anza-xyz / agave

Web-Scale Blockchain for fast, secure, scalable, decentralized apps and marketplaces.
https://www.anza.xyz/
Apache License 2.0

Feature Request - Add Verifiable Builds to the Solana CLI #23

Open jacobcreech opened 6 months ago

jacobcreech commented 6 months ago

Problem

Being able to create verifiable builds and prove your smart contract code deployed is the same code as displayed on GitHub or an explorer is incredibly important. Today developers deploying programs have to go install a separate CLI to create a verifiable build and upload it.

Proposed Solution

Integrate Verifiable Builds into the Solana CLI as part of solana program deploy. Verifiable build should add information to security.txt so that people can manually verify and not have to rely on uploading to an indexer.

jacobcreech commented 4 months ago

@joncinque would you want this to work without docker before getting added to the CLI?

joncinque commented 4 months ago

That would be ideal, since if it requires docker, we introduce a very heavy dependency to building programs. Think of the docs updates :sweat_smile:

jacobcreech commented 1 month ago

@joncinque Ottersec created a program for storing the verified build hash onchain https://github.com/otter-sec/otter-verify. This is to avoid accidentally creating a centralized entity for storing verified build hashes for distribution. We would need to push the hash onchain every time we do a solana-verify.

IMO it'd be ok to have the solana-verify bin in the Solana Tool Suite for devs to have easy access to, but not as a default part of the solana program deploy until it removes a dependency on docker. WDYT?

joncinque commented 1 month ago

Ah finally someone made a program to do this! I definitely want to see people using it as much as possible. For including solana-verify in the tool suite, I'll need to take some time to see how much maintenance it'll require from our side.

Right now, it seems like the biggest annoyance is updating the docker images. For example, I tried a build using 2.0 and it fell back to 1.18. Whenever we deploy a new version of the tools, we'll also need to push a new docker image. If we can automate that in our pipeline, we could certainly take over some of the maintenance.

jacobcreech commented 1 month ago

It looks like Jarry has a script for auto-generating all the docker files given a Rust version and Solana version https://github.com/Ellipsis-Labs/solana-verifiable-build/blob/master/generate_dockerfiles.py

This should make it pretty easy to maintain.

joncinque commented 1 month ago

Ok great!