> Gitian is a secure source-control oriented software distribution method. This means you can download trusted binaries that are verified by multiple builders.
>
> Source: Gitian.org
Gitian is a deterministic build process that is used to release Dogecoin Core executables. It uses a virtualized environment and a predetermined set of dependencies and system libraries to build binaries. This lets many independent builders compare and publish their results before releasing executables, allowing for an end-to-end auditable release that can be verified by anyone.
To reduce the probability of compromised releases, more independent gitian builders are needed!
Anyone can participate and help to increase the security of Dogecoin Core releases by following this guide.
## Preparing the Gitian builder host

To perform a Gitian build, you can use one of several virtualization options: Docker, KVM or LXC. The dependencies differ according to your choice, but some are required whatever you choose. Use your package manager to install them: `apt`, `brew`, `dnf`, `pacman`, etc.

The following common dependencies are required regardless of virtualization:

```
git ruby wget apt-cacher-ng gpg
```

Note: When asked to allow secure tunnels through apt-cacher, answer "no".

After installation, you will need to enable `apt-cacher`, e.g.:

```sh
sudo systemctl enable apt-cacher-ng.service
sudo systemctl start apt-cacher-ng.service
```

You can define your `apt-cacher` host by setting the `MIRROR_HOST` environment variable.

To create a PGP key to sign files, see https://gnupg.org/gph/en/manual.html#INTRO. You will need to specify your user ID; find it using `gpg -k`.
### Docker

Please refer to the official Docker documentation to install it for your operating system.

Make sure your user can run the `docker` command without root privileges by being in the `docker` group:

```sh
sudo usermod -aG docker $(whoami)
# Enable the group without logging out
newgrp docker
```

You can now use the `--docker` option with `gitian-build.sh`, described in the Usage section of this guide.
### LXC

Install the following package:

```
lxc
```

Then use the `--lxc` option with `gitian-build.sh`.

### KVM

[Documentation not available, help is welcome]
## Usage

`gitian-build.sh` is a standalone script; it can be downloaded and run outside the Dogecoin Core repository. It can download the dependency files for Gitian, build and optionally sign binaries, or verify signatures.

Binaries and signatures will be created in a `gitian-output` folder, relative to where the `gitian-build.sh` script is run.

```sh
./gitian-build.sh [options] version
# See the help menu for available options
./gitian-build.sh --help
```
The entire Gitian flow can be performed step by step, for example using Docker:

```sh
# Download Gitian dependencies
./gitian-build.sh --docker --setup 1.14.5
# Build & sign executables
./gitian-build.sh --docker --build --sign SIGNER 1.14.5
# Verify signatures
./gitian-build.sh --verify 1.14.5
```

Or to do everything at once:

```sh
./gitian-build.sh --docker --setup --build --sign SIGNER --verify 1.14.5
```
## Signing externally

If you want to do the PGP signing on another device, that's also possible; just define `SIGNER` as mentioned and follow the steps in the build process as normal. When you execute `gsign` you will get an error from GPG, which can be ignored:

```
gpg: skipped "shibetoshi": secret key not available
```

Copy the resulting `.assert` files in `gitian.sigs` to your signing machine and run:

```sh
gpg --detach-sign ${VERSION}-linux/${SIGNER}/dogecoin-linux-build.assert
gpg --detach-sign ${VERSION}-win/${SIGNER}/dogecoin-win-build.assert
gpg --detach-sign ${VERSION}-osx-unsigned/${SIGNER}/dogecoin-osx-build.assert
```

This will create the `.sig` files that can be committed together with the `.assert` files to assert your Gitian build.
## Uploading signatures

Gitian signatures for each release are added to https://github.com/dogecoin/gitian.sigs. `gitian-build.sh` will create signatures inside the `gitian-output/sigs/` folder. Create a pull request to dogecoin/gitian.sigs to publish your signatures: the `.assert` and `.assert.sig` files.
When your PR is merged, you will be recorded for all future history as a Gitian Builder of Dogecoin Core!
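Once several builders' `.assert` files sit side by side in gitian.sigs, the security property described at the top of this guide (independent builders comparing their results) comes down to checking that every builder's `out_manifest` lists the same hashes for the same artifacts. The following POSIX shell script is an added example, not part of the Dogecoin Core documentation or of `gitian-build.sh`. It assumes the real `.assert` layout, where `out_manifest:` begins a YAML block of `<sha256>  <filename>` lines, and it builds a constructed sample tree with made-up hashes (labelled as such) in which one of three hypothetical builders disagrees.

```shell
#!/bin/sh
# Added example, not part of the Dogecoin Core docs or gitian-build.sh.
# Checks that every builder who published a .assert for one release/platform
# directory in gitian.sigs (e.g. 1.14.5-linux/<signer>/) reports identical
# output hashes. Assumes the real .assert layout: "out_manifest:" starts a
# YAML block of "<sha256>  <filename>" lines, ended by the next top-level key.

# Print "<hash> <file>" for every artifact listed under out_manifest, sorted.
extract_out_manifest() {
    awk '
        /^out_manifest:/   { inblock = 1; next }  # block starts after this key
        /^[^ ]/            { inblock = 0 }        # next unindented line ends it
        inblock && NF >= 2 { print $1, $2 }
    ' "$1" | sort
}

# Compare two .assert files. Returns 0 if every output hash agrees, 1 otherwise
# (and prints the differing artifact lines so the divergence is visible).
compare_asserts() {
    a=$(extract_out_manifest "$1")
    b=$(extract_out_manifest "$2")
    [ "$a" = "$b" ] && return 0
    printf 'MISMATCH between %s and %s\n' "$1" "$2"
    ta=$(mktemp); tb=$(mktemp)
    printf '%s\n' "$a" > "$ta"
    printf '%s\n' "$b" > "$tb"
    diff "$ta" "$tb" || true   # diff exits 1 on differences; that is expected here
    rm -f "$ta" "$tb"
    return 1
}

# Walk one gitian.sigs release directory (e.g. 1.14.5-linux), compare every
# signer's assert against the first one found, and count disagreements.
# Returns 0 only when at least two builders published and all of them agree.
check_release_dir() {
    dir=$1; name=$2   # name: assert file name, e.g. dogecoin-linux-build.assert
    ref=""; bad=0; n=0
    for f in "$dir"/*/"$name"; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        if [ -z "$ref" ]; then ref=$f; continue; fi
        compare_asserts "$ref" "$f" || bad=$((bad + 1))
    done
    echo "$n assert files checked in $dir, $bad disagree with $(basename "$(dirname "$ref")")"
    [ "$n" -ge 2 ] && [ "$bad" -eq 0 ]
}

# Constructed sample tree (hashes and signer names are made up): three
# hypothetical builders for a 1.14.5-linux directory; "builder3" diverges on
# one artifact. Prints the temporary root directory it created.
make_sample_sigs() {
    root=$(mktemp -d)
    for who in builder1 builder2 builder3; do
        mkdir -p "$root/1.14.5-linux/$who"
        h1=1111111111111111111111111111111111111111111111111111111111111111
        h2=2222222222222222222222222222222222222222222222222222222222222222
        if [ "$who" = builder3 ]; then
            h2=deadbeef00000000000000000000000000000000000000000000000000000000
        fi
        cat > "$root/1.14.5-linux/$who/dogecoin-linux-build.assert" <<EOF
---
out_manifest: |
  $h1  dogecoin-1.14.5-x86_64-linux-gnu.tar.gz
  $h2  dogecoin-1.14.5-aarch64-linux-gnu.tar.gz
in_manifest: |
  0000000000000000000000000000000000000000000000000000000000000000  dogecoin-1.14.5.tar.gz
EOF
    done
    echo "$root"
}

# Stand-alone demo on the constructed tree.
root=$(make_sample_sigs)
if check_release_dir "$root/1.14.5-linux" dogecoin-linux-build.assert; then
    echo "all builders agree"
else
    echo "at least one builder disagrees: do not treat this release as verified"
fi
rm -rf "$root"
```

Point `check_release_dir` at a real checkout, e.g. `check_release_dir gitian.sigs/1.14.5-linux dogecoin-linux-build.assert`, to see which signer's assert diverges before trusting a release. It deliberately reports failure when fewer than two assert files are present, since a single builder cannot corroborate itself. It only compares what each assert claims; the `.assert.sig` files still need to be checked with `gpg --verify` to know which key stands behind each claim.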