Archives
/
gitian-builder
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Build packages in a secure deterministic fashion inside a VM
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
77 Commits
6 Branches
2 Tags
995 KiB
Python 43.5%
Shell 29.7%
Ruby 26.8%
 
 
 
master
redo121
lxc
lxcbr
git-archive
updater
0.1
0.2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'lxcbr'
${ noResults }
Go to file
devrandom 684f6c9427 Use lxcbr0 as bridge 12 years ago
bin Use lxcbr0 as bridge 12 years ago
doc check if kvm is available and warn if not 13 years ago
etc Use lxcbr0 as bridge 12 years ago
libexec Use lxcbr0 as bridge 12 years ago
share Start unit testing 12 years ago
target-bin Use lxcbr0 as bridge 12 years ago
.gitignore implement bin/gsign 13 years ago
README.md Use lxcbr0 as bridge 12 years ago

README.md

Gitian

Read about the project goals at the "project home page":https://gitian.org/ .

This package can do a deterministic build of a package inside a VM.

Deterministic build inside a VM

This performs a build inside a VM, with deterministic inputs and outputs. If the build script takes care of all sources of non-determinism (mostly caused by timestamps), the result will always be the same. This allows multiple independent verifiers to sign a binary with the assurance that it really came from the source they reviewed.

Synopsis:

Install prereqs:

sudo apt-get install apt-cacher-ng python-vm-builder ruby

If you want to use kvm: sudo apt-get install qemu-kvm

or alternatively, lxc (no need for hardware support): sudo apt-get install debootstrap lxc

Create the base VM for use in further builds (requires sudo, please review the script):

bin/make-base-vm
bin/make-base-vm --arch i386

or for lxc:

bin/make-base-vm --lxc
bin/make-base-vm --lxc --arch i386

Copy any additional build inputs into a directory named inputs.

Then execute the build using a YAML description file (can be run as non-root):

export USE_LXC=1 # LXC only
bin/gbuild <package>.yml

or if you need to specify a commit for one of the git remotes:

bin/gbuild --commit <dir>=<hash> <package>.yml

The resulting report will appear in result/<package>-res.yml

To sign the result, perform:

bin/gsign --signer <signer> --release <release-name> <package>.yml

Where is your signing PGP key ID and is the name for the current release. This will put the result and signature in the sigs//. The sigs/ directory can be managed through git to coordinate multiple signers.

After you've merged everybody's signatures, verify them:

bin/gverify --release <release-name> <package>.yml

Poking around

  • Log files are captured to the var directory
  • You can run the utilities in libexec by running PATH="libexec:$PATH"
  • To start the target VM run start-target 32 lucid-i386 or start-target 64 lucid-amd64
  • To ssh into the target run on-target or on-target -u root
  • On the target, the build directory contains the code as it is compiled and install contains intermediate libraries
  • By convention, the script in <package>.yml starts with any environment setup you would need to manually compile things on the target

TODO:

  • disable sudo in target, just in case of a hypervisor exploit
  • tar and other archive timestamp setter

LXC tips

bin/gbuild runs lxc-start, which may require root. If you are in the admin group, you can add the following sudoers line to prevent asking for the password every time:

%admin ALL=NOPASSWD: /usr/bin/lxc-start

Recent distributions allow lxc-start to be run by non-priviledged users, so you might be able to rip-out the sudo calls in libexec/*.

If you have a runaway lxc-start command, just use kill -9 on it.

The machine configuration requires access to lxcbr0 and assumes that the host address is 10.0.3.1 . If lxc does not configure lxcbr0 on boot, you can do so manually:

sudo brctl addbr lxcbr0
sudo ifconfig lxcbr0 10.0.3.1/24 up

Tests

Not very extensive, currently.

python -m unittest discover test