2016-10-16 18:50:37 -07:00
Zcash deterministic builds
==========================
This is a deterministic build environment for [Zcash ](https://github.com/zcash/zcash/ ) that uses [Gitian ](https://gitian.org/ ).
Gitian provides a way to be reasonably certain that the Zcash executables are really built from the exact source on GitHub and have not been tampered with. It also makes sure that the same, tested dependencies are used and statically built into the executable.
2018-04-02 11:08:26 -07:00
Multiple developers build from source code by following a specific descriptor ("recipe"), cryptographically sign the result, and upload the resulting signature. These results are compared and only if they match is the build accepted.
2016-10-16 18:50:37 -07:00
More independent Gitian builders are needed, which is why this guide exists.
Requirements
------------
2019-02-14 12:10:14 -08:00
6GB of RAM, four cores.
2016-10-16 18:50:37 -07:00
2019-04-16 15:50:32 -07:00
Note: This project uses VirtualBox to run a virtual machine. If you are running this inside a
virtual machine, you'll likely need to enable a feature such as “nested virtualization”, “VT-x”, or
similar in your virtualization software's settings for that virtual machine.
2018-04-23 12:56:06 -07:00
Install Dependencies
--------------------
2016-10-16 18:50:37 -07:00
2019-02-14 12:18:25 -08:00
If you're using one of the following platforms, see the linked instructions for that platform:
- [Debian 9.x ](dependency_install_steps_by_platform/Debian_9.x.md )
2018-05-07 10:37:42 -07:00
- [Ubuntu 18.04.x ](dependency_install_steps_by_platform/Ubuntu_18.04.x.md )
2019-03-22 09:44:41 -07:00
- [macOS ](dependency_install_steps_by_platform/macOS.md )
2019-02-14 12:18:25 -08:00
If you're not using one of the platforms that we have specific instructions for, this is the list of
dependencies we want. Please document the steps involved and we can add another platform to the list
above!
2016-10-18 20:41:43 -07:00
2018-04-23 12:56:06 -07:00
- [Git ](https://git-scm.com/ )
- [VirtualBox ](https://www.virtualbox.org/ )
2018-05-07 09:11:58 -07:00
- [Vagrant ](https://www.vagrantup.com/ ) 2.0.3 or higher
2019-03-26 20:16:25 -07:00
- [GnuPG ](https://www.gnupg.org/ ) 2.x (2.11.18 or greater)
2019-03-21 13:32:37 -07:00
- [Python ](https://www.python.org/ ) 3.x (with `venv` support in case that is packaged separately)
2019-03-21 11:19:24 -07:00
- [direnv ](https://direnv.net/ ) (Optional/Recommended)
2016-10-18 20:41:43 -07:00
2018-04-02 14:50:14 -07:00
2018-04-23 12:56:06 -07:00
Configuration
-------------
2018-04-02 14:50:14 -07:00
2018-04-23 12:56:06 -07:00
## Configure git
2018-04-02 14:50:14 -07:00
2018-04-23 12:56:06 -07:00
We want a configuration file in the home directory of the account you'll be working in. This will
determine how you are identified on the projects you contribute to. These settings can be overridden
on a per-project basis.
2018-03-22 08:38:15 -07:00
2018-04-23 12:56:06 -07:00
Git provides some convenient command options for setting this up:
2018-03-22 08:38:15 -07:00
2018-03-31 07:18:36 -07:00
```
2018-04-23 12:56:06 -07:00
$ git config --global user.name "Harry Potter"
$ git config --global user.email "hpotter@hogwarts.wiz"
2018-03-31 07:18:36 -07:00
```
2018-03-22 08:38:15 -07:00
2018-04-23 12:56:06 -07:00
Checking that this worked:
2018-03-22 08:38:15 -07:00
2018-03-31 07:21:09 -07:00
```
2018-04-23 12:56:06 -07:00
$ git config user.name
Harry Potter
$ git config user.email
hpotter@hogwarts.wiz
2018-03-31 07:21:09 -07:00
```
2018-03-22 08:38:15 -07:00
2019-03-21 11:42:59 -07:00
This is all the git configuration needed for the steps below, but here is a good reference for
further reading on configuring git:
2018-04-23 12:56:06 -07:00
https://git-scm.com/book/en/v2/Customizing-Git-Git-Configuration
2018-03-22 08:38:44 -07:00
2019-02-14 14:23:21 -08:00
## Decide on an ssh keypair to use when uploading build signatures to github
2018-04-23 12:56:06 -07:00
You can generate a keypair specifically for connecting to github like this:
2018-03-22 08:38:44 -07:00
2018-03-31 07:18:36 -07:00
```
2019-03-28 22:34:23 -07:00
$ ssh-keygen -t rsa -b 4096 -C "hpotter@hogwarts.wiz" -f ~/.ssh/github_id_rsa -N ''
2018-03-22 08:38:44 -07:00
Generating public/private rsa key pair.
