add README.md

parent a227cb13
Pipeline #2572 passed with stages
in 10 minutes and 41 seconds
# Go Reproducer
This is a tool you can use to verify that golang binaries
used by [Briar](https://briar.app) (such as obfs4proxy)
were built exactly from the public source code
and no modifications (such as backdoors) were added.
More information about these so called reproducible builds is available at
[reproducible-builds.org](https://reproducible-builds.org/).
The source code for this tool is available at
https://code.briarproject.org/briar/go-reproducer
## How to use
Make sure the version of Go you want to verify is included in `versions.json`.
Verify that you have `docker` installed:
docker --version
If this command does not work,
please [install Docker](https://docs.docker.com/install/)
and continue once it is installed.
### Using our pre-built image
If you trust that our pre-built Docker image was built exactly from *its* source,
you can use it for faster verification.
If not, you can read the next section to learn how to build the image yourself.
Then you are only trusting the official `debian:stable` image which is out of our control.
Otherwise, you can skip the next section and move directly to *Run the verification*.
### Building your own image
Check out the source repository:
git clone https://code.briarproject.org/briar/go-reproducer.git
Build our Docker image:
docker build -t briar/go-reproducer go-reproducer
### Run the verification
To verify a specific version of obfs4proxy, run
docker run briar/go-reproducer:latest ./verify-obfs4proxy.py [version]
Where `[version]` is the version of obfs4proxy you want to test, for example `0.3.3.6`.
You can find a list of versions in obfs4proxy's
[source code repository](https://gitweb.torproject.org/pluggable-transports/obfs4.git/refs/).
Just remove the `obfs4proxy-` from `obfs4proxy-0.0.7`.
If you leave out `[version]` it will build the latest version
that was registered in `versions.json`.
In case there is an issue with the verification of an old build,
this *might* be caused by an update of the container.
You can try to use the original container by running:
docker run briar/go-reproducer:[version] ./verify-obfs4proxy.py [version]
There should be a tag with the name `[version]` in this repository
that you could be used to reproduce the old container.
Note that this will not work if the issue is caused by an updated Debian package.
### Only build obfs4proxy
To build a specific version of obfs4proxy, run
docker run briar/go-reproducer:latest ./build-obfs4proxy.py [version]
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment