Open xinbenlv opened 5 years ago
Go does not support bit for bit deterministic builds, so the best you can do is build it yourself.
Ooops, that's a hammer. May I ask, technically, what approach a crypto/security community like keybase.io uses to verify a build?
Currently builds are signed by Keybase.
Security around Keybase's signing key is unknown.
Keybase has auto-updates enabled by default.
The reason being, Keybase is primarily geared towards non-tech people.
Tech people can easily build Keybase for themselves, removing any need for some build verification.
See Bitcoin's build process for an example of a good compromise.
Thanks for the explanation.
I see. I am a developer myself, but I also want to be able to safely rely on what Keybase built without always needing to rebuild it myself. A build provided by Keybase, but verifiable if in question, would be ideal.
I can totally understand that sometimes such a solution is unavailable. Thank you for taking the time to explain.
Regarding the solution's feasibility, it seems there is some discussion about a Dockerized solution to reproduce the Go build.
Go does not support bit for bit deterministic builds, so the best you can do is build it yourself.
This is not strictly true, it's generally possible to reproduce anything as long as you can account for the variations in the compiler. In the https://reproducible-builds.org/ initiative, we have managed ways to reproduce binaries, including golang ones -- the main thing to keep in mind is the use of:
-gcflags="all=-trimpath=$GOPATH" -asmflags="all=-trimpath=$GOPATH"
to strip the build directory. You'll also need to check you're using the same version of the compiler (easily done if you're compiling from a Linux distribution package or the official go prebuilt compiler binaries).
Other concerns are the electron GUI application, but since it uses yarn to build, this should be reproducible too.
So I guess the question is probably, "does Keybase publish the metadata for the go compiler version their build server uses?"
...
I would point you to the https://tests.reproducible-builds.org/archlinux/archlinux.html results for my keybase packages, but currently those fail to build at all because one of the variations our reproducible buildbot performs is the date, so contacting the yarnpkg registry triggers an SSL error.
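As an added example (not code from this thread, from Keybase or from reproducible-builds.org), the following POSIX shell script applies the flags described above: it builds a Go module twice with the build path stripped, prints the toolchain metadata a verifier would need to publish, and compares the two binaries by SHA-256. It assumes a Go toolchain and `sha256sum` on PATH and a module directory passed as the first argument; `CGO_ENABLED=0` is an added assumption to remove the C toolchain as a source of variation.

```shell
#!/bin/sh
# Added example: check that a Go build is byte-for-byte reproducible.
set -eu

# Build the module in $1 into the output path $2 with the GOPATH-based build
# directory stripped from the binary (the -gcflags/-asmflags usage from the thread).
build_stripped() {
    mod_dir=$1; out=$2
    gp=${GOPATH:-$(go env GOPATH)}
    ( cd "$mod_dir" && CGO_ENABLED=0 go build \
        -gcflags="all=-trimpath=$gp" -asmflags="all=-trimpath=$gp" \
        -o "$out" . )
}

# Print the toolchain facts a verifier must match: compiler version and target.
record_toolchain() {
    go version
    go env GOOS GOARCH CGO_ENABLED
}

# Compare two files by SHA-256; prints both digests, returns 0 only when equal.
same_digest() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$a" "$1" "$b" "$2"
    [ "$a" = "$b" ]
}

# Demo: build the given module twice into fresh output paths and compare.
# Skipped when no module directory is given or no Go toolchain is installed.
if [ -n "${1:-}" ] && command -v go >/dev/null 2>&1; then
    work=$(mktemp -d)
    record_toolchain
    build_stripped "$1" "$work/build1"
    build_stripped "$1" "$work/build2"
    if same_digest "$work/build1" "$work/build2"; then
        echo "reproducible: both builds have the same SHA-256"
    else
        echo "NOT reproducible: digests differ (check compiler version, GOPATH, CGO)"
        exit 1
    fi
fi
```

Run it as `sh repro-check.sh /path/to/module`; a digest mismatch between two builds in the same environment points at a variation (compiler version, build path, cgo) that still needs to be pinned.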
Thank you @eli-schwartz, cool. Then do you think this issue will be a good Keybase feature request?
Personally, I have been searching for a real e2e-encrypted, safe and also convenient IM solution. Keybase currently looks the best. Neither Telegram nor WhatsApp is open source, let alone verifiable. Instead, Keybase is open source. It's one step from fully verifiable. If the binary is verifiable by reproducible build, it means a full code audit is possible and paves the way for individual, government and big institutional companies' adoption as a truly trusted IM. Plus Keybase has e2e-encrypted group messages, so it looks the best to me.
There are a few different options in the fully open-source messaging ecosystem. You could look at e.g. matrix too.
As far as reproducible builds for keybase go, I would like to see reproducible builds of everything, but I might be a bit biased since I'm a member of the reproducible-builds.org organization. But I think it's quite feasible.
I'd like to note that on my own laptop I can successfully build keybase (the three community packages listed here: https://keybase.io/docs/the_app/install_linux#arch-linux) twice in a more or less identical environment (distribution packages are built in a documented homogeneous environment) and produce the same byte-identical artifacts.
My community is looking for a secure communication solution. Keybase seems very promising. In particular, it allows signup (identifying yourself) with PGP pubkeys, and its code is open-sourced, great!
Now a last-mile question is: where do I find the documentation on how to build & install a client from source code and check that its checksum matches your released binary for download?