Document how to verify the reproducibility of a Mullvad/Tor Browser release build

About the project

  • Contact: @boklm
  • Chat: #tor-browser-dev on irc.oftc.net
  • Video room: no

Participants

Summary

I think many users don't know that our builds are reproducible, or how they can rebuild to verify that they get a matching build.

We could generate a reproducible-build.txt file in the release directory containing the following information:

  • which git repository to clone
  • which commit to checkout
  • which command to use to start the build
  • which sha256sums to expect once the build has finished
  • how to strip the embedded signatures from the .exe and .mar files we publish, so they can be compared against the unsigned build output (the files in the release directory are signed, so their hashes will not match a fresh build until the signatures are removed)
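To show what a verifier could do with such a file, here is an added example (written for this page, not tor-browser-build code) that parses an assumed key/value layout for reproducible-build.txt with an indented sha256sums section, derives the clone/checkout/build commands from it, and compares a local build directory against the published sums, reporting matching, mismatching and missing files. The manifest contents, repository URL, commit and file names below are constructed placeholders; the real file format is still to be decided, and signature stripping for the published .exe/.mar files is left to the tooling that file will describe.

```python
"""Verify a local rebuild against the sums published for a release.

Added example for this proposal, not Tor Browser / tor-browser-build code.
It assumes a simple key/value layout for reproducible-build.txt with an
indented sha256sums section; the real format has not been decided yet.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample manifest in the assumed format.  Repository URL, commit,
# build command and file names are placeholders, not a real release.
SAMPLE_MANIFEST = """\
# reproducible-build.txt (assumed format)
repository: https://example.invalid/tor-browser-build.git
commit: 0123456789abcdef0123456789abcdef01234567
build-command: make mullvadbrowser-release
sha256sums:
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  sample-empty.bin
  5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  sample-hello.txt
"""

_SUM_LINE = re.compile(r"\s*([0-9a-f]{64})\s+\*?(\S.*)$")


def parse_manifest(text):
    """Parse the assumed manifest into a dict; sums end up under 'sha256sums'."""
    info = {"sha256sums": {}}
    in_sums = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if in_sums:
            m = _SUM_LINE.match(line)
            if not m:
                raise ValueError("bad sha256sum line: %r" % line)
            info["sha256sums"][m.group(2).strip()] = m.group(1)
            continue
        key, sep, value = line.partition(":")   # first ':' only, URLs keep theirs
        if not sep:
            raise ValueError("bad manifest line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "sha256sums":
            in_sums = True
        else:
            info[key] = value
    if not re.fullmatch(r"[0-9a-f]{40}", info.get("commit", "")):
        raise ValueError("commit must be a full 40-hex git object id")
    return info


def build_commands(info):
    """Shell steps a user would run to reproduce the build (tor-browser-build layout assumed)."""
    return ["git clone %s tor-browser-build" % info["repository"],
            "cd tor-browser-build",
            "git checkout %s" % info["commit"],
            info["build-command"]]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_build(expected, build_dir):
    """Compare build_dir against {name: sha256}; returns lists ok/mismatch/missing."""
    result = {"ok": [], "mismatch": [], "missing": []}
    for name, digest in sorted(expected.items()):
        # The manifest is fetched from the release directory: never let a
        # file name in it point outside build_dir.
        if os.path.isabs(name) or ".." in name.split("/") or "\\" in name:
            raise ValueError("unsafe file name in manifest: %r" % name)
        path = os.path.join(build_dir, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
        elif sha256_file(path) == digest:
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def reproducible(result):
    """True only when every published artifact was rebuilt bit-for-bit."""
    return not result["mismatch"] and not result["missing"]


def demo():
    """Run the comparison on constructed files: clean, tampered and missing cases."""
    info = parse_manifest(SAMPLE_MANIFEST)
    with tempfile.TemporaryDirectory() as build_dir:
        open(os.path.join(build_dir, "sample-empty.bin"), "wb").close()
        hello = os.path.join(build_dir, "sample-hello.txt")
        with open(hello, "wb") as f:
            f.write(b"hello\n")
        clean = check_build(info["sha256sums"], build_dir)
        with open(hello, "wb") as f:
            f.write(b"hello!\n")         # simulate a non-reproducible artifact
        tampered = check_build(info["sha256sums"], build_dir)
        os.remove(hello)
        missing = check_build(info["sha256sums"], build_dir)
    return clean, tampered, missing


if __name__ == "__main__":
    print("\n".join(build_commands(parse_manifest(SAMPLE_MANIFEST))))
    for label, r in zip(("clean", "tampered", "missing"), demo()):
        print(label, r, "reproducible" if reproducible(r) else "NOT reproducible")
```

The comparison step is the only part a user can run offline; the clone, checkout and build commands are derived from the manifest fields and printed so the user can run them against the real repository. Treating a missing artifact as a failure matters: a manifest that lists more files than the rebuild produced means the rebuild did not cover everything that was published.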

Skills

Need to know how to build Tor Browser.

Links