Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

debug/buildinfo/testdata: test binaries should be more reproducible #71734

Open
yosifkit opened this issue Feb 13, 2025 · 6 comments
Open

debug/buildinfo/testdata: test binaries should be more reproducible #71734

yosifkit opened this issue Feb 13, 2025 · 6 comments
Assignees
@prattmic
Labels
NeedsFix The path to resolution is known, but the work has not been done. Other None of the above.

Comments

@yosifkit
Copy link

The binaries added in 28aed40 and part of the go 1.24.0 release artifacts are not reproducible without knowing the GOPATH (/usr/local/google/home/mpratt/go) and source path (/tmp/old/main.go) that were used to build them. And even that isn't enough, you have to also know that main.go was formatted with gofmt. Can the source files and more accurate build instructions used to generate them be more than a comment and instead be separate files that could be used to verify that the provided binary is an accurate representation of its source?

This is not enough to generate the given go117 binary:

// main.go:
//
// package main
// func main() {}
//
// GOTOOLCHAIN=go1.17 go mod init example.com/go117
// GOTOOLCHAIN=go1.17 go build

This is what it takes to reproduce it:

set -eux; \
	mkdir -p /usr/local/google/home/mpratt/go; \
	export GOPATH=/usr/local/google/home/mpratt/go; \
	mkdir -p /tmp/old; \
	cd /tmp/old; \
	{ \
		echo 'package main'; \
		echo 'func main() {}'; \
	} > main.go; \
	gofmt -w main.go; \
	cat main.go; \
	GOTOOLCHAIN=go1.17 go mod init example.com/go117; \
	GOTOOLCHAIN=go1.17 go build

# verification:
	sha256sum go117; \
	sha256sum /usr/local/go/src/debug/buildinfo/testdata/go117

And the abbreviated output:

+ cat main.go
package main

func main() {}
+ go build
+ sha256sum go117
95da139e18904482b2c4f94981cd30a54d6c76e6773d2b0366786ef34afbf763  go117
+ sha256sum /usr/local/go/src/debug/buildinfo/testdata/go117
95da139e18904482b2c4f94981cd30a54d6c76e6773d2b0366786ef34afbf763  /usr/local/go/src/debug/buildinfo/testdata/go117

For easier verification, can go117 also be built with -trimpath?

The above is mostly about reproducing the go117 binary, but the notgo C binary should be reproducible as well.

attempted `notgo` reproduction 
echo 'int main(void) { return 0; }' > main.c
cc -o notgo main.c
sha256sum notgo
sha256sum /usr/local/go/src/debug/buildinfo/testdata/notgo
diffoscope notgo /usr/local/go/src/debug/buildinfo/testdata/notgo
+ sha256sum notgo
25aeb0102fa3aae6f58b595be0d12d6770e3bada68d1fa375f58b7b066544be0  notgo
+ sha256sum /usr/local/go/src/debug/buildinfo/testdata/notgo
9adbf130f3710480b54f28a1243208931d94ea19a21d4676a40078948ce80d04  /usr/local/go/src/debug/buildinfo/testdata/notgo
+ diffoscope notgo /usr/local/go/src/debug/buildinfo/testdata/notgo
--- notgo
+++ /usr/local/go/src/debug/buildinfo/testdata/notgo
│┄ File has been modified after NT_GNU_BUILD_ID has been applied.
├── readelf --wide --notes {}
│ @@ -1,12 +1,12 @@
│
│  Displaying notes found in: .note.gnu.property
│    Owner                Data size     Description
│    GNU                  0x00000010    NT_GNU_PROPERTY_TYPE_0        Properties: x86 ISA needed: x86-64-baseline
│
│  Displaying notes found in: .note.gnu.build-id
│    Owner                Data size     Description
│ -  GNU                  0x00000014    NT_GNU_BUILD_ID (unique build ID bitstring)         Build ID: db62bee0401069db6abcf17e53640fc2bc5d44dc
│ +  GNU                  0x00000014    NT_GNU_BUILD_ID (unique build ID bitstring)         Build ID: c9b33e0b5754e44e971e8fe413e2a8d5e8466dcd
│
│  Displaying notes found in: .note.ABI-tag
│    Owner                Data size     Description
│    GNU                  0x00000010    NT_GNU_ABI_TAG (ABI version tag)            OS: Linux, ABI: 3.2.0
├── strings --all --bytes=8 {}
│ @@ -1,17 +1,17 @@
│  /lib64/ld-linux-x86-64.so.2
│ -__libc_start_main
│  __cxa_finalize
│ +__libc_start_main
│  libc.so.6
│  GLIBC_2.2.5
│  GLIBC_2.34
│  _ITM_deregisterTMCloneTable
│  __gmon_start__
│  _ITM_registerTMCloneTable
│ -GCC: (Debian 12.2.0-14) 12.2.0
│ +GCC: (Debian 13.2.0-13) 13.2.0
│  __abi_tag
│  crtstuff.c
│  deregister_tm_clones
│  __do_global_dtors_aux
│  completed.0
│  __do_global_dtors_aux_fini_array_entry
│  frame_dummy
├── readelf --wide --decompress --hex-dump=.dynstr {}
│ @@ -1,12 +1,12 @@
│
│  Hex dump of section '.dynstr':
│ -  0x00000458 005f5f6c 6962635f 73746172 745f6d61 .__libc_start_ma
│ -  0x00000468 696e005f 5f637861 5f66696e 616c697a in.__cxa_finaliz
│ -  0x00000478 65006c69 62632e73 6f2e3600 474c4942 e.libc.so.6.GLIB
│ +  0x00000458 005f5f63 78615f66 696e616c 697a6500 .__cxa_finalize.
│ +  0x00000468 5f5f6c69 62635f73 74617274 5f6d6169 __libc_start_mai
│ +  0x00000478 6e006c69 62632e73 6f2e3600 474c4942 n.libc.so.6.GLIB
│    0x00000488 435f322e 322e3500 474c4942 435f322e C_2.2.5.GLIBC_2.
│    0x00000498 3334005f 49544d5f 64657265 67697374 34._ITM_deregist
│    0x000004a8 6572544d 436c6f6e 65546162 6c65005f erTMCloneTable._
│    0x000004b8 5f676d6f 6e5f7374 6172745f 5f005f49 _gmon_start__._I
│    0x000004c8 544d5f72 65676973 74657254 4d436c6f TM_registerTMClo
│    0x000004d8 6e655461 626c6500                   neTable.
├── readelf --wide --decompress --string-dump=.comment {}
│ @@ -1,4 +1,4 @@
│
│  String dump of section '.comment':
│ -  [     0]  GCC: (Debian 12.2.0-14) 12.2.0
│ +  [     0]  GCC: (Debian 13.2.0-13) 13.2.0
@seankhliao seankhliao changed the title Make the ‎src/debug/buildinfo/testdata/ binaries included in the go 1.24 release easier to reproduce/verify debug/buildinfo/testdata: test binaries should be more reproducible Feb 13, 2025
@ianlancetaylor
Copy link
Member

