Add verification script and verify on CI runs as well

parent 74958ca2
Pipeline #2583 passed with stages
in 10 minutes and 7 seconds
......@@ -8,4 +8,5 @@
/obfs4proxy*.zip
/obfs4proxy*.pom
/obfs4proxy*.jar
/obfs4
\ No newline at end of file
/obfs4
/reference
\ No newline at end of file
......@@ -21,10 +21,10 @@ build:
- docker build -t ${TEST_IMAGE} .
- docker push $TEST_IMAGE
test_build:
test:
stage: test
script:
- docker run -v `pwd`:/opt/go-reproducer ${TEST_IMAGE} /bin/bash -c "./build-obfs4proxy.py"
- docker run -v `pwd`:/opt/go-reproducer ${TEST_IMAGE} /bin/bash -c "./build-obfs4proxy.py 0.0.7 && ./verify-obfs4proxy.py 0.0.7"
artifacts:
paths:
- obfs4proxy-*.zip
......@@ -34,6 +34,19 @@ test_build:
except:
- tags
test_tag:
stage: test
script:
- docker run -v `pwd`:/opt/go-reproducer ${TEST_IMAGE} /bin/bash -c "./verify-obfs4proxy.py ${CI_BUILD_REF_NAME}"
artifacts:
paths:
- obfs4proxy-*.zip
- obfs4proxy-*.pom
- obfs4proxy-*-sources.jar
expire_in: 1 week
only:
- tags
release:
stage: release
script:
......
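Review bot: In the new `test_tag` job, `${CI_BUILD_REF_NAME}` is expanded inside the string handed to `/bin/bash -c`, so the tag name is parsed a second time by the shell inside the container. Git ref names may contain shell metacharacters, so whoever is allowed to push tags controls text that this shell interprets. Passing the value as a separate argument avoids the second parse, for example `- docker run -v `pwd`:/opt/go-reproducer ${TEST_IMAGE} ./verify-obfs4proxy.py "${CI_BUILD_REF_NAME}"`, assuming the image's working directory is the one the current `bash -c` form relies on. The rest of the file is collapsed after this hunk, so the `release` job was not reviewed.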
......@@ -12,7 +12,8 @@ ADD versions.json ./
ADD utils.py ./
ADD template.pom ./
ADD template-android.pom ./
ADD verify-*.py ./
RUN ./install.sh
CMD ./build-obfs4proxy.py
CMD ./verify-obfs4proxy.py
......@@ -5,6 +5,11 @@ used by [Briar](https://briar.app) (such as obfs4proxy)
were built exactly from the public source code
and no modifications (such as backdoors) were added.
Current packages:
* https://bintray.com/briarproject/org.briarproject/obfs4proxy
* https://bintray.com/briarproject/org.briarproject/obfs4proxy-android
More information about these so called reproducible builds is available at
[reproducible-builds.org](https://reproducible-builds.org/).
......@@ -23,6 +28,10 @@ If this command does not work,
please [install Docker](https://docs.docker.com/install/)
and continue once it is installed.
Note: While not guaranteed to work,
it *might* also be possible to perform the steps below
without Docker on a Debian stable system.
### Using our pre-built image
If you trust that our pre-built Docker image was built exactly from *its* source,
......
......@@ -20,7 +20,6 @@ echo "path-exclude=/usr/share/doc/*" >> /etc/dpkg/dpkg.cfg.d/01_nodoc
# install dependencies
./install-dependencies.sh
#./install-dependencies-verification.sh
# clean up for smaller image size
apt-get -y autoremove --purge
......
#!/usr/bin/env python3
import os
import sys
from subprocess import check_call, CalledProcessError
from utils import get_sha256, fail, get_build_versions, get_final_file_name, \
get_version, get_obfs4_version
def main():
# get version from command or show usage information
version = get_version()
verified = verify(version, for_android=False)
verified_android = verify(version, for_android=True)
if verified and verified_android:
sys.exit(0)
else:
sys.exit(1)
def verify(version, for_android):
# get version and versions of its dependencies
tool_version, versions = get_build_versions('obfs4proxy', version)
# download reference binary
file_name = get_final_file_name(versions, for_android)
os.makedirs('reference', exist_ok=True)
reference_file_name = os.path.join('reference', file_name)
try:
# try downloading from jcenter
check_call(['wget', '--no-verbose', get_url(versions, for_android), '-O',
reference_file_name])
except CalledProcessError:
# try fallback to bintray
print("Warning: Download from jcenter failed. Trying bintray directly...")
check_call(['wget', '--no-verbose', get_url(versions, for_android, fallback=True), '-O',
reference_file_name])
# check if it was already build
if not os.path.isfile(file_name):
# build it first
if version is None:
check_call(['./build-obfs4proxy.py'])
else:
check_call(['./build-obfs4proxy.py', version])
# calculate hashes for both files
reference_hash = get_sha256(reference_file_name)
build_hash = get_sha256(file_name)
print("Reference sha256: %s" % reference_hash)
print("Build sha256: %s" % build_hash)
# compare hashes
suffix = " for Android" if for_android else ""
if reference_hash == build_hash:
print("obfs4proxy%s version %s was successfully verified! \o/" % (suffix, tool_version))
return True
else:
print("Hashes for obfs4proxy%s version %s do not match! :(" % (suffix, tool_version))
return False
def get_url(versions, for_android, fallback=False):
version = get_obfs4_version(versions)
directory = "obfs4proxy-android" if for_android else "obfs4proxy"
file = get_final_file_name(versions, for_android)
if not fallback:
return "https://jcenter.bintray.com/org/briarproject/%s/%s/%s" % (directory, version, file)
else:
return "https://dl.bintray.com/briarproject/org.briarproject/org/briarproject/%s/%s/%s" % \
(directory, version, file)
if __name__ == "__main__":
main()
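Review bot: In `verify()`, the `if not os.path.isfile(file_name)` check skips the build whenever a file with the expected name already sits in the working directory, so the hash that is compared may belong to a stale artifact or to a copy of the published binary rather than to a fresh build from source. That weakens what "successfully verified" means for a reproducibility check; either always rebuild, or make the reuse visible with an else branch such as `print("Note: reusing existing %s, not rebuilding" % file_name)`. Separately, `\o/` in the success message is an invalid escape sequence in a normal string literal and is better written `\\o/`. `fail` is imported from `utils` but not used in the lines shown.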