Normalized, Deterministic OSX SDK tarball #10170

issue wtogami opened this issue on April 7, 2017
  1. wtogami commented at 11:13 PM on April 7, 2017: contributor

    https://github.com/bitcoin/bitcoin/blob/master/doc/README_osx.md

    The process to assemble the OSX SDK tarball needed by the gitian deterministic build process for OSX binaries currently generates a non-deterministic tarball.

    We want to improve this by making the script normalize the content of the tarball. This means file order, usernames, timestamps and possibly other things need to be standardized (maybe to what was in the original DMG?). The end goal is to output a tarball that has the same sha256 hash no matter who runs the script.

    This is an opportunity for non-C++ developers to contribute to Bitcoin Core development.

  2. fanquake added the label Build system on Apr 7, 2017
  3. fanquake added the label MacOSX on Apr 7, 2017
  4. luke-jr commented at 7:58 AM on April 8, 2017: member

    On the other hand, having it non-deterministic has an added benefit of being able to tell who is merely copying their SDK from someone else...

  5. laanwj commented at 8:05 AM on April 8, 2017: member

    On the other hand, having it non-deterministic has an added benefit of being able to tell who is merely copying their SDK from someone else...

    That only works as long as people are not aware. It's trivially bypassed by un-tarring and re-tarring.

  6. luke-jr commented at 8:08 AM on April 8, 2017: member

    Sure, I'm assuming no malice. If we were to assume malice, who knows if a signer is just re-signing someone else's assert file. :p

  7. laanwj commented at 8:09 AM on April 8, 2017: member

    In any case a deterministic SDK tar means it can be checked on entry to gitian like other inputs, which is more of an advantage than that would be a disadvantage, IMO.

  8. wtogami commented at 7:11 PM on April 10, 2017: contributor

    On the other hand, having it non-deterministic has an added benefit of being able to tell who is merely copying their SDK from someone else...

    The bigger issue is the need to blindly trust the binary blobs you get from Apple. If you choose to use OSX you have no choice but to trust their binary blobs as you are using their hardware, their firmware, their operating system.

    In any case a deterministic SDK tar means it can be checked on entry to gitian like other inputs, which is more of an advantage than that would be a disadvantage, IMO.

    Exactly.

  9. Leviathn commented at 7:32 AM on September 12, 2017: none

    @wtogami has any progress on this been made?

  10. fanquake commented at 9:38 AM on April 26, 2020: member

    I'm going to close this in favour of #18674, which should solve this issue.

  11. fanquake closed this on Apr 26, 2020
  12. DrahtBot locked this on Feb 15, 2022
Contributors
wtogamiluke-jrlaanwjLeviathnfanquake
Labels
macOSBuild system
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-21 18:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me