We cannot reproduce the same checksum for cardano-cli #1013

Open
n0price opened this issue Jan 9, 2025 · 9 comments
Comments

@n0price

n0price commented Jan 9, 2025

We cannot reproduce the sha256sum for version 10.2.0.0.

We simply forked the project,
checked out the commit (6385b7412f6fbe15429b505886c39f6fc842ad3a),
used the build action,
and downloaded the binary generated in the workflow step "Save artifact".
The checksum from the forked repo:
vm:~/libsodium$ sha256sum ~/cardano-keys/ceremony_cardano/bin/cardano-cli
4125368d8568888f4800613f288f8b797956087001a8ad95033e898c5bfb6cf4  /home/hamo/cardano-keys/ceremony_cardano/bin/cardano-cli
vm:~/libsodium$ sha256sum ~/cardano-keys/ceremony_cardano/bin/cardano-cli*
4125368d8568888f4800613f288f8b797956087001a8ad95033e898c5bfb6cf4  /home/hamo/cardano-keys/ceremony_cardano/bin/cardano-cli
vm:~/libsodium$ sudo strip --strip-all /home/hamo/cardano-keys/ceremony_cardano/bin/cardano-cli
vm:~/libsodium$ sha256sum ~/cardano-keys/ceremony_cardano/bin/cardano-cli*
06af14126ec65d8335e2eaa01fd6a32ab45afc6bf859412e57d120a256be2cf2  /home/hamo/cardano-keys/ceremony_cardano/bin/cardano-cli

cardano-cli-10.2.0.0-sha256sums.txt:

a3b8959eccedc87dcd2151b040c2cc45cbde6327ba2c998a722e8dca478735ff  cardano-cli-10.2.0.0-x86_64-linux.tar.gz
575ccd161d5ae442e904fd1be22622fe7f4161be4eadee10b9722359581f5243  cardano-cli-10.2.0.0-x86_64-darwin.tar.gz
3fc0fe8fe0707a2d216891b55c1919317b7453985e888262babfadf9ddb9a6ac  cardano-cli-10.2.0.0-aarch64-darwin.tar.gz
9a389efb17350c82284775570394140c7ccd68b200ff73733344cfc7eda5b117  cardano-cli-10.2.0.0-aarch64-linux.tar.gz

@smelc
Contributor

smelc commented Jan 10, 2025

@n0price> that is because the SHAs in cardano-cli-10.2.0.0-sha256sums.txt are the SHAs of the individual .tar.gz archives attached to the release, not the SHA of the repository (there is only a single SHA of the repository, not one per platform).

This is visible here: https://github.com/IntersectMBO/cardano-cli/blob/5c768706b41f/.github/workflows/release-upload.yml#L206

Let me know if you need further assistance.

@smelc smelc self-assigned this Jan 10, 2025
@n0price
Author

n0price commented Jan 10, 2025

I downloaded the cardano-cli binary from the release 10.2.0.0 located in cardano-cli-10.2.0.0-x86_64-linux/cardano-cli. After running the command:

strip --strip-all cardano-cli-10.2.0.0-x86_64-linux/cardano-cli
sha256sum cardano-cli-10.2.0.0-x86_64-linux/cardano-cli
I obtained the following hash:

82f82d3c255b51904119dfcabc6af21df59213d08e40ba0614892c329f2cfd9d
However, when I compared this to binaries from artifacts (9.10, 9.8, and 9.6) downloaded from the GitHub workflow of the forked repository (same commit as 10.2.0.0), I received completely different hashes for each version.

The comparison was conducted only on the binaries, using the same steps.

@rdlrt

rdlrt commented Jan 10, 2025

The release binaries are uploaded from Hydra CI builds, which are based on nix-ops (not the cabal build you're tracking on GitHub workflows) that IO uses across the board for their devops.

@n0price
Author

n0price commented Jan 13, 2025

How then to reproduce the same hash? I need to build with cabal build. Which GHC and cabal versions are used?
One more thing: I compared the artifact hashes generated by CI between the forked repo and the official one, and they don't match even though the artifacts are using nix-ops and are built the same way.

@smelc
Contributor

smelc commented Jan 13, 2025

I'm not sure what you want to achieve @n0price. The purpose of the tags listed in cardano-cli-10.2.0.0-sha256sums.txt is that you can verify your download wasn't corrupted:

  1. You download the binary archive you want
  2. You compute the archive's hash after you've downloaded it
  3. You check that the hash you obtained is the same one as in cardano-cli-10.2.0.0-sha256sums.txt
  4. Now you have confidence your download wasn't tainted
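The three-step check above, as an added shell example that is not part of the issue or of the cardano-cli project: it looks the downloaded archive up by name in a sha256sums.txt-style file, recomputes its SHA-256 and compares, and it must be run on the .tar.gz itself, since hashing the extracted (or stripped) binary will not match, as the thread shows. The archive names, their contents and the sums file are constructed fixtures; GNU coreutils sha256sum is assumed.

```shell
#!/bin/sh
# Added example, not from the issue or the cardano-cli project.
# Verifies a downloaded release archive against a sha256sums.txt-style file.

# verify_archive SUMS_FILE ARCHIVE
# Prints OK / MISMATCH / NOT LISTED; exit status is 0 only for OK.
verify_archive() {
    sums_file=$1
    archive=$2
    name=$(basename "$archive")
    # Lines in the sums file look like "<hex>  <filename>" (two spaces,
    # the sha256sum output format shown in the issue).
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums_file")
    if [ -z "$expected" ]; then
        echo "NOT LISTED"
        return 2
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# Constructed fixture (stand-in files, not real tarballs): a good archive
# whose real hash is listed, a tampered one listed with a wrong hash, and
# one that is not listed at all. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    printf 'constructed good archive\n' > "$dir/cardano-cli-EXAMPLE-x86_64-linux.tar.gz"
    printf 'constructed tampered archive\n' > "$dir/tampered.tar.gz"
    printf 'constructed unlisted file\n' > "$dir/unlisted.tar.gz"
    good_hash=$(sha256sum "$dir/cardano-cli-EXAMPLE-x86_64-linux.tar.gz" | awk '{ print $1 }')
    printf '%s  cardano-cli-EXAMPLE-x86_64-linux.tar.gz\n' "$good_hash" > "$dir/sha256sums.txt"
    printf '%s  tampered.tar.gz\n' \
        0000000000000000000000000000000000000000000000000000000000000000 >> "$dir/sha256sums.txt"
    echo "$dir"
}

# Walk the three cases; non-zero status is expected for the last two.
d=$(make_fixture)
for f in cardano-cli-EXAMPLE-x86_64-linux.tar.gz tampered.tar.gz unlisted.tar.gz; do
    printf '%s: ' "$f"
    verify_archive "$d/sha256sums.txt" "$d/$f" || :
done
rm -rf "$d"
```

With the real release files in one directory, the equivalent one-liner with GNU coreutils is `sha256sum -c --ignore-missing cardano-cli-10.2.0.0-sha256sums.txt`, which checks only the archives you actually downloaded.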

@n0price
Author

n0price commented Jan 13, 2025

For risk reasons, to remove a single point of failure, we should be able to reproduce the same hash using the same code.

@smelc
Contributor

smelc commented Jan 14, 2025

@CarlosLopezDeLara> do you know if we could redirect this reproducibility feature to another team? This is outside the scope of the cardano-cli team. It's a broader issue.

@n0price
Author

n0price commented Jan 14, 2025

Thanks. Just to add, IMHO this is crucial for institutions and will become even more essential in the future.
Is the cardano-cli in 10.2.0.0 built with the following versions:

ghc 8.10.7
cabal 3.8.1.0

@smelc
Contributor

smelc commented Jan 17, 2025

> Is the cardano-cli in 10.2.0.0 built with the following versions:

Alas, because the binaries in releases are built by Hydra, it is outside the scope of this team to know the details of how the binaries are generated. The build process goes as follows, if you want to dig yourself:

The release pipeline workflow is called when a tag is created:

Image

And then the pipeline takes the binaries built by Hydra's run on the given commit:

Image

which, in the case of 10.3.0.0 shown in these screenshots, is 0c904ea3332acfdd2f063648400ab52e34bd2e9c.

Then if you go to this commit's view:

Image

You should open the CI's run for this commit and select this Hydra entry:

Image

Open Hydra as follows:

Image

Select the exe target for the platform you aim for:

Image

And then access the logs, which tell you how Nix built the thing:

Image

Image

So if you are capable of reproducing this Nix build, you should maybe get a hash similar to the one attached to the release, but byte-for-byte reproducibility is its own deep topic, which the CLI team is not responsible for; and so we cannot help you more here.

3 participants