[bisq-network/proposals] Deterministic build (#89)

Manfred Karrer notifications at github.com
Mon May 13 09:29:58 UTC 2019

> _This is a Bisq Network proposal. Please familiarize yourself with the [submission and review process](https://docs.bisq.network/proposals.html)._

To increase security for the Bisq binary we should implement a deterministic build system similar to Gitian build used in Bitcoin. 

The jar file is already deterministic and we provide a hash at the releases so everyone can verify the jar. The java packager though does not create deterministic results by default. It needs more investigation to find out how to change the java packager setup and process to enable deterministic results there.

Another challenge is the code signing used for OSX (and should also be used for Windows in future). The signatures are part of the binary and without the private key nobody could generate the same signatures. We need to check out how Bitcoin has solved that problem. One option might be to extract the signatures when doing the verification, so one cannot verify the whole binary but only the binary excluding the signatures. That should not be a big problem as on OSX the binary is just a container and the signatures are files inside. It would only require a convenient tool to do that. 
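
An added sketch of the "convenient tool" mentioned above, not code from Bisq or Bitcoin: it hashes a bundle directory while skipping signature directories, so a signed release and an unsigned rebuild compare equal. The `_CodeSignature` directory name, the sample bundle layout and all function names are assumptions of this example; signatures embedded inside Mach-O executables are not handled.

```python
import hashlib
import os
import tempfile

# Assumption: signature data sits in directories with this name inside the bundle.
SIGNATURE_DIRS = frozenset({"_CodeSignature"})

def bundle_digest(root, skip_dirs=SIGNATURE_DIRS):
    """Hash every path and file body under root, pruning signature directories."""
    outer = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        # Sorting in place fixes the traversal order; filtering prunes the walk.
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in sorted(filenames + links):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):
                kind, body = b"link", os.readlink(path).encode()
            else:
                with open(path, "rb") as fh:
                    kind, body = b"file", fh.read()
            # Length-prefix each field so (path, content) pairs cannot collide.
            for field in (kind, rel.encode(), hashlib.sha256(body).digest()):
                outer.update(len(field).to_bytes(4, "big") + field)
    return outer.hexdigest()

def make_bundle(parent, name, jar_bytes, signature_bytes):
    """Write a constructed sample bundle (not a real Bisq release)."""
    contents = os.path.join(parent, name, "Contents")
    for sub, fname, data in (("Java", "app.jar", jar_bytes),
                             ("_CodeSignature", "CodeResources", signature_bytes)):
        os.makedirs(os.path.join(contents, sub))
        with open(os.path.join(contents, sub, fname), "wb") as fh:
            fh.write(data)
    return os.path.join(parent, name)

def demo():
    """Compare a signed bundle with an unsigned rebuild and a modified copy."""
    with tempfile.TemporaryDirectory() as tmp:
        signed = make_bundle(tmp, "signed", b"jar-v1", b"developer signature")
        rebuilt = make_bundle(tmp, "rebuilt", b"jar-v1", b"")
        tampered = make_bundle(tmp, "tampered", b"jar-v1-modified", b"developer signature")
        return (bundle_digest(signed) == bundle_digest(rebuilt),
                bundle_digest(signed) == bundle_digest(tampered),
                bundle_digest(signed, set()) == bundle_digest(rebuilt, set()))

if __name__ == "__main__":
    print(demo())
```

The third comparison hashes the signature files too and no longer matches, which is the problem the proposal describes for whole-binary verification.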
