Developer Information

Reproducible Builds

This section describes how to reproduce the official released binaries for restic for version 0.10.0 and later. For restic versions down to 0.9.3 please refer to the documentation for the respective version. The binary produced depends on the following things:

  • The source code for the release

  • The exact version of the official Go compiler used to produce the binaries (running restic version will print this)

  • The architecture and operating system the Go compiler runs on (Linux, amd64)

  • The build tags (for official binaries, it’s the tag selfupdate)

  • The path where the source code is extracted to (/restic)

  • The path to the Go compiler (/usr/local/go)

  • The path to the Go workspace (GOPATH=/home/build/go)

  • Other environment variables (mostly $GOOS, $GOARCH, $CGO_ENABLED)

In addition, The compressed ZIP files for Windows depends on the modification timestamp and filename of the binary contained in it. In order to reproduce the exact same ZIP file every time, we update the timestamp of the file VERSION in the source code archive and set the timezone to Europe/Berlin.

In the following example, we’ll use the file restic-0.14.0.tar.gz and Go 1.19 to reproduce the released binaries.

  1. Determine the Go compiler version used to build the released binaries, then download and extract the Go compiler into /usr/local/go:

$ restic version
restic 0.14.0 compiled with go1.19 on linux/amd64
$ cd /usr/local
$ curl -L | tar xz
  1. Extract the restic source code into /restic

$ mkdir /restic
$ cd /restic
$ TZ=Europe/Berlin curl -L | tar xz --strip-components=1
  1. Build the binaries for Windows and Linux:

$ export PATH=/usr/local/go/bin:$PATH
$ export GOPATH=/home/build/go
$ go version
go version go1.19 linux/amd64

$ GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" -tags selfupdate -o restic_linux_amd64 ./cmd/restic
$ bzip2 restic_linux_amd64

$ GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" -tags selfupdate -o restic_0.14.0_windows_amd64.exe ./cmd/restic
$ touch --reference VERSION restic_0.14.0_windows_amd64.exe
$ TZ=Europe/Berlin zip -q -X restic_0.14.0_windows_amd64.exe

Building the Official Binaries

The released binaries for restic are built using a Docker container. You can find it on Docker Hub as restic/builder, the Dockerfile and instructions on how to build the container can be found in the GitHub repository

The container serves the following goals: * Have a very controlled environment which is independent from the local system * Make it easy to have the correct version of the Go compiler at the right path * Make it easy to pass in the source code to build at a well-defined path

The following steps are necessary to build the binaries:

  1. Either build the container (see the instructions in the repository’s README). Alternatively, download the container from the hub:

docker pull restic/builder
  1. Extract the source code somewhere:

tar xvzf restic-0.14.0.tar.gz
  1. Create a directory to place the resulting binaries in:

mkdir output
  1. Mount the source code and the output directory in the container and run the default command, which starts helpers/build-release-binaries/main.go:

docker run --rm \
    --volume "$PWD/restic-0.14.0:/restic" \
    --volume "$PWD/output:/output" \
    restic/builder \
    go run helpers/build-release-binaries/main.go --version 0.14.0
  1. If anything goes wrong, you can enable debug output like this:

docker run --rm \
    --volume "$PWD/restic-0.14.0:/restic" \
    --volume "$PWD/output:/output" \
    restic/builder \
    go run helpers/build-release-binaries/main.go --version 0.14.0 --verbose

Verifying the Official Binaries

To verify the official binaries, you can either build them yourself using the above instructions or use the helpers/ script from the restic repository. Run it as helpers/ restic_version go_version. The specified go compiler version must match the one used to build the official binaries. For example, for restic 0.16.2 the command would be helpers/ 0.16.2 1.21.3.

The script requires bash, curl, docker (version >= 25.0), git, gpg, shasum and tar.

The script first downloads all release binaries, checks the SHASUM256 file and its signature. Afterwards it checks that the tarball matches the restic git repository contents, before first reproducing the builder docker container and finally the restic binaries. As final step, the restic binary in both the docker hub images and the GitHub container registry is verified. If any step fails, then the script will issue a warning.

Prepare a New Release

Publishing a new release of restic requires many different steps. We’ve automated this in the Go program helpers/prepare-release/main.go which also includes checking that e.g. the changelog is correctly generated. The only required argument is the new version number (in Semantic Versioning format MAJOR.MINOR.PATCH):

go run helpers/prepare-release/main.go 0.14.0

Checks can be skipped on demand via flags, please see --help for details.

The build process requires docker, docker-buildx and qemu-user-static-binfmt.