README.md 2.37 KB
Newer Older
Torsten Grote's avatar
Torsten Grote committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
# Tor Reproducer

This is a tool you can use to verify that the version of Tor
used by [Briar](https://briar.app) was built exactly from the public source code
and no modifications (such as backdoors) were made.

More information about these so called reproducible builds is available at
[reproducible-builds.org](https://reproducible-builds.org/).

The source code for this tool is available at
https://code.briarproject.org/briar/tor-reproducer

## How to use

Make sure the version of Tor you want to verify is included in `tor-versions.json`.

Verify that you have `docker` installed:

    docker --version

If this command does not work,
please [install Docker](https://docs.docker.com/install/)
and continue once it is installed.

### Using our pre-built image

If you trust that our pre-built Docker image was build exactly from *its* source,
you can use it for faster verification.
If not, you can read the next section to learn how to build the image yourself.
Torsten Grote's avatar
Torsten Grote committed
30
Then you are only trusting the official `debian:stable` image which is out of our control.
Torsten Grote's avatar
Torsten Grote committed
31 32 33 34 35 36 37 38 39 40 41 42 43 44 45

Otherwise, you can skip the next section and move directly to *Run the verification*.

### Building your own image

Check out the source repository:

    git clone https://code.briarproject.org/briar/tor-reproducer.git

Build our Docker image:

    docker build -t briar/tor-reproducer tor-reproducer

### Run the verification

Torsten Grote's avatar
Torsten Grote committed
46
To verify a specific version of Tor, run
Torsten Grote's avatar
Torsten Grote committed
47

48
    docker run briar/tor-reproducer:latest ./verify-tor.py [version]
Torsten Grote's avatar
Torsten Grote committed
49

50
Where `[version]` is the version of Tor you want to test, for example `0.3.3.6`.
Torsten Grote's avatar
Torsten Grote committed
51

52
You can find a list of versions in Tor's
Torsten Grote's avatar
Torsten Grote committed
53
[source code repository](https://gitweb.torproject.org/tor.git/refs/).
54 55 56 57
Just remove the `tor-` from `tor-0.3.3.6`.

If you leave out `[version]` it will build the latest version
that was registered in `tor-versions.json`.
58 59 60 61 62

In case there is an issue with the verification of an old build,
this *might* be caused by an update of the container.
You can try to use the original container by running:

Torsten Grote's avatar
Torsten Grote committed
63
    docker run briar/tor-reproducer:[version] ./verify-tor.py [version]
64 65 66 67 68 69 70

There should be a tag with the name `[version]` in this repository
that you could be used to reproduce the old container.
Note that this will not work if the issue is caused by an updated Debian package.

### Only build Tor

Torsten Grote's avatar
Torsten Grote committed
71
To build a specific version of Tor, run
72

Torsten Grote's avatar
Torsten Grote committed
73
    docker run briar/tor-reproducer:latest ./build-tor.py [version]