Reproducible Builds regression: dns-fallback.json

[kpcyrd]

Using a supported version?

• [X] I have searched searched open and closed issues for duplicates.
• [X] I am using Signal-Desktop as provided by the Signal team, not a 3rd-party package.

Overall summary

Arch Linux is very far in implementing reproducible builds and has multiple independent groups that compare the official binaries with the binaries they compiled on their own computers.

This has been working fine for signal-desktop the last few years, today I noticed signal-desktop is currently listed as "not reproducible" on https://reproducible.archlinux.org/ (the instance that is run by Arch Linux staff):

The rebuilder has generated a semantic diff (although it doesn't understand .asar that well):

https://web.archive.org/web/20240311104937/https://reproducible.archlinux.org/api/v0/builds/594200/diffoscope

This might be somewhat difficult to read, most of the differences are an offset being off-by-one, but the first difference seems to be:

│ │  00072d70: 3238 3834 3634 3832 227d 2c22 646e 732d  28846482"},"dns-
│ │  00072d80: 6661 6c6c 6261 636b 2e6a 736f 6e22 3a7b  fallback.json":{
│ │ -00072d90: 2273 697a 6522 3a34 3530 312c 2269 6e74  "size":4501,"int
│ │ +00072d90: 2273 697a 6522 3a34 3530 322c 2269 6e74  "size":4502,"int
│ │  00072da0: 6567 7269 7479 223a 7b22 616c 676f 7269  egrity":{"algori
│ │  00072db0: 7468 6d22 3a22 5348 4132 3536 222c 2268  thm":"SHA256","h

So the content of dns-fallback.json became 1 byte larger in the second build.

Ater a quick search in the source code I found ts/scripts/generate-dns-fallback.ts which seems to define how this file is generated.

The content of build/dns-fallback.json as currently distributed by Arch Linux:

[
  {
    "domain": "cdn.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "52.85.243.122"
      },
      {
        "family": "ipv4",
        "address": "52.85.243.45"
      },
      {
        "family": "ipv4",
        "address": "52.85.243.48"
      },
      {
        "family": "ipv4",
        "address": "52.85.243.51"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:0:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:3800:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:5a00:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:6000:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:6e00:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:ca00:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:d000:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:e800:1d:4f32:50c0:93a1"
      }
    ]
  },
  {
    "domain": "cdn2.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "104.18.37.148"
      },
      {
        "family": "ipv4",
        "address": "172.64.150.108"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::6812:2594"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::ac40:966c"
      }
    ]
  },
  {
    "domain": "cdn3.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "104.18.37.148"
      },
      {
        "family": "ipv4",
        "address": "172.64.150.108"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::6812:2594"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::ac40:966c"
      }
    ]
  },
  {
    "domain": "cdsi.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "40.122.45.194"
      },
      {
        "family": "ipv6",
        "address": "2603:1030:7::1"
      }
    ]
  },
  {
    "domain": "chat.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "13.248.212.111"
      },
      {
        "family": "ipv4",
        "address": "76.223.92.165"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:a507:ab6d:4ce3:2f58:25d7:9cbf"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:a61f:527c:d5eb:a431:5239:3232"
      }
    ]
  },
  {
    "domain": "create.signal.art",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "3.212.48.146"
      },
      {
        "family": "ipv4",
        "address": "34.225.135.26"
      },
      {
        "family": "ipv4",
        "address": "34.237.179.85"
      },
      {
        "family": "ipv4",
        "address": "44.207.181.6"
      },
      {
        "family": "ipv4",
        "address": "52.204.93.252"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a400:de47:813d:5ced:e4ad"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a401:5c61:96fd:2912:fd11"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a402:8d24:5bdf:4599:d940"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a403:2b1b:7db6:c854:78e2"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a404:6629:1881:83cc:3cfa"
      }
    ]
  },
  {
    "domain": "sfu.voip.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "35.244.140.160"
      },
      {
        "family": "ipv6",
        "address": "2600:1901:0:feb2::"
      }
    ]
  },
  {
    "domain": "storage.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "142.250.74.115"
      },
      {
        "family": "ipv6",
        "address": "2a00:1450:400f:805::2013"
      }
    ]
  },
  {
    "domain": "updates2.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "104.18.43.97"
      },
      {
        "family": "ipv4",
        "address": "172.64.144.159"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::6812:2b61"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::ac40:909f"
      }
    ]
  }
]

It seems storage.signal.org has changed from 142.250.74.115 to 142.250.181.211 (causing the 1 byte increase).

Embedding this kind of data is generally fine in Arch Linux, however could this file be attached to the github release as an artifact? The "official" dns-fallback.json is currently only available inside of the official signal-desktop .deb. :)

Currently these build instructions are used:

git lfs install
cd sticker-creator
yarn install
cd ..
yarn install --ignore-engines

Suggestions on how to edit this very welcome! 🫶

This is somewhat related to #6814.

Thanks!

Steps to reproduce

• Build from source code
• Wait for dns records to update
• Build from source again (same source code, same build environment)

Expected result

• Identical signal-desktop binaries

Actual result

• signal-desktop binaries differ

Screenshots

Signal version

7.1.1

Operating system

Arch Linux

Version of Signal on your phone

No response

Link to debug log

No response

[kpcyrd]

I've setup a project that automatically extracts the official dns-fallback.json from updates.signal.org and makes it available on github as a release artifact:

https://github.com/kpcyrd/signal-desktop-dns-fallback-extractor

The dns-fallback.json for each signal-desktop release can be downloaded like this:

https://raw.githubusercontent.com/kpcyrd/signal-desktop-dns-fallback-extractor/${pkgver}/dns-fallback.json