sparrowwallet/sparrow
1
0
Fork 0
mirror of https://github.com/sparrowwallet/sparrow.git synced 2024-11-02 20:36:44 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
sparrow/docs/reproducible.md
Craig Raw b2657cdcfb v1.5.0 final
2021-09-23 15:52:33 +02:00

3.5 KiB
Raw Blame History

Reproducible builds

Reproducibility is a goal of the Sparrow Wallet project. As of v1.5.0 and later, it is possible to recreate the exact binaries in the Github releases (specifically, the contents of the .tar.gz and .zip files).

Due to minor variances, it is not yet possible to reproduce the installer packages (.deb, .rpm and .exe). In addition, the OSX binary is code signed and thus can't be directly reproduced yet. Work on resolving both of these issues is ongoing.

Reproducing a release

Install Java

Because Sparrow bundles a Java runtime in the release binaries, it is essential to have the same version of Java installed when creating the release. For v1.5.0 and later, this is AdoptOpenJdk jdk-16.0.1+9 Hotspot. It is available for all supported platforms from the AdoptOpenJdk site.

For reference, the downloads are as follows:

It is also possible to install via a package manager on *nix systems. For example, on Debian/Ubuntu systems:

sudo apt-get install -y wget apt-transport-https gnupg
wget https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
gpg --no-default-keyring --keyring ./adoptopenjdk-keyring.gpg --import public
gpg --no-default-keyring --keyring ./adoptopenjdk-keyring.gpg --export --output adoptopenjdk-archive-keyring.gpg
rm adoptopenjdk-keyring.gpg
sudo mv adoptopenjdk-archive-keyring.gpg /usr/share/keyrings
echo "deb [signed-by=/usr/share/keyrings/adoptopenjdk-archive-keyring.gpg] https://adoptopenjdk.jfrog.io/adoptopenjdk/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/adoptopenjdk.list
sudo apt update -y
sudo apt-get install -y adoptopenjdk-16-hotspot=16.0.1+9-3

A alternative option for all platforms is to use the sdkman.io package manager (Git Bash for Windows is a good choice on that platform). See the installation instructions here. Once installed, run

sdk install java 16.0.1.hs-adpt

Other requirements

Other packages may also be necessary to build depending on the platform. On Debian/Ubuntu systems:

sudo apt install -y rpm fakeroot binutils

Building the binaries

The project can cloned for a specific release tag as follows:

GIT_TAG="1.5.0"
git clone --recursive --branch "${GIT_TAG}" git@github.com:sparrowwallet/sparrow.git

Thereafter, building should be straightforward:

cd sparrow
./gradlew jpackage

The binaries (and installers) will be placed in the build/jpackage folder.

Verifying the binaries are identical

Note that you will be verifying the files in the build/jpackage/Sparrow folder against either the .tar.gz or .zip releases. Download either of these depending on your platform and extract the contents to a folder (in the following example, /tmp). Then compare all of the folders and files recursively:

diff -r build/jpackage/Sparrow /tmp/Sparrow

This command should have no output indicating that the two folders (and all their contents) are identical.