Add reproducible build setup (#15)

xxuejie · web-flow · commit f59b6e92dc4d · 2025-09-08T18:31:37.000+08:00
* Add reproducible build setup

* Fix CI

* Skip unsupported LDFLAGS in macOS

* Restore to latest LLVM

* Fix typo

* Yet another fix

* Try using lld on macOS

* Use lld linker

* Update rust.yml

macOS uses a different LLVM version, so we will skip the fmt part since different clang version might format the code differently

* Fix description
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -23,6 +23,17 @@ jobs:
     - name: git diff
       run: git diff --exit-code
 
+  reproducible-build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        submodules: "true"
+    - name: Reproducible build
+      run: ./scripts/reproducible_build_docker
+
   macos-build:
 
     runs-on: macos-latest
@@ -34,7 +45,5 @@ jobs:
     - name: Install latest llvm & lld
       run: brew install llvm lld
     - uses: actions-rust-lang/setup-rust-toolchain@v1
-    - name: Prepare, build, test, clippy, format
-      run: make prepare build test clippy fmt
-    - name: git diff
-      run: git diff --exit-code
+    - name: Prepare, build, test, clippy
+      run: make prepare build test clippy
diff --git a/checksums.txt b/checksums.txt
@@ -0,0 +1,10 @@
+59a4c25e6185f906ba379db530fc08c1e1f8aa23db2bcb265a6ab321a0d5b527  build/release/c-sphincs-all-in-one-lock
+55fbe64ca9dfc17335ee9af56083dde6bbdf23c79a967d37805b8467b86d458e  build/release/c-sphincs-all-in-one-lock.debug
+313f3122a5ad662a9f7cf81d18d3ec4fd3ba3ea5af43fb3ac405844731d6306a  build/release/hybrid-sphincs-all-in-one-lock
+7cfd89954d36dc22381b3d5179eb7c75556abe8c576bf3551cdda3d5d60ace0d  build/release/hybrid-sphincs-all-in-one-lock.debug
+67e27355b90b19e4768ef83d771d085aaee451942eb84c88f7383e23e7ec80ac  build/release/nist-vector-tester
+a0999aac87383e8ac3191f6d9472d2e94b61e9077b1bcd00f510d6cf67e3ab7f  build/release/nist-vector-tester.debug
+fb6448fc699653474620c041b0be05b0393b612a023221010f39a61c47c9102f  build/release/spawn-exec-test-runner
+0ceeffed81973224e315953147012c3fe6a058f0f24c605fc53deefd7564d72b  build/release/spawn-exec-test-runner.debug
+45946de1491b199b2975b6c7bff7a5149e384337db1ced7a366c9ef7299f0884  build/release/sphincs-all-in-one-lock
+6dadb87af0433b1045a5271f1efca6420e1408df6668498043ca3e2a91c37c54  build/release/sphincs-all-in-one-lock.debug
diff --git a/contracts/c-sphincs-all-in-one-lock/Makefile b/contracts/c-sphincs-all-in-one-lock/Makefile
@@ -50,7 +50,11 @@ CFLAGS += --target=riscv64 -march=rv64imc_zba_zbb_zbc_zbs \
 CFLAGS += -I $(SPHINCS_PLUS_DIR) -I $(CUR_BUILD) -I $(cur_dir)/utils
 # CFLAGS += -DCKB_C_STDLIB_PRINTF
 
+OS := $(shell uname -s)
 LDFLAGS := -static -Wl,--gc-sections
+ifeq ($(OS),Darwin)
+	LDFLAGS += -fuse-ld=lld
+endif
 
 default: build
 
diff --git a/scripts/reproducible_build_docker b/scripts/reproducible_build_docker
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+#
+# An utility script helping with reproducible script builds via docker.
+# Note that this utility serves only as one example, docker is not
+# necessarily THE way to do reproducible build, nor is it the best way
+# to do reproducible build.
+set -ex
+
+DOCKER="${DOCKER:-docker}"
+# docker pull docker.io/cryptape/llvm-n-rust:20250617
+DOCKER_IMAGE="${DOCKER_IMAGE:-docker.io/cryptape/llvm-n-rust@sha256:d6d1f9a6656039273210de91913c828f5b4aa4a3282d2c93ed19bcb7bbf728fe}"
+CHECKSUM_FILE_PATH="${CHECKSUM_FILE_PATH:-checksums.txt}"
+
+# We are parsing command line arguments based on tips from:
+# https://stackoverflow.com/a/14203146
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -p|--proxy)
+      PROXY="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -u|--update)
+      UPDATE="yes"
+      shift # past argument
+      ;;
+    --no-clean)
+      NOCLEAN="yes"
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      echo "Unknown argument $1"
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -n "${PROXY}" ]]; then
+  DOCKER_RUN_ARGS="-e ALL_PROXY=${PROXY} -e HTTPS_PROXY=${PROXY} -e HTTP_PROXY=${PROXY} ${DOCKER_RUN_ARGS}"
+fi
+
+TASKS=""
+if [[ "${NOCLEAN}" != "yes" ]]; then
+  TASKS+=" clean "
+fi
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  TASKS+=" checksum CHECKSUM_FILE=${CHECKSUM_FILE_PATH} "
+else
+  TASKS+=" build "
+fi
+
+$DOCKER run --rm $DOCKER_RUN_ARGS -v `pwd`:/code $DOCKER_IMAGE make $TASKS
+# Reset file ownerships for all files docker might touch
+$DOCKER run --rm $DOCKER_RUN_ARGS -e UID=`id -u` -e GID=`id -g` -v `pwd`:/code $DOCKER_IMAGE bash -c 'chown -R -f $UID:$GID checksums.txt build target'
+
+if [[ "${UPDATE}" = "yes" ]]; then
+  echo "${CHECKSUM_FILE_PATH} file is updated with latest binary hashes!"
+else
+  shasum -a 256 -c ${CHECKSUM_FILE_PATH}
+fi
