Feature Request - Add Verifiable Builds to the Solana CLI #23

Open
jacobcreech opened this issue Feb 27, 2024 · 6 comments

@jacobcreech

Problem

Being able to create verifiable builds and prove your smart contract code deployed is the same code as displayed on GitHub or an explorer is incredibly important. Today developers deploying programs have to go install a separate CLI to create a verifiable build and upload it.

Proposed Solution

Integrate Verifiable Builds into the Solana CLI as part of `solana program deploy`. Verifiable build should add information to security.txt so that people can manually verify and not have to rely on uploading to an indexer.

@jacobcreech
Author

@joncinque would you want this to work without docker before getting added to the CLI?

@joncinque

That would be ideal, since if it requires docker, we introduce a very heavy dependency to building programs. Think of the docs updates 😅

@jacobcreech
Author

@joncinque Ottersec created a program for storing the verified build hash onchain https://github.com/otter-sec/otter-verify. This is to avoid accidentally creating a centralized entity for storing verified build hashes for distribution. We would need to push the hash onchain every time we do a `solana-verify`.

IMO it'd be ok to have the `solana-verify` bin in the Solana Tool Suite for devs to have easy access to, but not as a default part of `solana program deploy` until it removes a dependency on docker. WDYT?

@joncinque

Ah finally someone made a program to do this! I definitely want to see people using it as much as possible. For including solana-verify in the tool suite, I'll need to take some time to see how much maintenance it'll require from our side.

Right now, it seems like the biggest annoyance is updating the docker images. For example, I tried a build using 2.0 and it fell back to 1.18. Whenever we deploy a new version of the tools, we'll also need to push a new docker image. If we can automate that in our pipeline, we could certainly take over some of the maintenance.

@jacobcreech
Author

It looks like Jarry has a script for auto-generating all the docker files given a Rust version and Solana version https://github.com/Ellipsis-Labs/solana-verifiable-build/blob/master/generate_dockerfiles.py

This should make it pretty easy to maintain.

@joncinque

Ok great!
