Reproducible Builds regression: dns-fallback.json

[kpcyrd]

Using a supported version?

• I have searched searched open and closed issues for duplicates.
• I am using Signal-Desktop as provided by the Signal team, not a 3rd-party package.

Overall summary

Arch Linux is very far in implementing reproducible builds and has multiple independent groups that compare the official binaries with the binaries they compiled on their own computers.

This has been working fine for signal-desktop the last few years, today I noticed signal-desktop is currently listed as "not reproducible" on https://reproducible.archlinux.org/ (the instance that is run by Arch Linux staff):

The rebuilder has generated a semantic diff (although it doesn't understand .asar that well):

https://web.archive.org/web/20240311104937/https://reproducible.archlinux.org/api/v0/builds/594200/diffoscope

This might be somewhat difficult to read, most of the differences are an offset being off-by-one, but the first difference seems to be:

│ │  00072d70: 3238 3834 3634 3832 227d 2c22 646e 732d  28846482"},"dns-
│ │  00072d80: 6661 6c6c 6261 636b 2e6a 736f 6e22 3a7b  fallback.json":{
│ │ -00072d90: 2273 697a 6522 3a34 3530 312c 2269 6e74  "size":4501,"int
│ │ +00072d90: 2273 697a 6522 3a34 3530 322c 2269 6e74  "size":4502,"int
│ │  00072da0: 6567 7269 7479 223a 7b22 616c 676f 7269  egrity":{"algori
│ │  00072db0: 7468 6d22 3a22 5348 4132 3536 222c 2268  thm":"SHA256","h

So the content of dns-fallback.json became 1 byte larger in the second build.

Ater a quick search in the source code I found ts/scripts/generate-dns-fallback.ts which seems to define how this file is generated.

The content of build/dns-fallback.json as currently distributed by Arch Linux:

[
  {
    "domain": "cdn.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "52.85.243.122"
      },
      {
        "family": "ipv4",
        "address": "52.85.243.45"
      },
      {
        "family": "ipv4",
        "address": "52.85.243.48"
      },
      {
        "family": "ipv4",
        "address": "52.85.243.51"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:0:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:3800:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:5a00:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:6000:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:6e00:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:ca00:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:d000:1d:4f32:50c0:93a1"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:20ab:e800:1d:4f32:50c0:93a1"
      }
    ]
  },
  {
    "domain": "cdn2.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "104.18.37.148"
      },
      {
        "family": "ipv4",
        "address": "172.64.150.108"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::6812:2594"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::ac40:966c"
      }
    ]
  },
  {
    "domain": "cdn3.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "104.18.37.148"
      },
      {
        "family": "ipv4",
        "address": "172.64.150.108"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::6812:2594"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::ac40:966c"
      }
    ]
  },
  {
    "domain": "cdsi.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "40.122.45.194"
      },
      {
        "family": "ipv6",
        "address": "2603:1030:7::1"
      }
    ]
  },
  {
    "domain": "chat.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "13.248.212.111"
      },
      {
        "family": "ipv4",
        "address": "76.223.92.165"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:a507:ab6d:4ce3:2f58:25d7:9cbf"
      },
      {
        "family": "ipv6",
        "address": "2600:9000:a61f:527c:d5eb:a431:5239:3232"
      }
    ]
  },
  {
    "domain": "create.signal.art",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "3.212.48.146"
      },
      {
        "family": "ipv4",
        "address": "34.225.135.26"
      },
      {
        "family": "ipv4",
        "address": "34.237.179.85"
      },
      {
        "family": "ipv4",
        "address": "44.207.181.6"
      },
      {
        "family": "ipv4",
        "address": "52.204.93.252"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a400:de47:813d:5ced:e4ad"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a401:5c61:96fd:2912:fd11"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a402:8d24:5bdf:4599:d940"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a403:2b1b:7db6:c854:78e2"
      },
      {
        "family": "ipv6",
        "address": "2600:1f18:3b01:a404:6629:1881:83cc:3cfa"
      }
    ]
  },
  {
    "domain": "sfu.voip.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "35.244.140.160"
      },
      {
        "family": "ipv6",
        "address": "2600:1901:0:feb2::"
      }
    ]
  },
  {
    "domain": "storage.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "142.250.74.115"
      },
      {
        "family": "ipv6",
        "address": "2a00:1450:400f:805::2013"
      }
    ]
  },
  {
    "domain": "updates2.signal.org",
    "endpoints": [
      {
        "family": "ipv4",
        "address": "104.18.43.97"
      },
      {
        "family": "ipv4",
        "address": "172.64.144.159"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::6812:2b61"
      },
      {
        "family": "ipv6",
        "address": "2606:4700:4400::ac40:909f"
      }
    ]
  }
]

It seems storage.signal.org has changed from 142.250.74.115 to 142.250.181.211 (causing the 1 byte increase).

Embedding this kind of data is generally fine in Arch Linux, however could this file be attached to the github release as an artifact? The "official" dns-fallback.json is currently only available inside of the official signal-desktop .deb. :)

Currently these build instructions are used:

git lfs install
cd sticker-creator
yarn install
cd ..
yarn install --ignore-engines

Suggestions on how to edit this very welcome! 🫶

This is somewhat related to #6814.

Thanks!

Steps to reproduce

• Build from source code
• Wait for dns records to update
• Build from source again (same source code, same build environment)

Expected result

• Identical signal-desktop binaries

Actual result

• signal-desktop binaries differ

Screenshots

Signal version

7.1.1

Operating system

Arch Linux

Version of Signal on your phone

No response

Link to debug log

No response

[kpcyrd]

I've setup a project that automatically extracts the official dns-fallback.json from updates.signal.org and makes it available on github as a release artifact:

https://github.com/kpcyrd/signal-desktop-dns-fallback-extractor

The dns-fallback.json for each signal-desktop release can be downloaded like this:

https://raw.githubusercontent.com/kpcyrd/signal-desktop-dns-fallback-extractor/${pkgver}/dns-fallback.json

[hackerbirds]

I think this change was a mistake. While I understand manually updating the DNS fallback IPs is annoying for the devs, making builds reproducible/deterministic for users to verify should be considered way more important.

Further, the DNS fallback will end up being the same for everyone in that official build, and only changes weekly, so doing it dynamically as if they were pushing updates all the time doesn't really make sense I feel.

I suggest the following change for the Signal devs: remove the generated dns-fallback.json from the .gitignore, and if the file is present, use it when running npm run build-release. Then, users could use this pre-generated dns-fallback.json in their own builds, and compare it with the official version.

The only chore this would give the devs is having to run npm run build:dns-fallback before pushing their weekly updates to the main branch. Maybe this could even be done with CI/CD.

[kpcyrd]

Personally I'm fine with how things work at the moment, I'd gladly retire my signal-desktop-dns-fallback-extractor project as soon as it's not needed anymore, but keeping it around is fairly low-maintenance for me. There haven't been any reproducible builds issues since.

The only downside is how there's no checks/controls (that I'm aware of) to ensure the dns-fallback.json files I release match the files signal.org has released.

[hackerbirds]

hey, I have an update: this should no longer be an issue as of 620392e as part of work to make Linux builds reproducible

[kpcyrd]

This is fixed in the latest 7.21.0 release, thank you very much!