Introduce reproducible, prebuilt binaries

2021-04-19 18:13:28 -03:00 · 2021-04-19 18:13:28 -03:00 · 036cfa7f1d
parent fd92825ddc
commit 036cfa7f1d
10 changed files with 124 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,4 +2,3 @@
 .idea
 neutrino_test

-/bin
--- a/31
+++ b/31
@ -0,0 +1,31 @@
+# Building this Dockerfile executes a full build of the Recovery Tool, cross-compiling inside 
+# the container. The resulting executable is copied to the output directory using Docker BuildKit.
+
+# You need to pass 3 parameters via --build-arg:
+# 1. `os`  : the GOOS env var -- `linux`, `windows` or `darwin`.
+# 2. `arch`: the GOARCH env var -- `386` or `amd64` (note that darwin/386 is not a thing).
+# 3. `out` : the name of the resulting executable, placed in the output directory on the host.
+
+# For example, to build a linux/386 binary into `bin/rt`:
+#   docker build . --output bin --build-arg os=linux --build-arg arch=386 --build-arg out=rt
+
+# Note that the --output <dir> flag refers to the host, outside the container.
+
+FROM golang:1.16.0-alpine3.13 AS build
+ARG os
+ARG arch
+
+RUN apk add --no-cache build-base=0.5-r2
+
+WORKDIR /src
+COPY . .
+
+ENV CGO_ENABLED=0
+RUN env GOOS=${os} GOARCH=${arch} go build -mod=vendor -a -trimpath -o /out .
+
+# ---
+
+FROM scratch
+ARG out
+
+COPY --from=build /out ${out}
--- a/36
+++ b/36
@ -0,0 +1,36 @@
+# (Default) build the Recovery Tool to run on this system.
+build:
+	mkdir -p bin
+	
+	echo "Building recovery tool"
+	go build -a -trimpath -o "bin/recovery-tool"
+
+	echo "Success! Built to bin/recovery-tool"
+
+# Cross-compile and checksum the Recovery Tool for a range of OS/archs.
+build-checksum-all: export DOCKER_BUILDKIT=1
+build-checksum-all:
+	# Get vendor dependencies:
+	go mod vendor -v
+
+	# Linux 32-bit:
+	docker build . -o bin --build-arg os=linux --build-arg arch=386 --build-arg out=recovery-tool-linux32
+	/bin/echo -n '✓ Linux 32-bit ' && sha256sum "bin/recovery-tool-linux32"
+
+	# Linux 64-bit:
+	docker build . -o bin --build-arg os=linux --build-arg arch=amd64 --build-arg out=recovery-tool-linux64
+	/bin/echo -n '✓ Linux 64-bit ' && sha256sum "bin/recovery-tool-linux64"
+	
+	# Windows 32-bit:
+	docker build . -o bin --build-arg os=windows --build-arg arch=386 --build-arg out=recovery-tool-windows32.exe
+	/bin/echo -n '✓ Windows 32-bit ' && sha256sum "bin/recovery-tool-windows32.exe"
+	
+	# Windows 64-bit:
+	docker build . -o bin --build-arg os=windows --build-arg arch=amd64 --build-arg out=recovery-tool-windows64.exe
+	/bin/echo -n '✓ Windows 64-bit ' && sha256sum "bin/recovery-tool-windows64.exe"
+
+	# Darwin 64-bit:
+	docker build . -o bin --build-arg os=darwin --build-arg arch=amd64 --build-arg out=recovery-tool-macos64
+	/bin/echo -n '✓ MacOS 64-bit ' && sha256sum "bin/recovery-tool-macos64"
+
+.SILENT:
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@

 Welcome!

-You can use this tool to transfer all funds from your Muun wallet to an address of your choosing.
+You can use this tool to transfer all funds out of your Muun account to an address of your choosing.

 ![](readme/demo.gif)

@ -14,35 +14,66 @@ control over their own money. Bitcoin has finally made this possible.

 ## Usage

-To execute a recovery, you will need:
+Download the appropriate binary in the following table, according to your operating system and
+architecture.

