Verifying and reproducing release builds

Obtain release signing key

To verify the signature of _sha256sums or APKs you need to obtain the signing key. You can get it from keyservers:

gpg --keyserver hkps://keys.openpgp.org --search build@simplex.chat
gpg --keyserver hkps://keyserver.ubuntu.com --search build@simplex.chat

gpg --list-keys build@simplex.chat

Once you obtain the signing key, verify that its fingerprint is:

BBDF 7BDA D154 8B16 836A F5B9 D53B DFD1 53C3 66BA

Additionally, compare the key fingerprint with:

- simplexchat.eth (release key record)
- Mastodon (profile)
- Reddit (side panel)

You can set the imported key as "ultimately trusted":

echo -e "trust\n5\ny\nquit" | gpg --command-fd 0 --edit-key build@simplex.chat

Verify release signature

Linux desktop apps and CLI:

Download the file with executable hashes and the signature. For example, to verify the v6.5.0-beta.3 release:

curl -LO 'https://github.com/simplex-chat/simplex-chat/releases/download/v6.5.0-beta.3/_sha256sums.asc'
curl -LO 'https://github.com/simplex-chat/simplex-chat/releases/download/v6.5.0-beta.3/_sha256sums'

Verify the signature:

gpg --verify _sha256sums.asc _sha256sums

Android APKs:

Download the APK files and signatures. For example, to verify the v6.5.0-beta.3 release:

curl -LO 'https://github.com/simplex-chat/simplex-chat/releases/download/v6.5.0-beta.3/simplex-aarch64.apk'
curl -LO 'https://github.com/simplex-chat/simplex-chat/releases/download/v6.5.0-beta.3/_simplex-aarch64.apk.asc'
curl -LO 'https://github.com/simplex-chat/simplex-chat/releases/download/v6.5.0-beta.3/simplex-armv7a.apk'
curl -LO 'https://github.com/simplex-chat/simplex-chat/releases/download/v6.5.0-beta.3/_simplex-armv7a.apk.asc'

Verify the signatures:

gpg --verify _simplex-armv7a.apk.asc simplex-armv7a.apk
gpg --verify _simplex-aarch64.apk.asc simplex-aarch64.apk

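`gpg --verify` reports a good signature for any public key present in the keyring, so a scripted check should also confirm which key made it. The following added example (not part of the original page or of the SimpleX project's scripts) pins the fingerprint given above by parsing GnuPG's machine-readable status output; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SimpleX project code: accept a signature only when it
# was made by the key whose fingerprint this page publishes.
EXPECTED_FPR='BBDF 7BDA D154 8B16 836A F5B9 D53B DFD1 53C3 66BA'

# Strip spaces and upper-case, so the printed form compares with gpg's output.
normalize_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only when there
# is a GOODSIG, a VALIDSIG whose last field (primary key fingerprint) equals
# the pinned one, and no bad, expired or revoked signature status.
status_is_pinned_good() {
  awk -v want="$(normalize_fpr "$1")" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "GOODSIG" { good = 1 }
    $2 == "VALIDSIG" && toupper($NF) == want { pinned = 1 }
    END { exit !(good && pinned && !bad) }'
}

# verify_pinned SIGNATURE FILE: the page's `gpg --verify`, plus the pin.
verify_pinned() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    status_is_pinned_good "$EXPECTED_FPR"
}

# Constructed status output (dates and algorithm numbers are made up): a good
# signature by the pinned key, and a good signature by another keyring key.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D53BDFD153C366BA build@simplex.chat
[GNUPG:] VALIDSIG BBDF7BDAD1548B16836AF5B9D53BDFD153C366BA 2025-01-01 1735689600 0 4 0 22 10 00 BBDF7BDAD1548B16836AF5B9D53BDFD153C366BA'
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCDDEEFF01234567 someone@example.org
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2025-01-01 1735689600 0 4 0 22 10 00 00112233445566778899AABBCCDDEEFF01234567'

report() {  # report LABEL STATUS_TEXT
  if printf '%s\n' "$2" | status_is_pinned_good "$EXPECTED_FPR"
  then echo "$1: accepted"; else echo "$1: rejected"; fi
}
report 'pinned key' "$SAMPLE_PINNED"
report 'other key' "$SAMPLE_OTHER"
```

With the release files downloaded as above, `verify_pinned _sha256sums.asc _sha256sums` returns 0 only for a signature from the pinned key.
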
How to reproduce builds

To reproduce the build you must have:

- Linux machine
- x86-64 architecture
- Installed docker, curl and git

Server binaries

- Download script:

  curl -LO 'https://raw.githubusercontent.com/simplex-chat/simplexmq/refs/heads/master/scripts/simplexmq-reproduce-builds.sh'

- Make it executable:

  chmod +x simplexmq-reproduce-builds.sh

- Execute the script with the required tag:

  ./simplexmq-reproduce-builds.sh 'v6.3.1'

  The script executes these steps (please review the script to confirm):

  - builds all server binaries for the release in a docker container.
  - downloads binaries from the same GitHub release and compares them with the built binaries.
  - if they all match, generates the _sha256sums file with their checksums.

  This will take a while.

- After compilation, you should see a folder named after the tag and repository name (e.g., v6.3.1-simplexmq) with two subfolders:

  ls v6.3.1-simplexmq

  from-source prebuilt _sha256sums

  The file _sha256sums contains the hashes of all builds - you can compare it with the same file in the GitHub release.

Linux desktop apps and CLI

- Download script:

  curl -LO 'https://raw.githubusercontent.com/simplex-chat/simplex-chat/refs/heads/master/scripts/simplex-chat-reproduce-builds.sh'

- Make it executable:

  chmod +x simplex-chat-reproduce-builds.sh

- Execute the script with the required tag:

  ./simplex-chat-reproduce-builds.sh 'v6.4.8'

  The script executes these steps (please review the script to confirm):

  - builds all Linux CLI and Desktop binaries for the release in a docker container.
  - downloads binaries from the same GitHub release and compares them with the built binaries.
  - if they all match, generates the _sha256sums file with their checksums.

  This will take a while.

- After compilation, you should see a folder named after the tag and repository name (e.g., v6.4.8-simplex-chat) with two subfolders:

  ls v6.4.8-simplex-chat

  from-source prebuilt _sha256sums

  The file _sha256sums contains the hashes of all builds - you can compare it with the same file in the GitHub release.

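For the comparison suggested at the end of the server and desktop sections, the following added example (not the project's own script) compares a locally generated _sha256sums with the signature-verified copy from the release, ignoring line order. It assumes the file uses the standard `sha256sum` line format; the function names and sample entries are constructed.

```shell
#!/bin/sh
# Added example, not SimpleX project code. Assumes each _sha256sums line is in
# `sha256sum` format: 64 hex digits, a space, a space or "*", then the name.

# compare_sums LOCAL RELEASE: prints one line per problem and returns 0 only
# when both files list the same names with the same hashes (order ignored).
compare_sums() {
  awk '
    function name_of(line) { sub(/^[^ ]+ [ *]/, "", line); return line }
    NF == 0 { next }
    length($1) != 64 || $1 !~ /^[0-9a-fA-F]+$/ || NF < 2 {
      print "MALFORMED " FILENAME ": " $0; bad = 1; next }
    FILENAME == ARGV[1] { loc[name_of($0)] = tolower($1); next }
    { n = name_of($0); seen[n] = 1
      if (!(n in loc))                { print "ONLY-IN-RELEASE " n; bad = 1 }
      else if (loc[n] != tolower($1)) { print "MISMATCH " n; bad = 1 } }
    END { for (n in loc) if (!(n in seen)) { print "ONLY-IN-LOCAL " n; bad = 1 }
          exit bad + 0 }' "$1" "$2"
}

# hex64 CHAR: a constructed 64-character stand-in for a real SHA-256 digest.
hex64() { printf '%064d' 0 | tr 0 "$1"; }

# Constructed sample: same two entries in a different order, one hash differs.
demo_compare() {
  d=$(mktemp -d) || return 2
  { printf '%s  example-cli\n' "$(hex64 a)"
    printf '%s  example-desktop.deb\n' "$(hex64 b)"; } > "$d/release"
  { printf '%s  example-desktop.deb\n' "$(hex64 c)"
    printf '%s  example-cli\n' "$(hex64 a)"; } > "$d/local"
  compare_sums "$d/local" "$d/release"; rc=$?
  rm -rf "$d"; return "$rc"
}

demo_compare || echo "local build differs from the release"
```
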
Android apps

In addition to the basic requirements, the Android build will:

- Take ~150gb of disk space
- Take ~20h to build all the architectures (depends on core count)
- Require at least 16gb of RAM

- Download script:

  curl -LO 'https://raw.githubusercontent.com/simplex-chat/simplex-chat/refs/heads/master/scripts/simplex-chat-reproduce-builds-android.sh'

- Make it executable:

  chmod +x simplex-chat-reproduce-builds-android.sh

- Execute the script with the required tag:

  ./simplex-chat-reproduce-builds-android.sh 'v6.5.0-beta.3'

  The script executes these steps (please review the script to confirm):

  - Downloads and checks that APKs from GitHub are signed with a valid key.
  - Builds Android APKs in a docker container.
  - Compares the releases by copying the signature from downloaded APKs to locally built APKs.
  - If the resulting build is bit-by-bit identical, prints the message that this tag was reproduced.

  This will take a while.