infrastructure for reproducible builds (#3770)

* Add deterministic buildsystem

* Update CircleCI config

* Enable build on all branches for testing purposes

* Revert "Enable build on all branches for testing purposes"

This reverts commit bf5cf66da94bf9c23787b42995b0409492805f03.

* Remove develop from branch filters

* Remove dangling reference to develop

* Upload binaries too

* Build for stable branches too

scripts/gitian-descriptors/gitian-darwin.yml

@@ -0,0 +1,111 @@
+---
+name: "tendermint-darwin"
+enable_cache: true
+distro: "ubuntu"
+suites:
+- "bionic"
+architectures:
+- "amd64"
+packages:
+- "bsdmainutils"
+- "build-essential"
+- "ca-certificates"
+- "curl"
+- "debhelper"
+- "dpkg-dev"
+- "devscripts"
+- "fakeroot"
+- "git"
+- "golang-any"
+- "xxd"
+- "quilt"
+remotes:
+- "url": "https://github.com/tendermint/tendermint.git"
+  "dir": "tendermint"
+files:
+- "golang-debian-1.12.5-1.tar.gz"
+script: |
+  set -e -o pipefail
+
+  GO_SRC_RELEASE=golang-debian-1.12.5-1
+  GO_SRC_TARBALL="${GO_SRC_RELEASE}.tar.gz"
+  # Compile go and configure the environment
+  export TAR_OPTIONS="--mtime="$REFERENCE_DATE\\\ $REFERENCE_TIME""
+  export BUILD_DIR=`pwd`
+  tar xf "${GO_SRC_TARBALL}"
+  rm -f "${GO_SRC_TARBALL}"
+  [ -d "${GO_SRC_RELEASE}/" ]
+  mv "${GO_SRC_RELEASE}/" go/
+  pushd go/
+  QUILT_PATCHES=debian/patches quilt push -a
+  fakeroot debian/rules build RUN_TESTS=false GOCACHE=/tmp/go-cache
+  popd
+
+  export GOOS=darwin
+  export GOROOT=${BUILD_DIR}/go
+  export GOPATH=${BUILD_DIR}/gopath
+  mkdir -p ${GOPATH}/bin
+
+  export PATH_orig=${PATH}
+  export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
+
+  export ARCHS='386 amd64'
+  export GO111MODULE=on
+
+  # Make release tarball
+  pushd tendermint
+  VERSION=$(git describe --tags | sed 's/^v//')
+  COMMIT=$(git rev-parse --short=8 HEAD)
+  DISTNAME=tendermint-${VERSION}
+  git archive --format tar.gz --prefix ${DISTNAME}/ -o ${DISTNAME}.tar.gz HEAD
+  SOURCEDIST=`pwd`/`echo tendermint-*.tar.gz`
+  popd
+
+  # Correct tar file order
+  mkdir -p temp
+  pushd temp
+  tar xf $SOURCEDIST
+  rm $SOURCEDIST
+  find tendermint-* | sort | tar --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > $SOURCEDIST
+  popd
+
+  # Prepare GOPATH and install deps
+  distsrc=${GOPATH}/src/github.com/tendermint/tendermint
+  mkdir -p ${distsrc}
+  pushd ${distsrc}
+  tar --strip-components=1 -xf $SOURCEDIST
+  go mod download
+  popd
+
+  # Configure LDFLAGS for reproducible builds
+  LDFLAGS="-extldflags=-static -buildid=${VERSION} -s -w \
+    -X github.com/tendermint/tendermint/version.GitCommit=${COMMIT}"
+
+  # Extract release tarball and build
+  for arch in ${ARCHS}; do
+    INSTALLPATH=`pwd`/installed/${DISTNAME}-${arch}
+    mkdir -p ${INSTALLPATH}
+
+    # Build tendermint binary
+    pushd ${distsrc}
+    GOARCH=${arch} GOROOT_FINAL=${GOROOT} go build -a \
+      -gcflags=all=-trimpath=${GOPATH} \
+      -asmflags=all=-trimpath=${GOPATH} \
+      -mod=readonly -tags "tendermint" \
+      -ldflags="${LDFLAGS}" \
+      -o ${INSTALLPATH}/tendermint ./cmd/tendermint/
+
+    popd # ${distsrc}
+
+    pushd ${INSTALLPATH}
+    find -type f | sort | tar \
+      --no-recursion --mode='u+rw,go+r-w,a+X' \
+      --numeric-owner --sort=name \
+      --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-darwin-${arch}.tar.gz
+    popd  # installed
+  done
+
+  rm -rf ${distsrc}
+
+  mkdir -p $OUTDIR/src
+  mv $SOURCEDIST $OUTDIR/src

