Developer Information
Reproducible Builds
This section describes how to reproduce the official released binaries for restic for version 0.10.0 and later. For restic versions down to 0.9.3 please refer to the documentation for the respective version. The binary produced depends on the following things:
The source code for the release
The exact version of the official Go compiler used to produce the binaries (running
restic version
will print this)The architecture and operating system the Go compiler runs on (Linux,
amd64
)The build tags (for official binaries, it’s the tag
selfupdate
)The path where the source code is extracted to (
/restic
)The path to the Go compiler (
/usr/local/go
)The path to the Go workspace (
GOPATH=/home/build/go
)Other environment variables (mostly
$GOOS
,$GOARCH
,$CGO_ENABLED
)
In addition, The compressed ZIP files for Windows depends on the modification
timestamp and filename of the binary contained in it. In order to reproduce the
exact same ZIP file every time, we update the timestamp of the file VERSION
in the source code archive and set the timezone to Europe/Berlin.
In the following example, we’ll use the file restic-0.14.0.tar.gz
and Go
1.19 to reproduce the released binaries.
Determine the Go compiler version used to build the released binaries, then download and extract the Go compiler into
/usr/local/go
:
$ restic version
restic 0.14.0 compiled with go1.19 on linux/amd64
$ cd /usr/local
$ curl -L https://dl.google.com/go/go1.19.linux-amd64.tar.gz | tar xz
Extract the restic source code into
/restic
$ mkdir /restic
$ cd /restic
$ TZ=Europe/Berlin curl -L https://github.com/restic/restic/releases/download/v0.14.0/restic-0.14.0.tar.gz | tar xz --strip-components=1
Build the binaries for Windows and Linux:
$ export PATH=/usr/local/go/bin:$PATH
$ export GOPATH=/home/build/go
$ go version
go version go1.19 linux/amd64
$ GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" -tags selfupdate -o restic_linux_amd64 ./cmd/restic
$ bzip2 restic_linux_amd64
$ GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-s -w" -tags selfupdate -o restic_0.14.0_windows_amd64.exe ./cmd/restic
$ touch --reference VERSION restic_0.14.0_windows_amd64.exe
$ TZ=Europe/Berlin zip -q -X restic_0.14.0_windows_amd64.zip restic_0.14.0_windows_amd64.exe
Building the Official Binaries
The released binaries for restic are built using a Docker container. You can
find it on Docker Hub as
restic/builder
, the Dockerfile
and instructions on how to build the
container can be found in the GitHub repository
The container serves the following goals: * Have a very controlled environment which is independent from the local system * Make it easy to have the correct version of the Go compiler at the right path * Make it easy to pass in the source code to build at a well-defined path
The following steps are necessary to build the binaries:
Either build the container (see the instructions in the repository’s README). Alternatively, download the container from the hub:
docker pull restic/builder
Extract the source code somewhere:
tar xvzf restic-0.14.0.tar.gz
Create a directory to place the resulting binaries in:
mkdir output
Mount the source code and the output directory in the container and run the default command, which starts
helpers/build-release-binaries/main.go
:
docker run --rm \
--volume "$PWD/restic-0.14.0:/restic" \
--volume "$PWD/output:/output" \
restic/builder \
go run helpers/build-release-binaries/main.go --version 0.14.0
If anything goes wrong, you can enable debug output like this:
docker run --rm \
--volume "$PWD/restic-0.14.0:/restic" \
--volume "$PWD/output:/output" \
restic/builder \
go run helpers/build-release-binaries/main.go --version 0.14.0 --verbose
Verifying the Official Binaries
To verify the official binaries, you can either build them yourself using the above
instructions or use the helpers/verify-release-binaries.sh
script from the restic
repository. Run it as helpers/verify-release-binaries.sh restic_version go_version
.
The specified go compiler version must match the one used to build the official
binaries. For example, for restic 0.16.2 the command would be
helpers/verify-release-binaries.sh 0.16.2 1.21.3
.
The script requires bash, curl, docker (version >= 25.0), git, gpg, shasum and tar.
The script first downloads all release binaries, checks the SHASUM256 file and its signature. Afterwards it checks that the tarball matches the restic git repository contents, before first reproducing the builder docker container and finally the restic binaries. As final step, the restic binary in both the docker hub images and the GitHub container registry is verified. If any step fails, then the script will issue a warning.
Prepare a New Release
Publishing a new release of restic requires many different steps. We’ve
automated this in the Go program helpers/prepare-release/main.go
which also
includes checking that e.g. the changelog is correctly generated. The only
required argument is the new version number (in Semantic Versioning format MAJOR.MINOR.PATCH
):
go run helpers/prepare-release/main.go 0.14.0
Checks can be skipped on demand via flags, please see --help
for details.
The build process requires docker
, docker-buildx
and qemu-user-static-binfmt
.