2018-04-23 12:56:06 -07:00
Your identification has been saved in /Users/hpotter/.ssh/github_id_rsa.
Your public key has been saved in /Users/hpotter/.ssh/github_id_rsa.pub.
2018-03-22 08:38:44 -07:00
The key fingerprint is:
SHA256:w1ZAgf+Ge+R662PU18ASqx8sZYfg9OxKhE/ZFf9zwvE hpotter@hogwarts.wiz
The key's randomart image is:
+---[RSA 2048]----+
| o+. .. |
| . .o . .. |
| . +.* *. .|
| .o.= X.+o.|
| S* B oo+E|
| ...X = ..+|
| B + o |
| . B . |
| .*oo |
+----[SHA256]-----+
2018-04-02 15:14:28 -07:00
```
2018-03-22 08:38:44 -07:00
Some explanation of the arguments used in the above example:
2018-04-02 15:14:28 -07:00
2018-04-23 12:56:06 -07:00
```
2018-04-02 15:14:28 -07:00
-t rsa Use a key type of RSA
-C "hpotter@hogwarts.wiz" Provide an identity to associate with the key (default is
user@host in the local environment)
2018-04-23 12:56:06 -07:00
-f ~/.ssh/github_id_rsa Path to the private key to generate. The corresponding public key
will be saved at ~/.ssh/github_id_rsa.pub
2018-04-02 15:14:28 -07:00
-N '' Passphrase for the generated key. An empty string as shown here
means save the private key unencrypted.
2018-04-23 12:56:06 -07:00
```
2018-03-22 08:38:44 -07:00
2016-10-16 18:50:37 -07:00
2018-04-23 12:56:06 -07:00
# Set up your ssh keypair for use with github
2016-10-16 18:50:37 -07:00
2018-04-23 12:56:06 -07:00
[Add the new key to your github account. ](https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/ )
2016-10-16 18:50:37 -07:00
2019-02-14 14:24:37 -08:00
Add an entry to `~/.ssh/config` (create this file if necessary) telling ssh to use the keypair you
2019-02-13 15:02:37 -08:00
generated above when connecting to github.com.
2016-10-16 18:50:37 -07:00
2018-04-23 12:56:06 -07:00
For instance:
2016-10-16 18:50:37 -07:00
2018-04-23 12:56:06 -07:00
```
Host github.com
User harrypotter
PreferredAuthentications publickey
IdentityFile /home/hpotter/.ssh/github_id_rsa
AddKeysToAgent yes
```
2016-10-16 18:50:37 -07:00
2018-04-23 12:56:06 -07:00
The 'User' entry should match your github username.
2016-10-16 18:50:37 -07:00
2018-05-21 16:59:50 -07:00
Test that ssh will successfully use your new key to connect to github.
```
$ ssh -T git@github.com
The authenticity of host 'github.com (192.30.253.112)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.112' (RSA) to the list of known hosts.
Hi harrypotter! You've successfully authenticated, but GitHub does not provide shell access.
$
```
2018-04-23 12:56:06 -07:00
## Clone this git project on your machine
2019-03-30 09:34:40 -07:00
From a location where you want to place your local clone of this repository (e.g. `~/Projects` ). If
there's a possibility you'll want to make and contribute changes, consider forking the repository
and cloning from your fork.
2016-10-16 18:50:37 -07:00
2019-03-21 11:55:28 -07:00
cd into the project repo
```
$ cd zcash-gitian
zcash-gitian
```
2018-03-20 08:41:41 -07:00
2019-03-21 13:01:22 -07:00
## Copy example environment configuration files
The files `.env.example` and `.envrc.example` are tracked in the repo as example configurations you
should be able to use to get started. The filenames `.env` and `.envrc` are `.gitignore` 'd to allow
you to easily make local customizations that don't show up as untracked changes.
Note that `.envrc` is probably only useful if you are using `direnv` . If you're not, you can ignore
that file and the places below that talk about it, and use your preferred way of managing
environment variables instead.
```
zcash-gitian$ cp .env.example .env
zcash-gitian$ cp .envrc.example .envrc
direnv: error .envrc is blocked. Run `direnv allow` to approve its content.
zcash-gitian$
```
More on that above message in the following section...
2019-03-21 13:03:14 -07:00
## Enable auto-execution of .envrc
If you installed and activated `direnv` , it will detect when `.envrc` is created in your current
directory, as shown above. As a security precaution, it won't automatically run it without your
approval (to prevent untrusted code from doing something malicious). Let's take a look at what's in
the file:
```
zcash-gitian$ cat .envrc
source_up
dotenv
export GIT_NAME=`git config user.name`
export GIT_EMAIL=`git config user.email`
direnv: error .envrc is blocked. Run `direnv allow` to approve its content.
zcash-gitian$
```
Some explanation of the lines in the above `.envrc` file:
```
`source_up` Load any .envrc higher up in the folder structure. So if for
example you place an `.envrc` in your home directory, variables
set there will still be available within this project, rather
than being overridden by this project's `.envrc` .
`dotenv` Set the environment variables defined in `.env` . Think of
`.envrc` as code (it runs in a bash interpreter with some extra
functions added) and `.env` as data (you can basically just set
literal values, and each update to it doesn't require approval).
export GIT_NAME=`git config user.name`
export GIT_EMAIL=`git config user.email`
Use your local git configuration values for the name and email
that will be used to add build signatures inside the virtual
environment.
```
If you're ok with running `.envrc` , follow the directions in the prompt to allow it.
```
zcash-gitian$ echo $ZCASH_GIT_REPO_URL
direnv: error .envrc is blocked. Run `direnv allow` to approve its content.
zcash-gitian$ direnv allow
direnv: loading .envrc
2019-03-21 14:23:55 -07:00
direnv: export +GIT_EMAIL +GIT_NAME +GPG_KEY_ID +GPG_KEY_NAME +ZCASH_GIT_REPO_URL +ZCASH_VERSION
2019-03-21 13:03:14 -07:00
zcash-gitian$ echo $ZCASH_GIT_REPO_URL
https://github.com/zcash/zcash
zcash-gitian$
```
A variable defined in `.env` is now active in our environment. If we leave this project, it is
unloaded. When we return, it is reloaded:
```
zcash-gitian$ cd ..
direnv: unloading
$ echo $ZCASH_GIT_REPO_URL
$ cd zcash-gitian/
direnv: loading .envrc
2019-03-21 14:23:55 -07:00
direnv: export +GIT_EMAIL +GIT_NAME +GPG_KEY_ID +GPG_KEY_NAME +ZCASH_GIT_REPO_URL +ZCASH_VERSION
2019-03-21 13:03:14 -07:00
zcash-gitian$ echo $ZCASH_GIT_REPO_URL
https://github.com/zcash/zcash
zcash-gitian$
```
2019-03-21 14:01:41 -07:00
Project-specific environment settings will come in handy in the next step, when we'll create an
isolated python virtual environment specifically for use with this project.
## Create a python virtual environment for this project
2019-03-26 20:56:02 -07:00
Note: The main purpose of this part is to get a current version of ansible, and keep it locally
within this project. If you already installed ansible (e.g. from an OS package manager like apt),
you can skip this part and the following parts about pip and pip packages.
