Fix Wasm module reproducibility

Update hashes Use fake user ID in Docker Update Aggregator hash TEST_CI: chwon oak files TEST_CI: add ci_init TEST_CI: change order TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: check user TEST_CI: chown oak
project-oak · Jan 19, 2021 · 6f86775 · 6f86775
1 parent e808e16
commit 6f86775
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 13 deletions.
diff --git a/cloudbuild.yaml b/cloudbuild.yaml
@@ -1,10 +1,17 @@
 # Reference: https://cloud.google.com/cloud-build/docs/build-config
 
 steps:
+  - name: 'gcr.io/cloud-builders/docker'
+    id: ci_init
+    waitFor: ['-']
+    timeout: 1m
+    entrypoint: 'bash'
+    args: ['./scripts/ci_init']
+
   # Pull pre-existing latest Docker image.
   - name: 'gcr.io/cloud-builders/docker'
     id: pull_image
-    waitFor: ['-']
+    waitFor: ['ci_init']
     timeout: 10m
     args: ['pull', 'gcr.io/oak-ci/oak:latest']
   # Build Docker image based on current Dockerfile, if necessary.

diff --git a/examples/aggregator/client/android/cpp/client.cc b/examples/aggregator/client/android/cpp/client.cc
@@ -55,7 +55,7 @@ JNIEXPORT void JNICALL Java_com_google_oak_aggregator_MainActivity_createChannel
   // The particular value corresponds to the hash on the `aggregator.wasm` line in
   // https://github.com/project-oak/oak/blob/hashes/reproducibility_index.
   oak::label::Label label = oak::WebAssemblyModuleHashLabel(
-      absl::HexStringToBytes("29fbf24bb76ab71b81bee0ce9cc1d995191a5f814ee7e5a1e04e227176779ffe"));
+      absl::HexStringToBytes("4919f4c644d85eb9354e878d08f7d1f2fbd1db3079f3bb234bcfd45c65bc2242"));
   kChannel = Aggregator::NewStub(oak::ApplicationClient::CreateChannel(
       address, oak::ApplicationClient::GetTlsChannelCredentials(ca_cert), label));
   JNI_LOG("gRPC channel has been created");

diff --git a/examples/aggregator/client/cpp/aggregator.cc b/examples/aggregator/client/cpp/aggregator.cc
@@ -80,7 +80,7 @@ int main(int argc, char** argv) {
   // https://github.com/project-oak/oak/blob/hashes/reproducibility_index.
   // TODO(#1674): Add appropriate TLS endpoint tag to the label as well.
   oak::label::Label label = oak::WebAssemblyModuleHashLabel(
-      absl::HexStringToBytes("29fbf24bb76ab71b81bee0ce9cc1d995191a5f814ee7e5a1e04e227176779ffe"));
+      absl::HexStringToBytes("4919f4c644d85eb9354e878d08f7d1f2fbd1db3079f3bb234bcfd45c65bc2242"));
   // Connect to the Oak Application.
   auto stub = Aggregator::NewStub(oak::ApplicationClient::CreateChannel(
       address, oak::ApplicationClient::GetTlsChannelCredentials(ca_cert), label));

diff --git a/examples/aggregator/config.toml b/examples/aggregator/config.toml
@@ -1,3 +1,3 @@
 grpc_server_listen_address = "[::]:8080"
 backend_server_address = "https://localhost:8888"
-aggregator_module_hash = "29fbf24bb76ab71b81bee0ce9cc1d995191a5f814ee7e5a1e04e227176779ffe"
+aggregator_module_hash = "4919f4c644d85eb9354e878d08f7d1f2fbd1db3079f3bb234bcfd45c65bc2242"
diff --git a/examples/aggregator/oak_app_manifest.toml b/examples/aggregator/oak_app_manifest.toml
@@ -1,4 +1,4 @@
 name = "aggregator"
 