CC @prattmic

@gabyhelp
Copy link

Related Issues

Related Documentation

Related Discussions

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@gabyhelp gabyhelp added the Other None of the above. label Feb 13, 2025
@prattmic
Copy link
Member

Sure, I probably should have checked in the source file and used -trimpath. I can do that.

To be clear, any Go 1.17 binary is sufficient for this test, it doesn't need to be a perfect reproduction.

The notgo one is trickier, as reproducible C binaries are trickier. Maybe it would be more straightforward to use some binary very likely to exist on the system (e.g., /bin/ls). Though that is likely bad for debugging failures, if any occur, as CI vs local versions of /bin/ls will differ.

@prattmic prattmic self-assigned this Feb 14, 2025
@seankhliao seankhliao mentioned this issue Feb 18, 2025
Closed
@prattmic
Copy link
Member

In https://go.dev/cl/651175 I checked in the source files plus more explicit instructions. This should make it easy to reproduce the Go binary. The C binary is likely still difficult to reproduce, as you'll need to get exactly the correct gcc version (and libc?), but I'm not sure it is worth more effort.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/651175 mentions this issue: debug/buildinfo: base64-encode test binaries

gopherbot pushed a commit that referenced this issue Feb 20, 2025
@prattmic @gopherbot
debug/buildinfo: base64-encode test binaries
af00524 
Overzealous security scanners don't like the Go 1.17 binary because they
think it has every 1.17 security vulnerability. base64-encode the binary
to hide from them.

I've also extended the instructions to make the binary easier to
reproduce.

Since we do the Go binary, we might as well do the C binary too, as it
apparently makes some virus scanners unhappy.

Fixes #71753.
For #71734.
For #71821.

Change-Id: I6a6a636cccbf5312522f52f27f74eded64048fb7
Reviewed-on: https://go-review.googlesource.com/c/go/+/651175
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/651235 mentions this issue: [release-branch.go1.24] debug/buildinfo: base64-encode test binaries

@seankhliao seankhliao added the NeedsFix The path to resolution is known, but the work has not been done. label Feb 23, 2025
gopherbot pushed a commit that referenced this issue Feb 26, 2025
@prattmic
[release-branch.go1.24] debug/buildinfo: base64-encode test binaries
e4ef833 
Overzealous security scanners don't like the Go 1.17 binary because they
think it has every 1.17 security vulnerability. base64-encode the binary
to hide from them.

I've also extended the instructions to make the binary easier to
reproduce.

Since we do the Go binary, we might as well do the C binary too, as it
apparently makes some virus scanners unhappy.

Fixes #71858.
For #71753.
For #71734.
For #71821.

Change-Id: I6a6a636cccbf5312522f52f27f74eded64048fb7
Reviewed-on: https://go-review.googlesource.com/c/go/+/651175
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
(cherry picked from commit af00524)
Reviewed-on: https://go-review.googlesource.com/c/go/+/651235
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@prattmic prattmic

Labels
NeedsFix The path to resolution is known, but the work has not been done. Other None of the above.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@yosifkit @prattmic @ianlancetaylor @gopherbot @seankhliao @gabyhelp