We currently distribute binary releases that people can use to download and install MacVim. We should add reproducible builds so that the binary we release is deterministic and reproducible and can be easily built on a local machine by any third party in an identical fashion.
Some motivations include the fact that supply chain attacks are real and while MacVim is unlikely a high-value target, it's still useful to reduce the likelihood of such problem happening to begin with. Also, with the deprecation of the macos-12 GitHub Action runner we will need to find another way to build the legacy MacVim binaries (either via a custom VM, or another CI service like Circle CI), and it would be nice to have some standard way to compare the generated artifacts and to have trust in the process working.
Note that we distribute signed apps, which is signed by a private key that only the maintainer controls, so it's impossible to have an artifact (MacVim.app) that can be compared bit-by-bit to a local build. We will need to use a script to resign the app to an ad-hoc signature (basically a signature without any cryptographic proof that is used for local compiles) before comparing.
[ ] Use relative paths for debug symbols and reproducible linker flags when building Vim
[ ] Use SOURCE_DATE_EPOCH to make builds not dependent on date/time.
[ ] Add documentation, and refactor build scripts (also necessary when adding another CI system) to make it more easily to build locally with the same flags.
[ ] Add CI output artifacts that contain necessary environment info.
[ ] Add script to re-sign with ad-hoc signature and compare the results.
[ ] CI test to validate reproducible builds.
[ ] Test in older versions of Xcode to make sure didn't break anything.
Related:
[ ] Add support for exporting dSYM files as part of build steps. These contain debug symbols and help diagnose crash issues for users. Make sure to use relative paths as it's necessary for reproducibility.
We currently distribute binary releases that people can use to download and install MacVim. We should add reproducible builds so that the binary we release is deterministic and reproducible and can be easily built on a local machine by any third party in an identical fashion.
Some motivations include the fact that supply chain attacks are real and while MacVim is unlikely a high-value target, it's still useful to reduce the likelihood of such problem happening to begin with. Also, with the deprecation of the macos-12 GitHub Action runner we will need to find another way to build the legacy MacVim binaries (either via a custom VM, or another CI service like Circle CI), and it would be nice to have some standard way to compare the generated artifacts and to have trust in the process working.
Note that we distribute signed apps, which is signed by a private key that only the maintainer controls, so it's impossible to have an artifact (MacVim.app) that can be compared bit-by-bit to a local build. We will need to use a script to resign the app to an ad-hoc signature (basically a signature without any cryptographic proof that is used for local compiles) before comparing.
SOURCE_DATE_EPOCHto make builds not dependent on date/time.Related: