0)      507 2016-10-31 02:39:44.000000 .PKGINFO
│   │   │ --rwxr-xr-x   0 root         (0) root         (0)      203 2016-10-31 02:39:44.000000 .post-install
│   │   │ -drwxr-xr-x   0 root         (0) root         (0)        0 2016-10-31 02:39:44.178203 bin/
│   │   │ --rwxr-xr-x   0 root         (0) root         (0)   800784 2016-10-31 02:39:44.178203 bin/mpc_compute.rs
│   │   │ --rwxr-xr-x   0 root         (0) root         (0)      262 2016-10-31 02:39:44.166203 bin/mpc_compute
│   │   │ -drwxr-xr-x   0 root         (0) root         (0)        0 2016-10-31 02:39:44.170203 etc/
│   │   │ --rw-r--r--   0 root         (0) root         (0)      232 2016-10-31 02:39:44.170203 etc/inittab
│   │   │ +-rw-r--r--   0 root         (0) root         (0)      256 2016-10-21 17:22:10.000000 .SIGN.RSA.iso.rsa.pub
│   │   │ +-rw-r--r--   0 root         (0) root         (0)      507 2016-10-21 17:22:10.000000 .PKGINFO
│   │   │ +-rwxr-xr-x   0 root         (0) root         (0)      203 2016-10-21 17:22:10.000000 .post-install
│   │   │ +drwxr-xr-x   0 root         (0) root         (0)        0 2016-10-21 17:22:10.163711 bin/
│   │   │ +-rwxr-xr-x   0 root         (0) root         (0)      262 2016-10-21 17:22:10.155711 bin/mpc_compute
│   │   │ +-rwxr-xr-x   0 root         (0) root         (0)   800784 2016-10-21 17:22:10.163711 bin/mpc_compute.rs
│   │   │ +drwxr-xr-x   0 root         (0) root         (0)        0 2016-10-21 17:22:10.155711 etc/
│   │   │ +-rw-r--r--   0 root         (0) root         (0)      232 2016-10-21 17:22:10.155711 etc/inittab
│   │   ├── .SIGN.RSA.iso.rsa.pub
│   │   │ @@ -1,16 +1,16 @@
│   │   │ -00000000: 62ee c74e a775 9386 cc9b 42f0 924e 1f5e  b..N.u....B..N.^
│   │   │ -00000010: e162 021c 6e2d e026 f73d 4520 9f29 65b5  .b..n-.&.=E .)e.
│   │   │ -00000020: 7a1f 39b9 0f9b 8e6c 6663 da87 8496 92f7  z.9....lfc......
....
....
│   │   │ +000000f0: 105a ab88 bf03 d21f 88e2 41b6 bab1 4923  .Z........A...I#
│   │   ├── .PKGINFO
│   │   │ @@ -1,21 +1,21 @@
│   │   │  # Generated by abuild 2.27.1
│   │   │  # using fakeroot version 1.20.2
│   │   │ -# Mon Oct 31 02:39:44 UTC 2016
│   │   │ +# Fri Oct 21 17:22:10 UTC 2016
│   │   │  pkgname = mpc_compute
│   │   │  pkgver = 1.0.0-r0
│   │   │  pkgdesc = MPC compute node binary
│   │   │  url = https://z.cash/
│   │   │ -builddate = 1477881584
│   │   │ +builddate = 1477070530
│   │   │  packager = Unknown
│   │   │  size = 823296
│   │   │  arch = x86_64
│   │   │  origin = mpc_compute
│   │   │  commit = 
│   │   │  license = MIT
│   │   │  replaces = alpine-base
│   │   │  depend = alpine-base
│   │   │  depend = xorriso
│   │   │  depend = gradm-improved
│   │   │  depend = busybox
│   │   │  # automatically detected:
│   │   │ -datahash = d4adf609a2ed4a8d1ce4bcacfd77dec029704ce2539cc333807a97b04288fbbe
│   │   │ +datahash = 9aad620c0b76127231b7dda3234f345a670fd39bb4cb74a02cb4205b8cc6e903
│   │   ╵
│   ╵

It would be nice to write down a policy of what to expect, i.e. one that can be written in a script and checked automatically rather than by eye, such that any malicious difference would show up.

amiller changed the title from "deterministic build fails?" to "how to validate the deterministic build" on Nov 1, 2016
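
A sketch of the scripted policy asked for above, added here as an example; it is not code from this thread or from the project. The policy itself is an assumption read off the diffoscope excerpt (mtimes, member order, signature contents and the `builddate`/`datahash`/date-comment lines of `.PKGINFO` may differ, nothing else), the helper names are hypothetical, and the sample archives are constructed plain gzip'd tars rather than real APKs.

```python
import collections, hashlib, io, re, tarfile

# Assumed policy, read off the excerpt above: mtimes and member order are ignored,
# .SIGN.* contents may differ, and .PKGINFO may differ only on the lines below.
VOLATILE = re.compile(rb"builddate = \d+|datahash = [0-9a-f]+"
                      rb"|# \w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d UTC \d{4}")

def digest(name, data):
    """SHA-256 of a member's content after masking what the policy lets vary."""
    if name.startswith(".SIGN."):
        return "<signature>"
    if name == ".PKGINFO":
        data = b"\n".join(b"<volatile>" if VOLATILE.fullmatch(line) else line
                          for line in data.split(b"\n"))
    return hashlib.sha256(data).hexdigest()

def manifest(archive):
    """Count (name, type, mode, uid, gid, link target, digest) entries, duplicates included."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return collections.Counter(
            (m.name, m.type, m.mode, m.uid, m.gid, m.linkname,
             digest(m.name, tar.extractfile(m).read() if m.isfile() else b""))
            for m in tar)

def violations(archive_a, archive_b):
    """Names of members that differ in any way the policy does not allow."""
    a, b = manifest(archive_a), manifest(archive_b)
    return sorted({entry[0] for entry in (a - b) + (b - a)})

def build(mtime, date_line, sig, binary):
    """Constructed stand-in for a package: one gzip'd tar with three members."""
    pkginfo = b"%s\npkgname = mpc_compute\nbuilddate = %d\ndatahash = %s\n" % (
        date_line, mtime, hashlib.sha256(b"%d" % mtime + binary).hexdigest().encode())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in ((".SIGN.RSA.iso.rsa.pub", sig, 0o644),
                                 (".PKGINFO", pkginfo, 0o644),
                                 ("bin/mpc_compute", binary, 0o755)):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(data), mtime, mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

OURS = build(1477881584, b"# Mon Oct 31 02:39:44 UTC 2016", b"\x62\xee", b"#!/bin/sh\nrun\n")
THEIRS = build(1477070530, b"# Fri Oct 21 17:22:10 UTC 2016", b"\x10\x5a", b"#!/bin/sh\nrun\n")
TAMPERED = build(1477070530, b"# Fri Oct 21 17:22:10 UTC 2016", b"\x10\x5a", b"#!/bin/sh\nrun --changed\n")

if __name__ == "__main__":
    print(violations(OURS, THEIRS), violations(OURS, TAMPERED))
```

Because `datahash` is masked, the check relies on hashing every payload member directly; an empty list means the two builds differ only in ways the policy allows.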
@hyngo1358

Hi, I'm trying to do the same thing @amiller did, and I got the following error. Please help me understand where I went wrong!
My Docker version: Docker version 17.03.2-ce, build f5ec1e2
Step 1/12 : FROM ubuntu:16.04g
---> b9e15a5d1e1a
Step 2/12 : RUN apt-get update && apt-get install -y build-essential cmake curl file git sudo xutils-dev && apt-get clean && rm -rf /var/lib/apt/lists/* && useradd rust --user-group --create-home --shell /bin/bash --groups sudo
---> Using cache
---> 9a6a5e602ef3
Step 3/12 : ADD sudoers /etc/sudoers.d/nopasswd
---> Using cache
---> 1502582bd8d7
Step 4/12 : USER rust
---> Using cache
---> 5fd7ffdd3df4
Step 5/12 : RUN mkdir -p /home/rust/libs /home/rust/src
---> Using cache
---> 4dd335101c92
Step 6/12 : ENV PATH /home/rust/.cargo/bin:/usr/local/musl/bin:/usr/local/bin:/usr/bin:/bin
---> Using cache
---> 2418e50d8351
Step 7/12 : RUN curl https://sh.rustup.rs -sSf | sh -s -- -y && rustup default stable && rustup target add x86_64-unknown-linux-musl
---> Using cache
---> 705c0946c8cf
Step 8/12 : ADD cargo-config.toml /home/rust/.cargo/config
---> Using cache
---> 086ca730e945
Step 9/12 : WORKDIR /home/rust/libs
---> Using cache
---> a6b01a36dc18
Step 10/12 : ADD musl /home/rust/libs/musl
---> Using cache
---> 6872e7ba9edb
Step 11/12 : RUN sudo chown -R rust:rust /home/rust/libs && cd musl && ./configure && make && sudo make install && cd .. && rm -rf musl
---> Using cache
---> 8d118827d8e5
Step 12/12 : WORKDIR /home/rust/src
---> Using cache
---> fecddf950b9b
Successfully built fecddf950b9b
Updating registry https://github.com/rust-lang/crates.io-index
Downloading time v0.1.35
Downloading env_logger v0.3.5
Downloading log v0.3.6
Downloading crossbeam v0.2.10
Downloading bn v0.4.1
Downloading rand v0.3.14
Downloading ansi_term v0.9.0
Downloading rustc-serialize v0.3.19
Downloading bincode v0.6.0
Downloading byteorder v0.5.3
Downloading blake2-rfc v0.2.17
Downloading kernel32-sys v0.2.2
Downloading winapi v0.2.8
Downloading libc v0.2.16
Downloading winapi-build v0.1.1
Downloading regex v0.1.77
Downloading utf8-ranges v0.1.3
Downloading memchr v0.1.11
Downloading aho-corasick v0.5.3
Downloading regex-syntax v0.3.5
Downloading thread_local v0.2.7
Downloading thread-id v2.0.0
Downloading num-traits v0.1.35
Downloading constant_time_eq v0.1.2
Compiling num-traits v0.1.35
Compiling rustc-serialize v0.3.19
error[E0642]: patterns aren't allowed in methods without bodies
--> /home/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/rustc-serialize-0.3.19/src/serialize.rs:147:45
|
147 | &f_name: &str,
| ^^^^^^^

error: aborting due to previous error

For more information about this error, try rustc --explain E0642.
error: Could not compile rustc-serialize.