-1. **Your Recovery Code**, which you wrote down during your security setup
-2. **Your Emergency Kit PDF**, which you exported from the app
-3. **Your destination bitcoin address**, where all your funds will be sent
+| System | Checksum | Link |
+| --- | --- | --- |
+| Linux 32-bit | `65c0e27bcff10210f5637a8b9f95ffd8c932d258c21d23d5d9da40ba091864a3` | [Download](https://raw.githubusercontent.com/muun/recovery/master/bin/recovery-tool-linux32) |
+| Linux 64-bit | `596c819d22501e267385325dd2bba7e5260f711eb3d210c468a606699c8d8369` | [Download](https://raw.githubusercontent.com/muun/recovery/master/bin/recovery-tool-linux64) |
+| Windows 32-bit | `897ff4db5ccc7f5b37c9c479f018b5ba4a98a243137f186fbf4b96138eff6adc` | [Download](https://raw.githubusercontent.com/muun/recovery/master/bin/recovery-tool-windows32.exe) |
+| Windows 64-bit | `c03e981119c18270d517d74691283fd3e4d57460d1bf02189c7552b8daa06625` | [Download](https://raw.githubusercontent.com/muun/recovery/master/bin/recovery-tool-windows64.exe) |
+| MacOS 64-bit | `c5b5d0f65f6b0a1a98bcbf405b50a691b33c347b06b02af98d3350bddb9353f3` | [Download](https://raw.githubusercontent.com/muun/recovery/master/bin/recovery-tool-macos64) |

-Once you have that, you must:
+Once you have that, run:

-1. Install [golang](https://golang.org/)
-2. Open a terminal window
-3. Run:
+```
+./recovery-tool <path to your Emergency Kit PDF>
+```

-        git clone https://github.com/muun/recovery
-        cd recovery
-        ./recovery-tool <path to your Emergency Kit PDF>
+The process takes only a few minutes (depending on your connection).

-The recovery process takes only a few minutes  (depending on your connection).
-
-## Questions
-
-If you have any questions, we'll be happy to answer them. Contact us at [contact@muun.com](mailto:contact@muun.com)
+If you have any questions, we'll be happy to answer them. Contact us at support@muun.com

 ## Auditing

-Begin by reading `main.go`, and follow calls to other files and modules as you see fit. We always work
-to improve code quality and readability with each release, so that auditing is easier and more effective.
+This tool is open-sourced so that auditors can dive into the code, and verify it to their benefit
+and everyone else's. We encourage people with the technical knowledge to do this.

-The low-level encryption, key handling and transaction crafting code can be found in the `libwallet`
-module, and it's the same our iOS and Android applications use.
+To build the tool locally and run it, you must:
+
+1. Install the [Go](https://golang.org/) toolchain.
+2. Clone the repository:
+
+    ```
+    git clone https://github.com/muun/recovery
+    cd recovery
+    ```
+      
+3. Run the tool with:
+
+    ```
+    go run -mod=vendor . -- <path to your Emergency Kit PDF>
+    ```
+
+To build the tool in all its variants and verify the checksums for the above binaries, you need to:
+
+1. Install the [Docker](https://www.docker.com/) toolchain and start the daemon.
+2. Run this command:
+
+    ```
+    make build-checksum-all
+    ```
+
+3. Verify that the printed checksums match those of the downloaded versions, using `sha256sum` 
+as in the `Makefile`.
+
+We use Docker for these builds to ensure they are reproducible.
+
+
+## Questions
+
+If you have any questions, we'll be happy to answer them. Contact us at contact@muun.com


 ## Responsible Disclosure
@ -51,4 +82,4 @@ Send us an email to report any security related bugs or vulnerabilities at [secu

 You can encrypt your email message using our public PGP key.

-Public key fingerprint: `1299 28C1 E79F E011 6DA4 C80F 8DB7 FD0F 61E6 ED76`
+Public key fingerprint: `1299 28C1 E79F E011 6DA4 C80F 8DB7 FD0F 61E6 ED76`
--- a/bin/recovery-tool-linux32
+++ b/bin/recovery-tool-linux32
--- a/bin/recovery-tool-linux64
+++ b/bin/recovery-tool-linux64
--- a/bin/recovery-tool-macos64
+++ b/bin/recovery-tool-macos64
--- a/bin/recovery-tool-windows32.exe
+++ b/bin/recovery-tool-windows32.exe
--- a/bin/recovery-tool-windows64.exe
+++ b/bin/recovery-tool-windows64.exe
--- a/readme/demo.yml
+++ b/readme/demo.yml
@ -3,6 +3,9 @@
 # Render with:
 # $ terminalizer render demo.yml -o demo-unoptimized.gif

+# Make background transparent with:
+# https://onlinegiftools.com/create-transparent-gif (use white, 1%)
+
 # Optimize with:
 # $ gifsicle --optimize=3 --colors=32 -i demo-unoptimized.gif -o demo.gif

@ -24,6 +27,7 @@ config:
    title: null
    style:
      border: 0px black solid
+      boxShadow: none

  watermark:
    imagePath: null