Add --verifiable flag to stellar contract build#2585
Draft
fnando wants to merge 19 commits into
Draft
Conversation
fnando
force-pushed
the
contract-build-verifiable
branch
from
bdca27b to
629046f
Compare
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
fnando
force-pushed
the
contract-build-verifiable
branch
from
9765c11 to
557647b
Compare
fnando
force-pushed
the
contract-build-verifiable
branch
from
557647b to
6e7c125
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a
--verifiableflag tostellar contract buildthat performs a reproducible build inside a digest-pinned Docker container and stamps SEP-58 metadata (bldimg,source_uri,source_sha256,bldopt) into the resulting WASM so third parties can re-run the build and verify the output byte-for-byte.New flags, all grouped under a
Verifiablehelp section:--verifiable— opt in to the reproducible build mode; implies--locked, infers--package(the default-member cdylib contracts) when omitted, and requires a clean git working tree.--image— override the auto-selected container image. Must be digest-pinned (...@sha256:...); tag-only refs are rejected sobldimgstays content-addressed.--source-sha256— SEP-58 source identification: 64-char SHA-256 of the source. Optional — the archive is always generated and its SHA-256 computed for you. When supplied it acts as a pin: the build fails if it doesn't match the generated archive.--source-uri— SEP-58 source identification: URI where the source can be obtained (any scheme, e.g.https://example.com/src.tar.gz). Optional.-d/--docker-host(also readsDOCKER_HOST) — override the docker daemon endpoint.A
--verifiablebuild always generates the reproducible source archive, records its SHA-256 assource_sha256, writes a content-addressed copy to the data dir'sarchives/<sha256>.tar.gz, and builds from the extracted (permission-hardened) copy so the WASM comes from exactly the bytes that were hashed. In a git repo the archive isgit archive HEAD; otherwise the working directory is archived, skipping common build/VCS/editor/AI/secret entries.Each contract — explicit
--packageor inferred — is built with its own--package, which is forwarded to the build and recorded as abldopt, so every WASM is independently reproducible and stable even if the workspace's default members change later. Multi-contract workspaces build every contract in a single container so the crates download, compiled dependencies, andtarget/are shared.Every
bldoptis recorded as valid shell syntax: each build option is shell-escaped once at the source, quoting only the value side, so a verifier can join the recordedbldopts and replay the exact invocation through a shell. A flag like--env B='this is very nice'is stored as--env=B='this is very nice'(flag and key outside the quotes), which round-trips back to the original argument. Run with--verboseto print the fulldocker run …command the build executes (the same command surfaced in the error message if the container build fails).--env NAME=VALUESome contracts read environment variables at build time (build scripts, proc-macros,
env!).--env(repeatable) sets them for the build and lives on the shared build options, socontract build,deploy, anduploadall accept it:--verifiableit's set on the local build process.--verifiableit's passed to the container (docker-e) and recorded as its ownbldopt(shell-escaped, e.g.--env=B='this is very nice') so a verifier replays the same build. Because it's embedded in the WASM meta, avoid secrets here.Names are validated (
[A-Za-z_][A-Za-z0-9_]*); values are kept verbatim.stellar contract archiveA standalone command to generate — or inspect — the same reproducible archive a verifiable build uses, sharing the exact byte-generation logic so the output is identical:
-o/--out-file <PATH>— write the gzipped tarball. Must end in.tar.gzor.tgz. Required unless--dry-run.--manifest-path— locate the source root (its enclosing git repo, or the working directory).--dry-run— list the entries that would be archived plus the computedsource_sha256, without writing anything. Handy for confirming contents before a verifiable build, or for producing the artifact to host at a--source-uri.Why
SEP-58 defines how to verify that a deployed contract WASM came from a specific source built with a specific toolchain image. Until now the CLI had no built-in way to produce such a build — users had to assemble the docker invocation, run cargo inside it, and stamp the custom sections by hand. This makes it a first-class option on
stellar contract build, and the source archive (auto-generated on build, or produced/inspected viastellar contract archive) closes the loop by being the exact artifact thatsource_sha256refers to.Known limitations
source_uri, checksource_sha256, rebuild, byte-compare) is not part of this PR.