Creating some public database of "reproduced builds"
Checking that our builds have been reproduced by several people is currently a mostly manual process. To make it easier, more automated (so that the updater or a launcher could rely on it) and usable at a larger scale (checking that a large number of people reproduced a given build), we could have a tool that indexes the builds created by various people.
This could be done by adding the generation of buildinfo files (similar to Debian's .buildinfo files) to our build process. Each file would contain the important information about a build, such as its inputs and the hashes of its outputs, and the files would be indexed, together with their builders' signatures, in a database.
This database would contain records of the following types of builds or operations, each signed by the builder who performed it:
- the build of a bundle from a git tag
- the creation of a signed mar file from an unsigned mar (or the reverse operation)
- the creation of an OS X code-signed mar file from an unsigned mar (or the reverse operation)
- the creation of an incremental mar file from two full mar files
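As an added illustration of how such an index could be queried (this is example code, not the Tor Browser build process or any existing tool), the following sketches a buildinfo-style record, an index keyed by output hash, and a check a launcher could run: walk a given artifact back to the git tag it was built from, requiring every hop to have been reproduced by at least N distinct builders who agree on exactly the same inputs and outputs. The "reverse operation" is modelled as evidence for the same link as its forward counterpart, so a verifier without the signing key who strips the signature and recovers the unsigned mar counts towards the signing hop. The operation and field names, the forward/reverse mapping, the sample builders, tag name and artifact contents are all constructed for the example; records are assumed to have had their signatures checked before being indexed. Operations with several inputs (an incremental mar from two full mars) are handled by the same walk, which must reach a tag through every predecessor.

```python
"""Added example: buildinfo-style records and a reproduction-threshold check.
Not code from the Tor Browser build process; names and data are constructed."""
import hashlib
import json
from collections import defaultdict

# Operation names and field names below are assumptions for this example.
BUILD_FROM_TAG = "bundle-from-git-tag"
# A reverse operation (stripping a mar signature) asserts the same link as its
# forward counterpart, so both are indexed under the forward form.
FORWARD_OF = {"strip-mar-signature": "sign-mar"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_buildinfo(builder: str, operation: str, inputs: dict, outputs: dict) -> dict:
    """One buildinfo-style record. inputs: name -> git tag or sha256 hex of an
    input artifact; outputs: name -> artifact bytes (only the hash is kept)."""
    return {
        "builder": builder,
        "operation": operation,
        "inputs": dict(sorted(inputs.items())),
        "outputs": {k: sha256_hex(v) for k, v in sorted(outputs.items())},
    }


def link_key(record: dict) -> tuple:
    """Canonical (operation, inputs, outputs) a record asserts, with reverse
    operations flipped so the signer's 'sign-mar' record and a verifier's
    'strip-mar-signature' record produce the same key."""
    op, ins, outs = record["operation"], record["inputs"], record["outputs"]
    if op in FORWARD_OF:
        op, ins, outs = FORWARD_OF[op], outs, ins
    return (op, json.dumps(ins, sort_keys=True), json.dumps(outs, sort_keys=True))


class BuildIndex:
    def __init__(self):
        # output hash -> link key -> builders asserting that link
        self.links = defaultdict(lambda: defaultdict(set))
        self.bodies = {}  # link key -> (operation, inputs dict)

    def add(self, record: dict) -> None:
        key = link_key(record)
        self.bodies[key] = (key[0], json.loads(key[1]))
        for out_hash in json.loads(key[2]).values():
            self.links[out_hash][key].add(record["builder"])

    def reproducers(self, output_hash: str) -> set:
        """Every builder that asserted some operation producing this hash."""
        return set().union(*self.links.get(output_hash, {}).values())

    def verify_chain(self, output_hash: str, min_builders: int, _seen=frozenset()) -> set:
        """Return the git tag(s) the artifact descends from, or raise ValueError.
        Each hop needs >= min_builders distinct builders agreeing on the exact
        same inputs and outputs; hops below the threshold are ignored."""
        if output_hash in _seen:  # guard against malformed cyclic records
            raise ValueError(f"cycle at {output_hash[:12]}")
        _seen = _seen | {output_hash}
        errors = []
        for key, builders in self.links.get(output_hash, {}).items():
            if len(builders) < min_builders:
                errors.append(f"{key[0]}: {len(builders)} builder(s), need {min_builders}")
                continue
            op, ins = self.bodies[key]
            if op == BUILD_FROM_TAG:
                return {ins["git_tag"]}
            try:
                tags = set()
                for pred in ins.values():  # every predecessor must reach a tag
                    tags |= self.verify_chain(pred, min_builders, _seen)
                return tags
            except ValueError as e:
                errors.append(f"{key[0]} -> {e}")
        detail = "; ".join(errors) if errors else "no records"
        raise ValueError(f"{output_hash[:12]}: not reproduced ({detail})")


def demo() -> dict:
    """Constructed sample data: three builders reproduce the bundle, the release
    signer signs it, one verifier confirms the signed mar by stripping the
    signature, and 'mallory' produces something else from the same tag."""
    tag = "tbb-example-tag"           # constructed tag name
    unsigned = b"unsigned mar bytes"  # constructed artifact contents
    signed = unsigned + b"<signature>"
    rogue = b"something else"
    idx = BuildIndex()
    for b in ("alice", "bob", "carol"):
        idx.add(make_buildinfo(b, BUILD_FROM_TAG, {"git_tag": tag}, {"unsigned_mar": unsigned}))
    idx.add(make_buildinfo("mallory", BUILD_FROM_TAG, {"git_tag": tag}, {"unsigned_mar": rogue}))
    u, s = sha256_hex(unsigned), sha256_hex(signed)
    idx.add(make_buildinfo("release-signer", "sign-mar", {"unsigned_mar": u}, {"signed_mar": signed}))
    # alice has no signing key; she records the reverse operation instead
    idx.add(make_buildinfo("alice", "strip-mar-signature", {"signed_mar": s}, {"unsigned_mar": unsigned}))
    return {"index": idx, "tag": tag, "unsigned": u, "signed": s, "rogue": sha256_hex(rogue)}


if __name__ == "__main__":
    d = demo()
    print(d["index"].verify_chain(d["signed"], 2))
```

A launcher would call `verify_chain` on the hash of the mar it is about to install, with a threshold chosen by policy; a builder who diverges from the others (mallory above) ends up in a separate group under the same tag and never contributes to the honest group's count, which is what makes the threshold meaningful.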