Description
We currently distribute binary releases that people can use to download and install MacVim. We should add reproducible builds so that the binary we release is deterministic and reproducible and can be easily built on a local machine by any third party in an identical fashion.
Some motivations include the fact that supply chain attacks are real and while MacVim is unlikely a high-value target, it's still useful to reduce the likelihood of such problem happening to begin with. Also, with the deprecation of the macos-12 GitHub Action runner we will need to find another way to build the legacy MacVim binaries (either via a custom VM, or another CI service like Circle CI), and it would be nice to have some standard way to compare the generated artifacts and to have trust in the process working.
Note that we distribute signed apps, which is signed by a private key that only the maintainer controls, so it's impossible to have an artifact (MacVim.app) that can be compared bit-by-bit to a local build. We will need to provide a script that could strip the app signature before comparing.
- Use relative paths for debug symbols and reproducible linker flags when building Vim
- Use
SOURCE_DATE_EPOCHto make builds not dependent on date/time. - Add documentation, and refactor build scripts (also necessary when adding another CI system) to make it more easily to build locally with the same flags.
- Add CI output artifacts that contain necessary environment info.
- Add user script that could compare two apps by stripping the signature and then compare the result binaries.
- CI test to validate reproducible builds.
- Test in older versions of Xcode to make sure didn't break anything.
Related:
- Add support for exporting dSYM files as part of build steps. These contain debug symbols and help diagnose crash issues for users. Make sure to use relative paths as it's necessary for reproducibility.