2019-03-21 14:01:41 -07:00
When creating a virtual environment, call the python executable you want the virtual environment to
use. The location and version will depend on your specific setup -- your OS may provide a suitably
current python interpreter, or you may have built and installed one yourself. If it's in your PATH,
a command like `type python3` should tell you where it is installed on your system. For example:
```
zcash-gitian$ type python3
python3 is /usr/local/bin/python3
zcash-gitian$ /usr/local/python3 --version
2019-03-30 09:32:17 -07:00
Python 3.7.3
2019-03-21 14:01:41 -07:00
```
2019-03-30 09:35:19 -07:00
You may also want to check if the `python3` in `PATH` is a symlink to a versioned location, if you
are using a system (like `brew` ) that can manage multiple installed versions. This way, our virtual
environment will remain pinned to a specific python version even after a newer python version is
installed later.
```
$ ls -n /usr/local/bin/python3
lrwxr-xr-x 1 501 20 34 Mar 30 09:35 /usr/local/bin/python3 -> ../Cellar/python/3.7.3/bin/python3
```
2019-03-21 14:01:41 -07:00
We can use python's built-in `venv` module to create a virtual environment:
```
2019-03-30 09:35:19 -07:00
zcash-gitian$ /usr/local/Cellar/python/3.7.3/bin/python3 -m venv local/python_v3.7.3_venv
2019-03-21 14:01:41 -07:00
```
2019-03-30 09:32:17 -07:00
Translation: "Create a virtual environment at ./local/python_v3.7.3_venv".
2019-03-21 14:01:41 -07:00
The project subdirectory `local` is `.gitignored` to provide a convenient location for files we
don't want to commit and track in version control.
2019-03-30 09:32:17 -07:00
You should now have a tree of directories and files in `local/python_v3.7.3_venv` :
2019-03-21 14:01:41 -07:00
```
2019-03-30 09:32:17 -07:00
zcash-gitian$ ls -F local/python_v3.7.3_venv/
2019-03-21 14:01:41 -07:00
bin/ include/ lib/ pyvenv.cfg
```
Inside the `bin` directory, among other things, are the entries `python` and `python3` , which are
symlinks that point back to the `python3` executable we used to create this environment:
```
2019-03-30 09:32:17 -07:00
zcash-gitian$ ls -F local/python_v3.7.3_venv/bin/
2019-03-21 14:01:41 -07:00
activate activate.fish easy_install-3.7* pip3* python@
activate.csh easy_install* pip* pip3.7* python3@
```
A python virtual environment is 'active' if the python interpreter being executed is run from its
path inside the environment's `bin` directory. Even though the file being executed is the same
whether run directly or via a symlink, it pays attention to the path of the command that was used to
run it.
An `activate` script is provided, and you can use that, but if you're using `direnv` you can set up
a simple automatic activation for the project directory by adding the following line to `.envrc` :
```
2019-03-30 09:32:17 -07:00
load_prefix local/python_v3.7.3_venv
2019-03-21 14:01:41 -07:00
```
The command `load_prefix` is provided by `direnv` to modify a whole set of common "path" variables
(including PATH) according to a common unix pattern.
Let's add that line now:
```
2019-03-30 09:32:17 -07:00
zcash-gitian$ echo "load_prefix local/python_v3.7.3_venv" >> .envrc
2019-03-21 14:01:41 -07:00
direnv: error .envrc is blocked. Run `direnv allow` to approve its content.
zcash-gitian$ direnv allow
direnv: loading .envrc
2019-03-21 14:23:55 -07:00
direnv: export +CPATH +GIT_EMAIL +GIT_NAME +GPG_KEY_ID +GPG_KEY_NAME +LD_LIBRARY_PATH +LIBRARY_PATH +MANPATH +PKG_CONFIG_PATH +ZCASH_GIT_REPO_URL +ZCASH_VERSION ~PATH
2019-03-21 14:01:41 -07:00
zcash-gitian$
```
When the content of `.envrc` is changed, it needs to be approved again (another security
precaution). Then, several variables were set or updated to add paths within our virtual environment
directory at the front (left side) of the list. Let's look at PATH and its effect on which `python`
locations we default to:
```
zcash-gitian$ echo $PATH
2019-03-30 09:32:17 -07:00
/Users/harrypotter/Projects/zcash-gitian/local/python_v3.7.3_venv/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
2019-03-21 14:01:41 -07:00
zcash-gitian$ type python
2019-03-30 09:32:17 -07:00
python is /Users/harrypotter/Projects/zcash-gitian/local/python_v3.7.3_venv/bin/python
2019-03-21 14:01:41 -07:00
zcash-gitian$ type python3
2019-03-30 09:32:17 -07:00
python3 is /Users/harrypotter/Projects/zcash-gitian/local/python_v3.7.3_venv/bin/python3
2019-03-21 14:01:41 -07:00
```
Since the `python` and `python3` commands will now run from the locations we've installed into our
project's virtual environment while we are in the project directory, we can consider the virtual
environment active when using a shell at (or below) that location.
