Reproducible builds for macOS and Windows #337
Merged
This PR adds a `make test-determinism` make target/command that sequentially "compiles" two PyInstaller bundles and compares their hashes against each other in order to verify the (local) reproducibility of the Gridsync build process. The files contained within the generated PyInstaller bundles are added (deterministically, with normalized file-permissions and timestamps) to an intermediate `Gridsync.zip` archive in order to facilitate further comparison and/or distribution of build outputs, while checks that do fail will have their outputs run through the `diffoscope` utility in order to identify any sources of variance between builds.

As it currently stands, this work is sufficient to demonstrate that PyInstaller "onedir" builds are indeed deterministic/reproducible on macOS and Windows -- so long as a) the `PYTHONHASHSEED` environment variable is set to a known-value, b) the file-permissions and timestamps of the files within the bundle are normalized in advance (e.g., by using the scripts contained in this PR and #329), and c) any relevant components in the build environment remain otherwise unchanged between builds.

Importantly, while this PR makes it possible to easily verify that a given on-disk install of Gridsync is bit-for-bit identical with that built on a separate system (since the hash of the archive of the installed instance will now match the hash of the intermediate archive built by, e.g., Buildbot or GitHub Actions), in the case of macOS, both `codesign`ed application bundles and disk images (`.dmg` files) contain timestamps that naturally jeopardize the determinism of the resultant files. Accordingly, the scope of this PR should be understood to only demonstrate the reproducibility of the PyInstaller-generated binaries and related build processes on a given host environment; it does not offer a means of generating reproducible `.dmg` files, nor does it provide tooling for, e.g., stripping away any `codesign` signatures prior to verification. Any such efforts will need to be made separately and later.

Closes #331 and #332.
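The archive normalization described above, sketched as an added example; this is not the code from this PR or from Gridsync. The function names, the fixed timestamp, the `0o755`/`0o644` mode policy and the sample file names are assumptions chosen for illustration.

```python
import hashlib
import os
import stat
import tempfile
import zipfile

FIXED_TIME = (2021, 1, 1, 0, 0, 0)  # assumed constant; any fixed date >= 1980 works

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def deterministic_zip(src_dir, zip_path):
    """Archive src_dir so identical file contents always give identical bytes."""
    entries = []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            arc = os.path.relpath(full, src_dir).replace(os.sep, "/")
            entries.append((arc, full))
    # ZIP_STORED keeps the bytes independent of the local zlib version.
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_STORED) as zf:
        for arc, full in sorted(entries):  # fixed order, not filesystem order
            info = zipfile.ZipInfo(arc, date_time=FIXED_TIME)  # drop the mtime
            info.create_system = 3  # same "Unix" marker on every build host
            executable = os.stat(full).st_mode & stat.S_IXUSR
            mode = 0o755 if executable else 0o644  # normalized permissions
            info.external_attr = (stat.S_IFREG | mode) << 16
            with open(full, "rb") as f:
                zf.writestr(info, f.read())
    return sha256_file(zip_path)

def demo():
    """Two constructed trees: same contents, different mtimes, modes, order."""
    hashes = []
    names = ["Gridsync.exe", "lib/base.pyc"]  # constructed sample files
    builds = [(1_000_000_000, 0o600, names), (1_600_000_000, 0o644, names[::-1])]
    for mtime, mode, order in builds:
        tree = tempfile.mkdtemp()
        os.makedirs(os.path.join(tree, "lib"))
        for name in order:
            path = os.path.join(tree, name)
            with open(path, "wb") as f:
                f.write(b"constructed " + name.encode())
            os.chmod(path, mode)
            os.utime(path, (mtime, mtime))
        out = os.path.join(tempfile.mkdtemp(), "Gridsync.zip")
        hashes.append(deterministic_zip(tree, out))
    return hashes

if __name__ == "__main__":
    print(demo())
```

When two such hashes differ, comparing the two archives with `diffoscope` shows which entry or metadata field varied.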