The NPM package, Android apk builds, Linux AppImage/snap/tar.gz builds, macOS zip builds and Windows exe installer are deterministically reproducible.
The Android apk, Linux deb and Windows portable runner are currently not. :-(
A Dockerfile for reproducing the builds is available at scripts/builder.Dockerfile.
It can be used as follows:
$ git clone https://github.com/shesek/spark-wallet && cd spark-wallet
$ docker build -f scripts/builder.Dockerfile -t spark-builder .
$ docker run --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined \
-it -v `pwd`/docker-builds:/target spark-builder
The distribution files and a SHA256SUMS file will be created in ./docker-builds/.
You need FUSE on your host (apt install fuse) and the --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined args to enable FUSE in the docker container, which is required for making reproducible Android apk builds (using disorderfs, see [1] [2] [3] [4]). If you don't care about apk reproducibility, you can run docker without these args.
The npm package should be reproducible even without docker.
It should be sufficient to use a recent nodejs release (the official releases are made with nodejs v16.8.0 and npm v7.21.0).
Run npm run dist:npm -- --pack-tgz to create spark-wallet-[x.y.z]-npm.tgz in the main directory.
The npm-shrinkwrap.json file inside the npm package commits to integrity checksums for the entire dependency graph using Subresource Integrity.
The builds are reproduced on Travis-CI. The SHA256 checksums are available at the end of the job log.
You can get the checksums for the last stable release as follows:
$ jobid=$(curl -s 'https://api.travis-ci.org/v3/repo/shesek%2Fspark-wallet/builds?branch.name=stable&sort_by=started_at:desc&limit=1' | jq -r '.builds[0].jobs[0].id')
$ curl -s https://api.travis-ci.org/v3/job/$jobid/log.txt | sed -nr '/^-----BEGIN SHA256SUM-----\s*$/{:a;n;/^\s*$/q;p;ba}'
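To check a local reproduction against the CI checksums, the two lists can be compared file by file. The function below is an added example, not part of the spark-wallet scripts; it assumes both inputs use the sha256sum line format (64 hex characters, two separator characters, then the file name), and travis.SHA256SUMS is a hypothetical name for a file holding the output of the command above.

```shell
# compare_sums <reference-sums> <local-sums>
# Prints one status line per file and returns non-zero if any file
# differs, is missing locally, or is not listed in the reference.
# Hypothetical usage:
#   compare_sums travis.SHA256SUMS docker-builds/SHA256SUMS
compare_sums() {
  awk '
    # Skip blank or truncated lines: a valid entry is at least
    # 64 hex chars + 2 separator chars + 1 char of file name.
    length($0) < 67 { next }
    {
      hash = tolower(substr($0, 1, 64))
      name = substr($0, 67)          # keeps file names containing spaces
    }
    # First file on the command line is the reference list.
    FILENAME == ARGV[1] { want[name] = hash; next }
    # Second file is the locally reproduced list.
    {
      seen[name] = 1
      if (!(name in want))         { print "EXTRA    " name; bad = 1 }
      else if (want[name] != hash) { print "MISMATCH " name; bad = 1 }
      else                         { print "OK       " name }
    }
    END {
      # A file the reference lists but the local build lacks is a failure too.
      for (n in want) if (!(n in seen)) { print "MISSING  " n; bad = 1 }
      exit bad + 0
    }' "$1" "$2"
}
```

An empty or unreadable reference list makes every local file show up as EXTRA, so the check fails closed.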