scripts/gitian-descriptors/gitian-linux.yml

@@ -0,0 +1,110 @@
+---
+name: "tendermint-linux"
+enable_cache: true
+distro: "ubuntu"
+suites:
+- "bionic"
+architectures:
+- "amd64"
+packages:
+- "bsdmainutils"
+- "build-essential"
+- "ca-certificates"
+- "curl"
+- "debhelper"
+- "dpkg-dev"
+- "devscripts"
+- "fakeroot"
+- "git"
+- "golang-any"
+- "xxd"
+- "quilt"
+remotes:
+- "url": "https://github.com/tendermint/tendermint.git"
+  "dir": "tendermint"
+files:
+- "golang-debian-1.12.5-1.tar.gz"
+script: |
+  set -e -o pipefail
+
+  GO_SRC_RELEASE=golang-debian-1.12.5-1
+  GO_SRC_TARBALL="${GO_SRC_RELEASE}.tar.gz"
+  # Compile go and configure the environment
+  export TAR_OPTIONS="--mtime="$REFERENCE_DATE\\\ $REFERENCE_TIME""
+  export BUILD_DIR=`pwd`
+  tar xf "${GO_SRC_TARBALL}"
+  rm -f "${GO_SRC_TARBALL}"
+  [ -d "${GO_SRC_RELEASE}/" ]
+  mv "${GO_SRC_RELEASE}/" go/
+  pushd go/
+  QUILT_PATCHES=debian/patches quilt push -a
+  fakeroot debian/rules build RUN_TESTS=false GOCACHE=/tmp/go-cache
+  popd
+
+  export GOROOT=${BUILD_DIR}/go
+  export GOPATH=${BUILD_DIR}/gopath
+  mkdir -p ${GOPATH}/bin
+
+  export PATH_orig=${PATH}
+  export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
+
+  export ARCHS='386 amd64 arm arm64'
+  export GO111MODULE=on
+
+  # Make release tarball
+  pushd tendermint
+  VERSION=$(git describe --tags | sed 's/^v//')
+  COMMIT=$(git rev-parse --short=8 HEAD)
+  DISTNAME=tendermint-${VERSION}
+  git archive --format tar.gz --prefix ${DISTNAME}/ -o ${DISTNAME}.tar.gz HEAD
+  SOURCEDIST=`pwd`/`echo tendermint-*.tar.gz`
+  popd
+
+  # Correct tar file order
+  mkdir -p temp
+  pushd temp
+  tar xf $SOURCEDIST
+  rm $SOURCEDIST
+  find tendermint-* | sort | tar --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > $SOURCEDIST
+  popd
+
+  # Prepare GOPATH and install deps
+  distsrc=${GOPATH}/src/github.com/tendermint/tendermint
+  mkdir -p ${distsrc}
+  pushd ${distsrc}
+  tar --strip-components=1 -xf $SOURCEDIST
+  go mod download
+  popd
+
+  # Configure LDFLAGS for reproducible builds
+  LDFLAGS="-extldflags=-static -buildid=${VERSION} -s -w \
+    -X github.com/tendermint/tendermint/version.GitCommit=${COMMIT}"
+
+  # Extract release tarball and build
+  for arch in ${ARCHS}; do
+    INSTALLPATH=`pwd`/installed/${DISTNAME}-${arch}
+    mkdir -p ${INSTALLPATH}
+
+    # Build tendermint binary
+    pushd ${distsrc}
+    GOARCH=${arch} GOROOT_FINAL=${GOROOT} go build -a \
+      -gcflags=all=-trimpath=${GOPATH} \
+      -asmflags=all=-trimpath=${GOPATH} \
+      -mod=readonly -tags "tendermint" \
+      -ldflags="${LDFLAGS}" \
+      -o ${INSTALLPATH}/tendermint ./cmd/tendermint/
+
+    popd # ${distsrc}
+
+    pushd ${INSTALLPATH}
+    find -type f | sort | tar \
+      --no-recursion --mode='u+rw,go+r-w,a+X' \
+      --numeric-owner --sort=name \
+      --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-linux-${arch}.tar.gz
+    popd  # installed
+  done
+
+  rm -rf ${distsrc}
+
+  mkdir -p $OUTDIR/src
+  mv $SOURCEDIST $OUTDIR/src

