Reproducible builds for macOS and Windows by crwood · Pull Request #337 · gridsync/gridsync
This PR adds a `make test-determinism` make target/command that sequentially "compiles" two PyInstaller bundles and compares their hashes against each other in order to verify the (local) reproducibility of the Gridsync build process. The files contained within the generated PyInstaller bundles are added (deterministically, with normalized file-permissions and timestamps) to an intermediate `Gridsync.zip` archive in order to facilitate further comparison and/or distribution of build outputs, while checks that do fail will have their outputs run through the diffoscope utility in order to identify any sources of variance between builds.
As it currently stands, this work is sufficient to demonstrate that PyInstaller "onedir" builds are indeed deterministic/reproducible on macOS and Windows -- so long as a) the `PYTHONHASHSEED` environment variable is set to a known value, b) the file-permissions and timestamps of the files within the bundle are normalized in advance (e.g., by using the scripts contained in this PR and #329), and c) any relevant components in the build environment remain otherwise unchanged between builds.
Importantly, while this PR makes it possible to easily verify that a given on-disk install of Gridsync is bit-for-bit identical with that built on a separate system (since the hash of the archive of the installed instance will now match the hash of the intermediate archive built by, e.g., Buildbot or GitHub Actions), in the case of macOS, both codesigned application bundles and disk images (.dmg files) contain timestamps that naturally jeopardize the determinism of the resultant files. Accordingly, the scope of this PR should be understood to only demonstrate the reproducibility of the PyInstaller-generated binaries and related build processes on a given host environment; it does not offer a means of generating reproducible .dmg files, nor does it provide tooling for, e.g., stripping away any codesign signatures prior to verification. Any such efforts will need to be made separately and later.
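The normalization and hash comparison described in this PR can be illustrated with the following added example, which is not code from this PR or from Gridsync. The fixed timestamp, the function names and the sample bundle contents are assumptions made for illustration.

```python
import hashlib
import io
import os
import tempfile
import zipfile
from pathlib import Path

FIXED_DATE = (2021, 1, 1, 0, 0, 0)  # assumed constant; any fixed value works


def bundle_digest(src_dir, normalize=True):
    """SHA-256 of a zip of src_dir; normalize=True fixes order, mtimes, modes."""
    root, buf = Path(src_dir), io.BytesIO()
    # Sort by archive name: directory enumeration order varies by filesystem.
    files = sorted((p.relative_to(root).as_posix(), p) for p in root.rglob("*") if p.is_file())
    with zipfile.ZipFile(buf, "w") as zf:
        for name, path in files:
            if not normalize:  # naive: keeps the on-disk mtime and mode
                zf.write(path, name, zipfile.ZIP_DEFLATED)
                continue
            info = zipfile.ZipInfo(name, FIXED_DATE)
            mode = 0o755 if path.stat().st_mode & 0o111 else 0o644  # exec bit only
            info.external_attr = (0o100000 | mode) << 16
            info.create_system = 3  # record "Unix" regardless of build host
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, path.read_bytes())
    return hashlib.sha256(buf.getvalue()).hexdigest()


def make_bundle(parent, name, mtime, mode):  # constructed sample input
    root = Path(parent, name)
    (root / "lib").mkdir(parents=True)
    for rel, data in (("lib/mod.pyc", b"\x00bytecode"), ("sample-bin", b"\x7fELF")):
        target = root / rel
        target.write_bytes(data)
        os.chmod(target, mode)
        os.utime(target, (mtime, mtime))
    return str(root)


def demo():
    """Return (normalized digests match, naive digests match) for two builds."""
    with tempfile.TemporaryDirectory() as tmp:
        a = make_bundle(tmp, "a", 1_600_000_000, 0o644)
        b = make_bundle(tmp, "b", 1_700_000_000, 0o600)
        return tuple(bundle_digest(a, n) == bundle_digest(b, n) for n in (True, False))


if __name__ == "__main__":
    print(demo())
```

The two sample bundles hold identical bytes but differ in mtime and mode, so only the normalized archives hash the same; the compressed output still depends on the zlib version, which falls under condition c) above.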