2018-03-20 08:41:41 -07:00
2018-04-23 12:56:06 -07:00
2019-03-21 14:34:07 -07:00
## Upgrade pip
`pip` has a command to upgrade itself. Let's go ahead and run that:
```
zcash-gitian$ pip install --upgrade pip
Collecting pip
[...]
Successfully installed pip-19.0.3
```
2019-03-21 14:44:58 -07:00
## Install pip packages
We have some dependencies to install as python packages, using the pip package manager installed
above. The set we need, with version numbers managed via git, is in `requirements-pip.lock` ; we can
run `pip install` with that file as input:
```
zcash-gitian$ pip install --requirement requirements-pip.lock
```
Check that you can run `ansible` from the command line:
```
zcash-gitian$ ansible --version
ansible 2.7.9
[...]
zcash-gitian$
```
2018-04-23 12:56:06 -07:00
## Decide on a gpg keypair to use for gitian
You can generate a keypair specifically for zcash gitian builds with a command like the one below.
```
2019-03-26 20:16:25 -07:00
zcash-gitian$ gpg --quick-generate-key --batch --passphrase '' "Harry Potter (zcash gitian) < hpotter @ hogwarts . wiz > "
2018-04-23 12:56:06 -07:00
gpg: key 3F0C2117D53A4A49 marked as ultimately trusted
gpg: directory '/home/hpotter/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/hpotter/.gnupg/openpgp-revocs.d/3F14A629C06FA31D59C64FE93F0C2117D53A4A49.rev'
```
Some explanation of the arguments used in the above example:
--quick-generate-key --batch This combination of options allows options to be given on the
command line. Other key generation options use interative
prompts.
--passphrase '' Passphrase for the generated key. An empty string as shown here
means save the private key unencrypted.
"Name (Comment) < Email > " The user id (also called uid) to associate with the generated
keys. Concatenating a name, an optional comment, and an email
address using this format is a gpg convention.
You can check that the key was generated and added to your local gpg key database, and see its
fingerprint value, like this:
```
2019-03-26 20:16:25 -07:00
zcash-gitian$ gpg --list-keys
2018-04-23 12:56:06 -07:00
/home/hpotter/.gnupg/pubring.kbx
----------------------------------
pub rsa2048 2018-04-23 [SC] [expires: 2020-04-22]
3F14A629C06FA31D59C64FE93F0C2117D53A4A49
uid [ultimate] Harry Potter (zcash gitian) < hpotter @ hogwarts . wiz >
sub rsa2048 2018-04-23 [E]
```
2019-03-21 14:25:36 -07:00
Update your `GPG_KEY_ID` and `GPG_KEY_NAME` variables in `.env` as follows:
2018-04-23 12:56:06 -07:00
2019-03-21 14:25:36 -07:00
- `GPG_KEY_ID` : In the example output shown here, this is the 40 character string
2018-04-23 12:56:06 -07:00
`3F14A629C06FA31D59C64FE93F0C2117D53A4A49` . Some versions of gpg may truncate this value, e.g. to 8
or 16 characters. You should be able to use the truncated value.
2019-03-23 15:25:52 -07:00
- `GPG_KEY_NAME` : This is passed as the '--signer' argument to Gitian, and used as the name of a
directory for your signatures in our `gitian.sigs` repository. We suggest using the username portion
of the email address associated with your GPG key. In our example this is `hpotter` .