 [modules]
-app = { external = { url = "https://storage.googleapis.com/oak-modules/aggregator/29fbf24bb76ab71b81bee0ce9cc1d995191a5f814ee7e5a1e04e227176779ffe", sha256 = "29fbf24bb76ab71b81bee0ce9cc1d995191a5f814ee7e5a1e04e227176779ffe" } }
+app = { path = "examples/aggregator/bin/aggregator.wasm" }
diff --git a/examples/private_set_intersection/oak_app_manifest.toml b/examples/private_set_intersection/oak_app_manifest.toml
@@ -5,5 +5,4 @@ signature_manifests = [
 
 [modules]
 app = { path = "examples/private_set_intersection/bin/private_set_intersection.wasm" }
-# TODO(865): Use locally built module once reproducibility is fixed.
-handler = { external = { url = "https://storage.googleapis.com/oak-modules/private_set_intersection_handler/08ac29c2e8fc7de860750457f1e97decc3f0089711e5efd574453085706b0a42", sha256 = "08ac29c2e8fc7de860750457f1e97decc3f0089711e5efd574453085706b0a42" } }
+handler = { path = "examples/private_set_intersection/bin/private_set_intersection_handler.wasm" }
diff --git a/examples/private_set_intersection/private_set_intersection_handler.sign b/examples/private_set_intersection/private_set_intersection_handler.sign
@@ -3,10 +3,10 @@ f41SClNtR4i46v2Tuh1fQLbt/ZqRr1lENajCW92jyP4=
 -----END PUBLIC KEY-----
 
 -----BEGIN SIGNATURE-----
-OHHEdnjxlKwAQU6dwiI8ZVRfSZ4VOttRWvube1z+/E78ey0NDLwqtfRJ1ZoNc0oY
-ufKZSPJZsUG0spGOYd7qBQ==
+wr3uFBcYPA/ha88rNBSAVBkAX4G86aAftbtjAqY6PeRnVRBDij4hRcVFXpXyf7/f
+XDRbz7BeFMpxGrt1iSr3BQ==
 -----END SIGNATURE-----
 
 -----BEGIN HASH-----
-CKwpwuj8fehgdQRX8el97MPwCJcR5e/VdEUwhXBrCkI=
+2yapRu9wQJ5lP+vwnvs+NjsTKTb8sMBMA2uwvMH6Dls=
 -----END HASH-----
diff --git a/scripts/ci_init b/scripts/ci_init
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+readonly SCRIPTS_DIR="$(dirname "$0")"
+# shellcheck source=scripts/common
+source "$SCRIPTS_DIR/common"
+
+whoami
+echo "UID" $UID
+id -g
+ls -la
+
+# Create a dedicated user for building Oak.
+adduser --disabled-password --uid 10000 --no-create-home --gecos "" oak
+
+# Change source files owner.
+chown -R oak .
+# chown -R oak $(ls -I ./scripts/docker_*)
+ls -la
diff --git a/scripts/docker_build b/scripts/docker_build
@@ -9,9 +9,20 @@ source "$SCRIPTS_DIR/common"
 # ID, if known.
 # See
 # https://github.com/googleapis/google-cloud-cpp/blob/a186208b79d900b4ec71c6f9df3acf7638f01dc6/ci/kokoro/docker/build.sh#L147-L152
-readonly DOCKER_UID="${UID:-0}"
-readonly DOCKER_GID="$(id -g)"
-readonly DOCKER_USER="${USER:-root}"
+if (( ${UID:-0} != 0 )); then
+  readonly DOCKER_UID=$UID
+else
+  readonly DOCKER_UID=10000
+fi
+# readonly DOCKER_GID="$(id -g)"
+if (( $(id -g) != 0 )); then
+  readonly DOCKER_GID=$(id -g)
+else
+  readonly DOCKER_GID=10000
+fi
+# We use the `oak` Docker user in order to maintain library paths on different
+# machines and to make Wasm modules reproducible.
+readonly DOCKER_USER="oak"
 
 docker build \
   --cache-from="$DOCKER_IMAGE_NAME:latest" \