Skip to content

Reproducible Build

Jump to bottom
Alejandro Cavallero edited this page Mar 8, 2019 · 41 revisions

Gradle building

Setup instructions for gradle build in docker container.

This is a deterministic build process used to build RSK node JAR file. It provides a way to be reasonable sure that the JAR is built from GitHub RskJ repository. It also makes sure that the same tested dependencies are used and statically built into the executable.

It's strongly suggested to follow the steps by yourself to avoid any kind of contamination in the process.

Table of Contents

Install Docker

Depending on your OS, you can install Docker following the official Docker guide:

Build Container

Create a Dockerfile to setup the build environment

FROM ubuntu:16.04

RUN apt-get update -y && \
    apt-get install -y git curl gnupg-curl openjdk-8-jdk && \
    rm -rf /var/lib/apt/lists/* && \
    apt-get autoremove -y && \
    apt-get clean

If you are not familiar with Docker or the Dockerfile format: what this does is use the Ubuntu 16.04 base image and install git, curl, gnupg-curl and openjdk-8-jdk, required for building RSK node. You will notice that openjdk-8-jdk has a fixed version numbers in order to avoid problems caused by newer packages upstream.

The next step is to create an actual image from this Dockerfile running the following command:

sudo docker build -t buildmachine .

Run build

To run the reproducible build in our reproducible environment you need a fresh cloned RskJ repository placed in the RskJ wanted version.

As an example, to clone tag ORCHID-0.6.1:

git clone --branch ORCHID-0.6.1 https://github.com/rsksmart/rskj.git

Then place on the RskJ repository root directory run:

sudo docker run -v $(pwd):/rskj -w /rskj buildmachine:latest sh -c 'gpg --keyserver https://secchannel.rsk.co/release.asc --recv-keys 5DECF4415E3B8FA4 && gpg --finger 5DECF4415E3B8FA4 && gpg --verify SHA256SUMS.asc && sha256sum --check SHA256SUMS.asc && ./configure.sh && ./gradlew clean build -x test && sha256sum /rskj/rskj-core/build/libs/*'

Note: if you are using Windows, replace $(pwd) with /`pwd` .

This may take several minutes to complete. What is done is:

  • Place in the RskJ repository root because we need Gradle and the project.
  • -v $(pwd):/rskj mount our current directory to the /rskj directory in the container.
  • -w /rskj sets /rskj as the working directory in the container.
  • buildmachine:latest means that we use the lastest version with the tag buildmachine.
  • Runs the secure chain verification process.
  • Compile a reproducible RskJ node.
  • /gradlew clean build -x test builds without running tests.

Check Results

After running the build process, a JAR file will be created in ./rskj-core/build/libs/

You can check the SHA256 sum of the result file and compare it to the one published by RSK for that version.

7b218742eabe2b477c5d0328d78983015f782f8023db12f1e3d1ec90e9db7927  /rskj/rskj-core/build/libs/rskj-core-0.6.1-ORCHID-all.jar
809471ea516437c44e8f7d59e331488b91251ebbab4869bd8c51ed1c482f1cab  /rskj/rskj-core/build/libs/rskj-core-0.6.1-ORCHID-sources.jar
acf2733fbd24cd4145c838f66bc14102d77d825f23cebd45c2a29be7c6cd94b7  /rskj/rskj-core/build/libs/rskj-core-0.6.1-ORCHID.jar
26957e775e935d808e01e99db2af5e509ef5a41ee052e14dc95bf71c0a24e870  /rskj/rskj-core/build/libs/rskj-core-0.6.1-ORCHID.pom

For SHA256 sum of older versions check the releases page.

If you check inside the JAR file, you will find that the dates of the files are the same as the version commit you are using.

Developers Portal

Clone this wiki locally