2018-04-23 12:56:06 -07:00
2019-03-21 15:07:35 -07:00
2019-03-24 20:26:07 -07:00
## Install Vagrant plugins
2019-03-23 07:59:21 -07:00
2019-03-24 20:26:07 -07:00
This project uses some 3rd party Vagrant plugins. These dependencies are specified in `Vagrantfile` .
We can install them locally in the `.vagrant` directory with the following command:
2019-03-23 07:59:21 -07:00
```
2019-03-24 20:26:07 -07:00
zcash-gitian$ vagrant plugin install --local
2019-03-23 07:59:21 -07:00
```
2019-03-21 15:07:35 -07:00
## Configure the version of zcash you want to build and sign
Set the value of the `ZCASH_VERSION` variable in `.env` to point to the zcash commit you want to
create a signature for. Likely you want the name of a git tag, such as `v2.0.4` .
2018-04-23 12:56:06 -07:00
## Provision a virtual machine
From the project root directory, run:
```
2019-03-22 06:55:32 -07:00
zcash-gitian$ vagrant up --provision zcash-build
2018-04-23 12:56:06 -07:00
```
This will provision a Gitian host virtual machine that uses a Linux container (LXC) guest to perform
the actual builds.
2016-10-16 18:50:37 -07:00
2018-04-23 12:56:06 -07:00
2019-02-14 14:28:19 -08:00
Load your ssh key into ssh-agent
--------------------------------
2018-04-23 12:56:06 -07:00
2019-02-14 14:28:19 -08:00
Load your ssh key (for pushing signatures to github) into ssh-agent. The approach here is to allow
programs in the zcash-build VM to connect to ssh-agent to perform operations with the private key.
This way, we don't need to copy ssh keys into the VM. You can verify that the key is loaded by
running `ssh-add -l` .
```
2019-03-22 06:55:32 -07:00
zcash-gitian$ ssh-add -l
2019-02-14 14:28:19 -08:00
The agent has no identities.
2019-03-22 06:55:32 -07:00
zcash-gitian$ ssh-add ~/.ssh/github_id_rsa
2019-02-14 14:28:19 -08:00
Identity added: /home/hpotter/.ssh/github_id_rsa (/home/hpotter/.ssh/github_id_rsa)
2019-03-22 06:55:32 -07:00
zcash-gitian$ ssh-add -l
2019-02-14 14:28:19 -08:00
4096 SHA256:4fFdwJ71VIpF5cW0dqrsU7jxjctaFcAKmdQZPEqR0Y4 /home/hpotter/.ssh/github_id_rsa (RSA)
```
SSH into the VM
---------------
Vagrant should now show that the new VM is in the 'running' state:
```
2019-03-22 06:55:32 -07:00
zcash-gitian$ vagrant status
2019-02-14 14:28:19 -08:00
Current machine states:
zcash-build running (virtualbox)
The VM is running. To stop this VM, you can run `vagrant halt` to
shut it down forcefully, or you can run `vagrant suspend` to simply
suspend the virtual machine. In either case, to restart it again,
simply run `vagrant up` .
```
Use the `vagrant ssh` command to start a shell session in the VM. Once in that session, you can use
ssh-add again to see that your forwarded key is available, and check that you can use that key to
authenticate to github.
2016-10-16 18:50:37 -07:00
2018-04-23 12:56:06 -07:00
```
2019-03-22 06:55:32 -07:00
zcash-gitian$ vagrant ssh zcash-build
2018-04-23 12:56:06 -07:00
[...]
2019-02-14 14:28:19 -08:00
# on the virtualbox vm
2019-03-22 06:55:32 -07:00
vagrant@zcash-build:~$ ssh-add -l
2019-02-14 14:28:19 -08:00
4096 d1:43:75:a7:95:65:9e:d4:8e:57:d8:98:58:7d:92:4c /home/hpotter/.ssh/github_id_rsa (RSA)
2019-03-22 06:55:32 -07:00
vagrant@zcash-build:~$ ssh -T git@github.com
2019-02-14 14:28:19 -08:00
Warning: Permanently added the RSA host key for IP address '192.30.253.112' to the list of known hosts.
