Reproducible builds

Reproducibility is a goal of the Sparrow Wallet project. As of v1.5.0 and later, it is possible to recreate the exact binaries in the GitHub releases (specifically, the contents of the .tar.gz and .zip files).

Due to minor variances, it is not yet possible to reproduce the installer packages (.deb, .rpm and .exe). In addition, the OSX binary is code signed and thus can't be directly reproduced yet. Work on resolving both of these issues is ongoing.

Reproducing a release

Install Java

Because Sparrow bundles a Java runtime in the release binaries, it is essential to have the same version of Java installed when creating the release. For v1.5.0 and later, the project will be using AdoptOpenJDK jdk-16.0.1+9 Hotspot.

Set AdoptOpenJDK version for command line installation:

ADOPTOPENJDK_MAJOR_VERSION=16
ADOPTOPENJDK_UNDERLINE_VERSION=16.0.1_9
ADOPTOPENJDK_PLUS_VERSION=16.0.1+9
ADOPTOPENJDK_FULL_VERSION=16.0.1+9-3

Binaries from official site

It is available for all supported platforms from adoptopenjdk.net.

Binaries from GitHub

For reference, the downloads are as follows on the AdoptOpenJDK GitHub release page:

Download from terminal for *nix systems

Set your operating system [mac|linux|alpine-linux|aix]:

OPERATING_SYSTEM=linux

Set the building machine architecture: linux=[x64|arm|aarch64|ppc64le|ppc64|s390x] aix=[ppc64] mac=[x64]

ARCHITECTURE=x64

Download AdoptOpenJDK to the /tmp folder:

wget -q --show-progress -P /tmp/ https://github.com/AdoptOpenJDK/openjdk16-binaries/releases/download/jdk-${ADOPTOPENJDK_PLUS_VERSION}/OpenJDK16U-jdk_${ARCHITECTURE}_${OPERATING_SYSTEM}_hotspot_${ADOPTOPENJDK_UNDERLINE_VERSION}.tar.gz
wget -q --show-progress -P /tmp/ https://github.com/AdoptOpenJDK/openjdk16-binaries/releases/download/jdk-${ADOPTOPENJDK_PLUS_VERSION}/OpenJDK16U-jdk_${ARCHITECTURE}_${OPERATING_SYSTEM}_hotspot_${ADOPTOPENJDK_UNDERLINE_VERSION}.tar.gz.sha256.txt

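Check if the hash of the tar.gz is correct (OK is what you need). sha256sum resolves the file name listed in the checksum file relative to the current directory, so run the check from /tmp:

(cd /tmp && sha256sum -c OpenJDK16U-jdk_${ARCHITECTURE}_${OPERATING_SYSTEM}_hotspot_${ADOPTOPENJDK_UNDERLINE_VERSION}.tar.gz.sha256.txt)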

Package manager

AdoptOpenJDK RPM and DEB packages are available on adoptopenjdk.net latest install guide.

APT

Debian and Ubuntu:

sudo apt update -y
sudo apt-get install -y wget gnupg apt-transport-https
wget -q --show-progress https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
gpg --no-default-keyring --keyring ./adoptopenjdk-keyring.gpg --import public
gpg --no-default-keyring --keyring ./adoptopenjdk-keyring.gpg --export --output adoptopenjdk-archive-keyring.gpg
rm adoptopenjdk-keyring.gpg
sudo mv adoptopenjdk-archive-keyring.gpg /usr/share/keyrings
echo "deb [signed-by=/usr/share/keyrings/adoptopenjdk-archive-keyring.gpg] https://adoptopenjdk.jfrog.io/adoptopenjdk/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/adoptopenjdk.list
sudo apt update -y
sudo apt-get install -y adoptopenjdk-${ADOPTOPENJDK_MAJOR_VERSION}-hotspot=${ADOPTOPENJDK_FULL_VERSION}

RPM

CentOS, RHEL and Fedora:

# writing under /etc/yum.repos.d needs root, so write the file through sudo tee
sudo tee /etc/yum.repos.d/adoptopenjdk.repo > /dev/null <<'EOF'
[AdoptOpenJDK]
name=AdoptOpenJDK
baseurl=http://adoptopenjdk.jfrog.io/adoptopenjdk/rpm/centos/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
EOF
# yum selects a version as name-version-release, not name=version
sudo yum install -y adoptopenjdk-${ADOPTOPENJDK_MAJOR_VERSION}-hotspot-${ADOPTOPENJDK_FULL_VERSION}

openSUSE and SLES:

sudo zypper ar -f http://adoptopenjdk.jfrog.io/adoptopenjdk/rpm/opensuse/15.0/$(uname -m) adoptopenjdk
sudo zypper install -y adoptopenjdk-${ADOPTOPENJDK_MAJOR_VERSION}-hotspot=${ADOPTOPENJDK_FULL_VERSION}

SDK

An alternative option for all platforms is to use the sdkman.io package manager. See the installation instructions here.

First, install zip and unzip. Example on Debian/Ubuntu systems:

sudo apt-get install -y zip unzip

Installation on macOS, Linux, WSL, Cygwin, Solaris and FreeBSD (compatible with Bash and Zsh shells):

curl -sS "https://get.sdkman.io" | ${SHELL##*/}
. "$HOME/.sdkman/bin/sdkman-init.sh"

Installation on Windows with git-scm.

Install AdoptOpenJDK HotSpot:

sdk install java 16.0.1.hs-adpt

Building the binaries

To complete the build, the packages below are required. Installation on Debian/Ubuntu systems:

sudo apt install -y rpm fakeroot binutils git wget curl gnupg tar diffutils

Set a specific release tag as follows:

GIT_TAG="1.5.0-beta1"

Clone the repository:

  • without SSH credentials:
git clone --recursive --branch "${GIT_TAG}" https://github.com/sparrowwallet/sparrow.git
  • with SSH credentials:
git clone --recursive --branch "${GIT_TAG}" git@github.com:sparrowwallet/sparrow.git

Thereafter, building should be straightforward:

cd sparrow
./gradlew jpackage

The binaries (and installers) will be placed in the build/jpackage folder.

Verifying if the binaries are identical

Note: If you encounter any errors in the following steps, you should not proceed until they are resolved.

Import the maintainer PGP public key (Fingerprint: E946 1833 4C67 4B40):

curl -sS https://keybase.io/craigraw/pgp_keys.asc | gpg --import

Download the manifest and signed manifest that are available on the releases page (will download to the /tmp folder):

wget -q --show-progress -P /tmp/ https://github.com/sparrowwallet/sparrow/releases/download/"${GIT_TAG}"/sparrow-"${GIT_TAG}"-manifest.txt
wget -q --show-progress -P /tmp/ https://github.com/sparrowwallet/sparrow/releases/download/"${GIT_TAG}"/sparrow-"${GIT_TAG}"-manifest.txt.asc

Download the compressed binaries [tar.gz|zip]:

COMPRESSION_METHOD="tar.gz"
wget -q --show-progress -P /tmp/ https://github.com/sparrowwallet/sparrow/releases/download/"${GIT_TAG}"/sparrow-"${GIT_TAG}".${COMPRESSION_METHOD}

Verify the manifest authenticity (Good signature is what you need):

gpg --verify /tmp/sparrow-${GIT_TAG}-manifest.txt.asc /tmp/sparrow-${GIT_TAG}-manifest.txt

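Check if the hash of the .tar.gz is correct (OK is what you need). sha256sum resolves the file names listed in the manifest relative to the current directory, so run the check from /tmp:

(cd /tmp && sha256sum -c sparrow-"${GIT_TAG}"-manifest.txt --ignore-missing)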

Extract the archive into the /tmp folder with:

  • tar:
sudo tar -xf /tmp/sparrow-"${GIT_TAG}".tar.gz -C /tmp
  • unzip:
sudo unzip -q /tmp/sparrow-"${GIT_TAG}".zip -d /tmp

Recursively compare the files in the build/jpackage/Sparrow folder against either of the uncompressed releases. This command should produce no output, indicating that the two folders and all their contents are identical:

diff -r build/jpackage/Sparrow /tmp/Sparrow
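
The manifest signature step above relies on reading "Good signature" by eye, which gpg prints for any key in the keyring. The following is an added example, not part of the Sparrow project: it checks gpg's machine-readable status output against the key ID printed on this page. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the manifest signer instead of reading gpg output by eye.
# Key ID as printed on this page (prefer the full fingerprint if you have it).
EXPECTED_KEY_ID="E946 1833 4C67 4B40"

# Reads `gpg --status-fd 1 --verify` output on stdin (hypothetical helper).
# Succeeds only if every VALIDSIG names a primary key ending in the pinned ID
# and no signature is bad, unverifiable, or from an expired/revoked key.
signed_by_expected_key() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    matched=1
    while read -r tag kind fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kind" in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG) ;;
            *) continue ;;
        esac
        # The last VALIDSIG field is the primary key fingerprint; older gpg
        # versions omit it, in which case the signing key fingerprint is used.
        primary=${rest##* }
        case "$primary" in *[!0-9A-Fa-f]*) primary=$fpr ;; esac
        [ "${#primary}" -ge 32 ] || primary=$fpr
        primary=$(printf '%s' "$primary" | tr 'a-f' 'A-F')
        case "$primary" in
            *"$expected") matched=0 ;;
            *) return 1 ;;
        esac
    done
    return "$matched"
}

# Usage: verify_manifest <manifest.txt.asc> <manifest.txt>
verify_manifest() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        signed_by_expected_key "$EXPECTED_KEY_ID"
}

# Constructed status lines for an offline check; the fingerprints are padding
# around the key ID above, not real keys.
GOOD_STATUS='[GNUPG:] GOODSIG 0000000000000001 Example Signer
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2021-06-01 1622505600 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAE94618334C674B40'
OTHER_KEY_STATUS='[GNUPG:] GOODSIG 1111111111111111 Someone Else
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2021-06-01 1622505600 0 4 0 1 8 00 1111111111111111111111111111111111111111'
EXPIRED_KEY_STATUS='[GNUPG:] EXPKEYSIG E94618334C674B40 Example Signer'
```

Calling verify_manifest with the two manifest paths downloaded earlier returns a non-zero status for a valid signature made by any other key, so it can gate the sha256sum and diff steps in a script.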