Developer Information ##################### Reproducible Builds ******************* This section describes how to reproduce the official released binaries for restic for version 0.10.0 and later. For restic versions down to 0.9.3 please refer to the documentation for the respective version. The binary produced depends on the following things: * The source code for the release * The exact version of the official `Go compiler <https://go.dev>`__ used to produce the binaries (running ``restic version`` will print this) * The architecture and operating system the Go compiler runs on (Linux, ``amd64``) * The build tags (for official binaries, it's the tag ``selfupdate``) * The path where the source code is extracted to (``/restic``) * The path to the Go compiler (``/usr/local/go``) * The path to the Go workspace (``GOPATH=/home/build/go``) * Other environment variables (mostly ``$GOOS``, ``$GOARCH``, ``$CGO_ENABLED``) In addition, The compressed ZIP files for Windows depends on the modification timestamp and filename of the binary contained in it. In order to reproduce the exact same ZIP file every time, we update the timestamp of the file ``VERSION`` in the source code archive and set the timezone to Europe/Berlin. In the following example, we'll use the file ``restic-0.14.0.tar.gz`` and Go 1.19 to reproduce the released binaries. 1. Determine the Go compiler version used to build the released binaries, then download and extract the Go compiler into ``/usr/local/go``: .. code:: $ restic version restic 0.14.0 compiled with go1.19 on linux/amd64 $ cd /usr/local $ curl -L https://dl.google.com/go/go1.19.linux-amd64.tar.gz | tar xz 2. Extract the restic source code into ``/restic`` .. code:: $ mkdir /restic $ cd /restic $ TZ=Europe/Berlin curl -L https://github.com/restic/restic/releases/download/v0.14.0/restic-0.14.0.tar.gz | tar xz --strip-components=1 3. Build the binaries for Windows and Linux: .. code:: $ export PATH=/usr/local/go/bin:$PATH $ export GOPATH=/home/build/go $ go version go version go1.19 linux/amd64 $ GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" -tags selfupdate -o restic_linux_amd64 ./cmd/restic $ bzip2 restic_linux_amd64 $ GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" -tags selfupdate -o restic_0.14.0_windows_amd64.exe ./cmd/restic $ touch --reference VERSION restic_0.14.0_windows_amd64.exe $ TZ=Europe/Berlin zip -q -X restic_0.14.0_windows_amd64.zip restic_0.14.0_windows_amd64.exe Building the Official Binaries ****************************** The released binaries for restic are built using a Docker container. You can find it on `Docker Hub <https://hub.docker.com/r/restic/builder>`__ as ``restic/builder``, the ``Dockerfile`` and instructions on how to build the container can be found in the `GitHub repository <https://github.com/restic/builder>`__ The container serves the following goals: * Have a very controlled environment which is independent from the local system * Make it easy to have the correct version of the Go compiler at the right path * Make it easy to pass in the source code to build at a well-defined path The following steps are necessary to build the binaries: 1. Either build the container (see the instructions in the `repository's README <https://github.com/restic/builder>`__). Alternatively, download the container from the hub: .. code:: docker pull restic/builder 2. Extract the source code somewhere: .. code:: tar xvzf restic-0.14.0.tar.gz 3. Create a directory to place the resulting binaries in: .. code:: mkdir output 3. Mount the source code and the output directory in the container and run the default command, which starts ``helpers/build-release-binaries/main.go``: .. code:: docker run --rm \ --volume "$PWD/restic-0.14.0:/restic" \ --volume "$PWD/output:/output" \ restic/builder \ go run helpers/build-release-binaries/main.go --version 0.14.0 4. If anything goes wrong, you can enable debug output like this: .. code:: docker run --rm \ --volume "$PWD/restic-0.14.0:/restic" \ --volume "$PWD/output:/output" \ restic/builder \ go run helpers/build-release-binaries/main.go --version 0.14.0 --verbose Verifying the Official Binaries ******************************* To verify the official binaries, you can either build them yourself using the above instructions or use the ``helpers/verify-release-binaries.sh`` script from the restic repository. Run it as ``helpers/verify-release-binaries.sh restic_version go_version``. The specified go compiler version must match the one used to build the official binaries. For example, for restic 0.16.2 the command would be ``helpers/verify-release-binaries.sh 0.16.2 1.21.3``. The script requires bash, curl, docker (version >= 25.0), git, gpg, shasum and tar. The script first downloads all release binaries, checks the SHASUM256 file and its signature. Afterwards it checks that the tarball matches the restic git repository contents, before first reproducing the builder docker container and finally the restic binaries. As final step, the restic binary in both the docker hub images and the GitHub container registry is verified. If any step fails, then the script will issue a warning. Prepare a New Release ********************* Publishing a new release of restic requires many different steps. We've automated this in the Go program ``helpers/prepare-release/main.go`` which also includes checking that e.g. the changelog is correctly generated. The only required argument is the new version number (in `Semantic Versioning <https://semver.org/>`__ format ``MAJOR.MINOR.PATCH``): .. code:: go run helpers/prepare-release/main.go 0.14.0 Checks can be skipped on demand via flags, please see ``--help`` for details. The build process requires ``docker``, ``docker-buildx`` and ``qemu-user-static-binfmt``.