Add verification script and verify on CI runs as well

.gitignore

@@ -9,3 +9,4 @@
 /obfs4proxy*.pom
 /obfs4proxy*.jar
 /obfs4
+/reference
\ No newline at end of file

.gitlab-ci.yml

@@ -21,10 +21,10 @@ build:
     - docker build -t ${TEST_IMAGE} .
     - docker push $TEST_IMAGE
 
-test_build:
+test:
   stage: test
   script:
-    - docker run -v `pwd`:/opt/go-reproducer ${TEST_IMAGE} /bin/bash -c "./build-obfs4proxy.py"
+    - docker run -v `pwd`:/opt/go-reproducer ${TEST_IMAGE} /bin/bash -c "./build-obfs4proxy.py 0.0.7 && ./verify-obfs4proxy.py 0.0.7"
   artifacts:
     paths:
     - obfs4proxy-*.zip
@@ -34,6 +34,19 @@ test_build:
   except:
     - tags
 
+test_tag:
+  stage: test
+  script:
+    - docker run -v `pwd`:/opt/go-reproducer ${TEST_IMAGE} /bin/bash -c "./verify-obfs4proxy.py ${CI_BUILD_REF_NAME}"
+  artifacts:
+    paths:
+    - obfs4proxy-*.zip
+    - obfs4proxy-*.pom
+    - obfs4proxy-*-sources.jar
+    expire_in: 1 week
+  only:
+    - tags
+
 release:
   stage: release
   script:

Dockerfile

@@ -12,7 +12,8 @@ ADD versions.json ./
 ADD utils.py ./
 ADD template.pom ./
 ADD template-android.pom ./
+ADD verify-*.py ./
 
 RUN ./install.sh
 
-CMD ./build-obfs4proxy.py
+CMD ./verify-obfs4proxy.py

README.md

@@ -5,6 +5,11 @@ used by [Briar](https://briar.app) (such as obfs4proxy)
 were built exactly from the public source code
 and no modifications (such as backdoors) were added.
 
+Current packages:
+
+* https://bintray.com/briarproject/org.briarproject/obfs4proxy
+* https://bintray.com/briarproject/org.briarproject/obfs4proxy-android
+
 More information about these so called reproducible builds is available at
 [reproducible-builds.org](https://reproducible-builds.org/).
 
@@ -23,6 +28,10 @@ If this command does not work,
 please [install Docker](https://docs.docker.com/install/)
 and continue once it is installed.
 
+Note: While not guaranteed to work,
+it *might* also be possible to perform the steps below
+without Docker on a Debian stable system.
+
 ### Using our pre-built image
 
 If you trust that our pre-built Docker image was built exactly from *its* source,

install.sh

@@ -20,7 +20,6 @@ echo "path-exclude=/usr/share/doc/*" >> /etc/dpkg/dpkg.cfg.d/01_nodoc
 
 # install dependencies
 ./install-dependencies.sh
-#./install-dependencies-verification.sh
 
 # clean up for smaller image size
 apt-get -y autoremove --purge

verify-obfs4proxy.py

+#!/usr/bin/env python3
+import os
+import sys
+from subprocess import check_call, CalledProcessError
+
+from utils import get_sha256, fail, get_build_versions, get_final_file_name, \
+    get_version, get_obfs4_version
+
+
+def main():
+    # get version from command or show usage information
+    version = get_version()
+
+    verified = verify(version, for_android=False)
+    verified_android = verify(version, for_android=True)
+    if verified and verified_android:
+        sys.exit(0)
+    else:
+        sys.exit(1)
+
+
+def verify(version, for_android):
+    # get version and versions of its dependencies
+    tool_version, versions = get_build_versions('obfs4proxy', version)
+
+    # download reference binary
+    file_name = get_final_file_name(versions, for_android)
+    os.makedirs('reference', exist_ok=True)
+    reference_file_name = os.path.join('reference', file_name)
+    try:
+        # try downloading from jcenter
+        check_call(['wget', '--no-verbose', get_url(versions, for_android), '-O',
+                    reference_file_name])
+    except CalledProcessError:
+        # try fallback to bintray
+        print("Warning: Download from jcenter failed. Trying bintray directly...")
+        check_call(['wget', '--no-verbose', get_url(versions, for_android, fallback=True), '-O',
+                    reference_file_name])
+
+    # check if it was already build
+    if not os.path.isfile(file_name):
+        # build it first
+        if version is None:
+            check_call(['./build-obfs4proxy.py'])
+        else:
+            check_call(['./build-obfs4proxy.py', version])
+
+    # calculate hashes for both files
+    reference_hash = get_sha256(reference_file_name)
+    build_hash = get_sha256(file_name)
+    print("Reference sha256: %s" % reference_hash)
+    print("Build sha256:     %s" % build_hash)
+
+    # compare hashes
+    suffix = " for Android" if for_android else ""
+    if reference_hash == build_hash:
+        print("obfs4proxy%s version %s was successfully verified! \o/" % (suffix, tool_version))
+        return True
+    else:
+        print("Hashes for obfs4proxy%s version %s do not match! :(" % (suffix, tool_version))
+        return False
+
+
+def get_url(versions, for_android, fallback=False):
+    version = get_obfs4_version(versions)
+    directory = "obfs4proxy-android" if for_android else "obfs4proxy"
+    file = get_final_file_name(versions, for_android)
+    if not fallback:
+        return "https://jcenter.bintray.com/org/briarproject/%s/%s/%s" % (directory, version, file)
+    else:
+        return "https://dl.bintray.com/briarproject/org.briarproject/org/briarproject/%s/%s/%s" % \
+               (directory, version, file)
+
+
+if __name__ == "__main__":
+    main()