mac build: attempt at "reproducible" codesigned builds

- added notes about reproducibility requirements - adapted build scripts from Bitcoin Core that can - extract signatures from a signed .app - apply previously extracted signatures to an unsigned .app
2021-07-19 06:28:27 +02:00
parent 71b02df832
commit f50882d8df
4 changed files with 211 additions and 27 deletions
--- a/contrib/osx/README.md
+++ b/contrib/osx/README.md
@@ -1,9 +1,8 @@
 Building macOS binaries
 =======================

-✗ _This script does not produce reproducible output (yet!).
-   Please help us remedy this.
-   [(see #7266)](https://github.com/spesmilo/electrum/issues/7266)_
+✓ _This binary should be reproducible, meaning you should be able to generate
+   binaries that match the official releases._

 This guide explains how to build Electrum binaries for macOS systems.

@@ -32,6 +31,20 @@ We currently build the release binaries on macOS 10.14.6, and these seem to run
 Before starting, make sure that the Xcode command line tools are installed (e.g. you have `git`).


+#### Notes about reproducibility
+
+- We recommend creating a VM with a macOS guest, e.g. using VirtualBox,
+  and building there.
+- The guest should run macOS 10.14.6 (that specific version).
+- The unix username should be `vagrant`, and `electrum` should be cloned directly
+  to the user's home dir: `/Users/vagrant/electrum`.
+- Builders need to use the same version of Xcode; and note that
+  full Xcode and Xcode commandline tools differ!
+  You should build with Xcode 11.3.1 (full Xcode).
+- Make sure that you are building from a fresh clone of electrum
+  (or run e.g. `git clean -ffxd` to rm all local changes).
+
+
 #### 1. Get Xcode

 Notarizing the application requires full Xcode
@@ -63,3 +76,18 @@ provide these env vars to the `make_osx` script:
    APPLE_ID_USER="me@email.com" \
    APPLE_ID_PASSWORD="1234" \
    ./contrib/osx/make_osx
+
+
+## Verifying reproducibility and comparing against official binary
+
+Every user can verify that the official binary was created from the source code in this 
+repository.
+
+1. Build your own binary as described above.
+2. Use the provided `compare_dmg` script to compare the binary you built with
+   the official release binary.
+    ```
+    $ ./contrib/osx/compare_dmg dist/electrum-*.dmg electrum_dmg_official_release.dmg
+    ```
+   The `compare_dmg` is only needed as the official release binary is codesigned and notarized.
+   Otherwise, the built dmg files should be byte-identical.