Major Changes to Reproducible Builds #53
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rory-ocl
reviewed
Jul 12, 2024
rauljordan
changed the title
|
Thanks @rory-ocl ! This is ready again |
rory-ocl
reviewed
Jul 16, 2024
| RUN cargo install cargo-stylus | ||
| RUN cargo install --force cargo-stylus-check | ||
| RUN cargo install --force cargo-stylus-replay | ||
| RUN cargo install --force cargo-stylus-cgen | ||
| ", | ||
| version | ||
| version, |
There was a problem hiding this comment.
Can you confirm that this version variable has also been cleaned to prevent injection attacks? @rauljordan
There was a problem hiding this comment.
Nice catch! Fixed
rory-ocl
reviewed
Jul 16, 2024
check/src/project.rs
Outdated
| // Next, parse the Rust version from the toolchain project, only allowing alphanumeric chars and dashes. | ||
| let channel = channel | ||
| .chars() | ||
| .filter(|c| c.is_alphanumeric() || *c == '-') |
There was a problem hiding this comment.
It looks like . should also be a valid character according to the docs. <channel> = stable|beta|nightly|<major.minor.patch>
There was a problem hiding this comment.
Thanks for confirming ! will add
rauljordan
commented
Jul 16, 2024
| @@ -76,10 +86,14 @@ fn run_in_docker_container(version: &str, command_line: &[&str]) -> Result<()> { | |||
| } | |||
|
|
|||
| pub fn run_reproducible(version: &str, command_line: &[String]) -> Result<()> { | |||
| let version: String = version | |||
There was a problem hiding this comment.
added here @rory-ocl
rory-ocl
approved these changes
Jul 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add Project Hash as Custom WASM Section
Currently, program verification involves injecting a hash of the contents of all Rust sources of a project in the contract deployment calldata. However, this project hash should actually be part of the WASM file itself. We include it as a custom wasm section, which will cause different project hashes to require unique program activations and make them part of consensus. This also extends the docker.rs of reproducible builds to support nightly.
Tested to show that changing a single comment in a project leads to a different activation, and that hashes match with verification:
We also add more details in case verification fails, such as what part of the verification mismatches: either the EVM prelude or the contract code itself.
Require Toolchain File for Reproducible Stylus Programs
Our next major change is requiring a rust-toolchain.toml file, which is a convention for reproducible Rust programs in the directory of the project being deployed. This allows specifying the exact toolchain channel, such as a specific nightly Rust version, to ensure builds are always made with the expected channel.