feat: Add docker reproducible builds (#6799)

Which issue # does this PR address?

This PR addresses reproducible builds. The current dockerfile builds the lighthouse binary but not reproducibly.
You can verify that by following these steps:
```
docker build --no-cache --output=. .
mv usr/local/bin/lighthouse lighthouse1
rm usr/local/bin/lighthouse
docker build --no-cache --output=. .
mv usr/local/bin/lighthouse lighthouse2
sha256sum lighthouse1 lighthouse2
```
You will notice that each one of the binaries has a different checksum upon each build. This is critical for systems that depend on requiring reproducible builds, such as running lighthouse in confidential computing, like Intel TDX.


This PR adds a new build profile as well as a Dockerfile.reproducible that enables building the lighthouse binary reproducibly.
By following the steps I listed above, you will be able to verify that the resulting binary has the same hash upon several subsequent builds for the same version.

How to test it:
```
mkdir output1 output2
docker build --no-cache -f Dockerfile.reproducible --output=output1 .
docker build --no-cache -f Dockerfile.reproducible --output=output2 .
sha256sum output1/lighthouse output2/lighthouse
# hashes should be identical
rm -rf output1 output2
```
Moe Mahhouk
2025-05-19 10:02:06 +02:00
committed by GitHub
parent 5393d33af8
commit 1e6cdeb88a
3 changed files with 82 additions and 0 deletions

@@ -82,6 +82,37 @@ build-lcli-aarch64:
build-lcli-riscv64:
cross build --bin lcli --target riscv64gc-unknown-linux-gnu --features "portable" --profile "$(CROSS_PROFILE)" --locked
# extracts the current source date for reproducible builds
SOURCE_DATE := $(shell git log -1 --pretty=%ct)
# Default image for x86_64
RUST_IMAGE_AMD64 ?= rust:1.82-bullseye@sha256:ac7fe7b0c9429313c0fe87d3a8993998d1fe2be9e3e91b5e2ec05d3a09d87128
# Reproducible build for x86_64
build-reproducible-x86_64:
DOCKER_BUILDKIT=1 docker build \
--build-arg RUST_TARGET="x86_64-unknown-linux-gnu" \
--build-arg RUST_IMAGE=$(RUST_IMAGE_AMD64) \
--build-arg SOURCE_DATE=$(SOURCE_DATE) \
-f Dockerfile.reproducible \
-t lighthouse:reproducible-amd64 .
# Default image for arm64
RUST_IMAGE_ARM64 ?= rust:1.82-bullseye@sha256:3c1b8b6487513ad4e753d008b960260f5bcc81bf110883460f6ed3cd72bf439b
# Reproducible build for aarch64
build-reproducible-aarch64:
DOCKER_BUILDKIT=1 docker build \
--platform linux/arm64 \
--build-arg RUST_TARGET="aarch64-unknown-linux-gnu" \
--build-arg RUST_IMAGE=$(RUST_IMAGE_ARM64) \
--build-arg SOURCE_DATE=$(SOURCE_DATE) \
-f Dockerfile.reproducible \
-t lighthouse:reproducible-arm64 .
# Build both architectures
build-reproducible-all: build-reproducible-x86_64 build-reproducible-aarch64
# Create a `.tar.gz` containing a binary for a specific target.
define tarball_release_binary
cp $(1)/lighthouse $(BIN_DIR)/lighthouse
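
Review bot: `SOURCE_DATE := $(shell git log -1 --pretty=%ct)` at the top of the added block is expanded when the Makefile is parsed, so the git call runs for every make invocation, and it yields an empty string when the tree is not a git checkout (a source tarball, for example), in which case both reproducible targets pass `--build-arg SOURCE_DATE=` with no value. Consider `SOURCE_DATE ?= $(shell git log -1 --pretty=%ct)` so the timestamp can also come from the environment, plus a guard in the two targets that fails when it is empty. Separately, `build-reproducible-aarch64` passes `--platform linux/arm64` while `build-reproducible-x86_64` passes no `--platform`, so the x86_64 build relies on the host's default platform; adding `--platform linux/amd64` would make the two targets symmetric and independent of the build host. The `$(RUST_IMAGE_AMD64)`, `$(RUST_IMAGE_ARM64)` and `$(SOURCE_DATE)` arguments are also unquoted where `RUST_TARGET` is quoted, which is worth making consistent.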