Hi harrypotter! You've successfully authenticated, but GitHub does not provide shell access.
```
Building Zcash
--------------
Once in a shell session in the VM, we're ready to run the gitian build.
```
2018-04-23 12:56:06 -07:00
# on the virtualbox vm
2019-03-22 06:55:32 -07:00
vagrant@zcash-build:~$ ./gitian-build.sh
2018-04-23 12:56:06 -07:00
```
2016-10-16 18:50:37 -07:00
2016-10-16 23:08:43 -07:00
The output from `gbuild` is informative. There are some common warnings which can be ignored, e.g. if you get an intermittent privileges error related to LXC then just execute the script again. The most important thing is that one reaches the step which says `Running build script (log in var/build.log)` . If not, then something else is wrong and you should let us know.
2016-10-16 18:50:37 -07:00
2016-10-18 20:41:43 -07:00
Take a look at the variables near the top of `~/gitian-build.sh` and get familiar with its functioning, as it can handle most tasks.
2016-10-18 00:57:58 -07:00
2016-10-18 20:41:43 -07:00
It's also a good idea to regularly `git pull` on this repository to obtain updates and re-run the entire VM provisioning for each release, to ensure current and consistent state for your builder.
2016-10-16 18:50:37 -07:00
Generating and uploading signatures
-----------------------------------
2019-03-27 11:22:25 -07:00
After the build successfully completes, the gitian command `gsign` will be called, which will
generate signatures, and a commit will be added. You can cd into the gitian.sigs directory, set the
2019-03-27 12:27:02 -07:00
repository to point to your fork of [zcash/gitian.sigs ](https://github.com/zcash/gitian.sigs ), push
your updates to a branch, and then make a pull request on github.
2019-03-27 11:22:25 -07:00
```
cd gitian.sigs
git remote rename origin upstream
2019-03-27 12:27:02 -07:00
git remote add origin git@github.com:harrypotter/zcash-gitian.git
2019-03-27 11:22:25 -07:00
git checkout -b v2.0.4
git push origin v2.0.4
```
2016-10-16 18:50:37 -07:00
2016-10-22 16:44:26 -07:00
Signatures can be verified by running `gitian-build.sh --verify` , but set `build=false` in the script to skip building. Run a `git pull` beforehand on `gitian.sigs` so you have the latest. The provisioning includes a task which imports Zcash developer public keys to the Vagrant user's keyring and sets them to ultimately trusted, but they can also be found at `contrib/gitian-downloader` within the Zcash source repository.
2019-02-14 14:30:11 -08:00
Working with GPG
----------------
2016-10-16 18:50:37 -07:00
2019-02-14 14:30:11 -08:00
We provide two options for automatically importing keys into the VM, or you may choose to copy them manually. GPG keys are needed to sign the manifests which get pushed to [gitian.sigs ](https://github.com/zcash/gitian.sigs ).
2016-10-16 18:50:37 -07:00
2019-02-14 14:30:11 -08:00
GPG is tricky, especially if you use a smartcard and can't copy the secret key. We have a script intended to forward the gpg-agent socket into the VM, `forward_gpg_agent.sh` , but it is not currently working. If you want your full keyring to be available, you can use the following workaround involving `sshfs` and synced folders:
2016-10-16 18:50:37 -07:00
vagrant plugin install vagrant-sshfs
Uncomment the line beginning with `gitian.vm.synced_folder "~/.gnupg"` in `Vagrantfile` . Ensure the destination mount point is empty. Then run:
vagrant sshfs --mount zcash-build
Vagrant synced folders may also work natively with `vboxfs` if you install VirtualBox Guest Additions into the VM from `contrib` , but that's not as easy to setup.
Copying files
-------------
To copy files to the VM: `vagrant scp file_on_host.txt :file_on_vm.txt`
To copy files from the VM: `vagrant scp :file_on_vm.txt file_on_host.txt`
Other notes
-----------
Port 2200 on the host machine should be forwarded to port 22 on the guest virtual machine.
The automation and configuration management assumes that VirtualBox will assign the IP address `10.0.2.15` to the Gitian host Vagrant VM.