Verified Commit 22d04ff8 authored by Torsten Grote's avatar Torsten Grote

Use disorderfs deterministic file system to fix differences in resources.arsc

Thanks @goapunk for the prototype and the heavy lifting! :)
parent 04c2a281
...@@ -24,12 +24,14 @@ build: ...@@ -24,12 +24,14 @@ build:
test_success: test_success:
stage: test stage: test
script: script:
- docker run ${TEST_IMAGE} ./reproduce.py release-1.0.1 # Consider adding the cap and the device directly to the CI config
# https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-docker-section
- docker run --cap-add SYS_ADMIN --device /dev/fuse ${TEST_IMAGE} ./reproduce.py release-1.0.1
test_failure: test_failure:
stage: test stage: test
script: script:
- if docker run ${TEST_IMAGE} ./reproduce.py release-1.0.3; then exit 1; else exit 0; fi - if docker run --cap-add SYS_ADMIN --device /dev/fuse ${TEST_IMAGE} ./reproduce.py release-1.0.3; then exit 1; else exit 0; fi
release: release:
stage: release stage: release
......
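Review bot: `--cap-add SYS_ADMIN` on the `docker run` lines of both `test_success` and `test_failure` grants the container much more than the ability to mount a FUSE file system, and that same container then runs a Gradle build. Whether the runner is shared is not visible here, but these jobs should be limited to a dedicated or ephemeral runner, and the comment above the first `docker run` should record why the capability is there, e.g. `# SYS_ADMIN and /dev/fuse are needed only for the disorderfs mount; run on a dedicated runner`. Adding `--rm` to both `docker run` lines would also stop exited containers from piling up on that runner.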
...@@ -72,12 +72,22 @@ Build our Docker image: ...@@ -72,12 +72,22 @@ Build our Docker image:
### Run the verification ### Run the verification
Currently, the verification needs `disorderfs` as a deterministic file-system.
Therefore, please make sure that `fuse` is installed on your host system.
apt install fuse
To verify a specific version of Briar, run To verify a specific version of Briar, run
docker run briar/reproducer:latest ./reproduce.py [tag] docker run --cap-add SYS_ADMIN --device /dev/fuse briar/reproducer:latest ./reproduce.py [tag]
Where `[tag]` is the git tag (source code snapshot) that identifies the version Where `[tag]` is the git tag (source code snapshot) that identifies the version
you want to test, for example `release-1.0.1`. you want to test, for example `release-1.0.1`.
You can find a list of tags in Briar's You can find a list of tags in Briar's
[source code repository](https://code.briarproject.org/akwizgran/briar/tags). [source code repository](https://code.briarproject.org/akwizgran/briar/tags).
The `SYS_ADMIN` capability and the `fuse` device are required,
so the container can build the app inside a `disorderfs`.
We hope to be able to drop this requirement
once this [upstream issue](https://issuetracker.google.com/issues/110237303) is fixed.
\ No newline at end of file
...@@ -5,5 +5,7 @@ set -x ...@@ -5,5 +5,7 @@ set -x
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
git \ git \
default-jdk-headless \ default-jdk-headless \
fuse \
disorderfs \
unzip \ unzip \
wget wget
#!/usr/bin/env python3 #!/usr/bin/env python3
import os import os
import subprocess from subprocess import call, check_call, check_output
import sys import sys
REPO_DIR = "briar" REPO_DIR = "briar"
REFERENCE_URL = 'https://briarproject.org/apk/briar-%s.apk' REFERENCE_URL = 'https://briarproject.org/apk/briar-%s.apk'
GRADLE_TASK = "briar-android:assembleRelease" GRADLE_TASK = "briar-android:assembleRelease"
APK_PATH = "briar-android/build/outputs/apk/release/briar-android-release-unsigned.apk" APK_PATH = "briar-android/build/outputs/apk/release/briar-android-release-unsigned.apk"
BUILD_DIR = "briar-build"
def main(): def main():
...@@ -22,14 +23,19 @@ def main(): ...@@ -22,14 +23,19 @@ def main():
version = tag.split('-')[1] version = tag.split('-')[1]
url = REFERENCE_URL % version url = REFERENCE_URL % version
reference_apk = "briar-%s.apk" % version reference_apk = "briar-%s.apk" % version
subprocess.check_call(['wget', '--no-verbose', url, '-O', reference_apk]) check_call(['wget', '--no-verbose', url, '-O', reference_apk])
# use deterministic file system for building the app
if not os.path.exists(BUILD_DIR):
os.makedirs(BUILD_DIR)
check_call(['disorderfs', '--sort-dirents=yes', '--reverse-dirents=no', REPO_DIR, BUILD_DIR])
# build the app # build the app
repo_call(["./gradlew", "--no-daemon", GRADLE_TASK]) check_call(["./gradlew", "--no-daemon", GRADLE_TASK], cwd=BUILD_DIR)
# check if both APKs match # check if both APKs match
apk = os.path.join(REPO_DIR, APK_PATH) apk = os.path.join(BUILD_DIR, APK_PATH)
if subprocess.call(['./verify-apk.py', reference_apk, apk]) == 0: if call(['./verify-apk.py', reference_apk, apk]) == 0:
print("Version '%s' was built reproducible! :)" % tag) print("Version '%s' was built reproducible! :)" % tag)
sys.exit(0) sys.exit(0)
else: else:
...@@ -44,7 +50,7 @@ def prepare_repo(tag): ...@@ -44,7 +50,7 @@ def prepare_repo(tag):
repo_call(['git', 'checkout', '-f', 'master']) repo_call(['git', 'checkout', '-f', 'master'])
else: else:
# clone repo # clone repo
subprocess.check_call(['git', 'clone', os.environ.get("REPO_URL"), REPO_DIR]) check_call(['git', 'clone', os.environ.get("REPO_URL"), REPO_DIR])
# undo all changes # undo all changes
repo_call(['git', 'reset', '--hard']) repo_call(['git', 'reset', '--hard'])
...@@ -54,7 +60,7 @@ def prepare_repo(tag): ...@@ -54,7 +60,7 @@ def prepare_repo(tag):
# use latest tag if none given # use latest tag if none given
if tag is None: if tag is None:
result = subprocess.check_output(['git', 'describe', '--abbrev=0', '--tags'], cwd=REPO_DIR) result = check_output(['git', 'describe', '--abbrev=0', '--tags'], cwd=REPO_DIR)
tag = result.decode().rstrip() # strip away line-break tag = result.decode().rstrip() # strip away line-break
# checkout tag # checkout tag
...@@ -65,7 +71,7 @@ def prepare_repo(tag): ...@@ -65,7 +71,7 @@ def prepare_repo(tag):
def repo_call(command): def repo_call(command):
subprocess.check_call(command, cwd=REPO_DIR) check_call(command, cwd=REPO_DIR)
def fail(msg=""): def fail(msg=""):
......
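Review bot: The disorderfs mount created in `main()` is never released, and the mount call is not guarded against `BUILD_DIR` already being a mount point. `prepare_repo` handles an existing checkout, which suggests the script is meant to be re-runnable in the same container; a second run would then call `disorderfs` on an already mounted directory and would likely abort under `check_call`. Guard the mount with `if not os.path.ismount(BUILD_DIR):` and release it once `verify-apk.py` has read the APK, with `call(['fusermount', '-u', BUILD_DIR])` in a `finally:` around the build and comparison. `main()` continues outside the hunk, so the `finally` has to enclose the failure branch as well.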