scripts/gitian-descriptors/gitian-windows.yml

@@ -0,0 +1,111 @@
+---
+name: "tendermint-windows"
+enable_cache: true
+distro: "ubuntu"
+suites:
+- "bionic"
+architectures:
+- "amd64"
+packages:
+- "bsdmainutils"
+- "build-essential"
+- "ca-certificates"
+- "curl"
+- "debhelper"
+- "dpkg-dev"
+- "devscripts"
+- "fakeroot"
+- "git"
+- "golang-any"
+- "xxd"
+- "quilt"
+remotes:
+- "url": "https://github.com/tendermint/tendermint.git"
+  "dir": "tendermint"
+files:
+- "golang-debian-1.12.5-1.tar.gz"
+script: |
+  set -e -o pipefail
+
+  GO_SRC_RELEASE=golang-debian-1.12.5-1
+  GO_SRC_TARBALL="${GO_SRC_RELEASE}.tar.gz"
+  # Compile go and configure the environment
+  export TAR_OPTIONS="--mtime="$REFERENCE_DATE\\\ $REFERENCE_TIME""
+  export BUILD_DIR=`pwd`
+  tar xf "${GO_SRC_TARBALL}"
+  rm -f "${GO_SRC_TARBALL}"
+  [ -d "${GO_SRC_RELEASE}/" ]
+  mv "${GO_SRC_RELEASE}/" go/
+  pushd go/
+  QUILT_PATCHES=debian/patches quilt push -a
+  fakeroot debian/rules build RUN_TESTS=false GOCACHE=/tmp/go-cache
+  popd
+
+  export GOOS=windows
+  export GOROOT=${BUILD_DIR}/go
+  export GOPATH=${BUILD_DIR}/gopath
+  mkdir -p ${GOPATH}/bin
+
+  export PATH_orig=${PATH}
+  export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
+
+  export ARCHS='386 amd64'
+  export GO111MODULE=on
+
+  # Make release tarball
+  pushd tendermint
+  VERSION=$(git describe --tags | sed 's/^v//')
+  COMMIT=$(git rev-parse --short=8 HEAD)
+  DISTNAME=tendermint-${VERSION}
+  git archive --format tar.gz --prefix ${DISTNAME}/ -o ${DISTNAME}.tar.gz HEAD
+  SOURCEDIST=`pwd`/`echo tendermint-*.tar.gz`
+  popd
+
+  # Correct tar file order
+  mkdir -p temp
+  pushd temp
+  tar xf $SOURCEDIST
+  rm $SOURCEDIST
+  find tendermint-* | sort | tar --no-recursion --mode='u+rw,go+r-w,a+X' --owner=0 --group=0 -c -T - | gzip -9n > $SOURCEDIST
+  popd
+
+  # Prepare GOPATH and install deps
+  distsrc=${GOPATH}/src/github.com/tendermint/tendermint
+  mkdir -p ${distsrc}
+  pushd ${distsrc}
+  tar --strip-components=1 -xf $SOURCEDIST
+  go mod download
+  popd
+
+  # Configure LDFLAGS for reproducible builds
+  LDFLAGS="-extldflags=-static -buildid=${VERSION} -s -w \
+    -X github.com/tendermint/tendermint/version.GitCommit=${COMMIT}"
+
+  # Extract release tarball and build
+  for arch in ${ARCHS}; do
+    INSTALLPATH=`pwd`/installed/${DISTNAME}-${arch}
+    mkdir -p ${INSTALLPATH}
+
+    # Build tendermint binary
+    pushd ${distsrc}
+    GOARCH=${arch} GOROOT_FINAL=${GOROOT} go build -a \
+      -gcflags=all=-trimpath=${GOPATH} \
+      -asmflags=all=-trimpath=${GOPATH} \
+      -mod=readonly -tags "tendermint" \
+      -ldflags="${LDFLAGS}" \
+      -o ${INSTALLPATH}/tendermint.exe ./cmd/tendermint/
+
+    popd # ${distsrc}
+
+    pushd ${INSTALLPATH}
+    find -type f | sort | tar \
+      --no-recursion --mode='u+rw,go+r-w,a+X' \
+      --numeric-owner --sort=name \
+      --owner=0 --group=0 -c -T - | gzip -9n > ${OUTDIR}/${DISTNAME}-windows-${arch}.tar.gz
+    popd  # installed
+  done
+
+  rm -rf ${distsrc}
+
+  mkdir -p $OUTDIR/src
+  mv $SOURCEDIST $OUTDIR/src