Looking into the verify-build command for cargo concordium. It seems that modules need to be built using verifiable builds for this to work? (concordium-smart-contract-tools/cargo-concordium at main · Concordium/concordium-smart-contract-tools · GitHub). If so, do you know of a module that can be verified? If so, how can I get the source for this module?
If the smart contract developer has published the sources and edited the build-info, you can see the Link to source code with the command
cargo concordium print-build-info --module contract.wasm.v1
An example response:
- Build image used: docker.io/concordium/verifiable-sc:1.73.0
- Build command used: cargo --locked build --target wasm32-unknown-unknown --release --target-dir /b/t
- Hash of the archive: 383f4923e6a53424d0fb860f3bec8c3860e692d45115a0f117e41a58b992a8fd9
- Link to source code: https://your.domain.where.file.is.uploaded.com/contract.wasm.v1.tar
Thank you. Do you know of a contract that can be verified?
If you have the source files of a smart contract, you can build a verifiable build locally of that smart contract and then verify it.
Here’s an example, scraped from mainnet.
$ concordium-client --grpc-ip grpc.mainnet.concordium.software --secure module show c14efbca1dcf314c73cc294cbbf1bd63e3906b20d35442943eb92f52e383fc38 --out c14efbca1dcf314c73cc294cbbf1bd63e3906b20d35442943eb92f52e383fc38.wasm.v1
WASM Version of module: V1.
Wrote module source to the file 'c14efbca1dcf314c73cc294cbbf1bd63e3906b20d35442943eb92f52e383fc38.wasm.v1'.
$ cargo concordium print-build-info --module c14efbca1dcf314c73cc294cbbf1bd63e3906b20d35442943eb92f52e383fc38.wasm.v1
- Build image used: docker.io/concordium/verifiable-sc:1.70.0
- Build command used: cargo --locked build --target wasm32-unknown-unknown --release --target-dir /b/t
- Hash of the archive: 8a2c51e163f344ba0dde5f02c19dabaf6c08beb8d795346060c776f69b6b2320
$ cargo concordium verify-build --module c14efbca1dcf314c73cc294cbbf1bd63e3906b20d35442943eb92f52e383fc38.wasm.v1
Downloading source from https://github.com/Concordium/concordium-governance-committee-voting/releases/download/gc-election-contract%2F1.0.0/module.wasm.v1.tar
Building source and checking ...
[...]
Finished release [optimized] target(s) in 13.22s
Source and module match.
Finally succeeded in getting this working. Is this expected to run for quite a while? As in, on first run it downloads and creates a docker container and updates crates and compiles, while on subsequent runs it only updates crates and compiles, but on an M1 Mac mini that still takes 25 sec? Is that expected?
Can I expect all links to source code to be a link to a .tar file?
25 seconds seems in line with my experience. cargo-concordium always produces a .tar file for verifiable builds. According to the docs, the link embedded in the contract should be either the tar file or a gzipped tar file:
optionally the link to the sources if the --source flag is provided. If this is not provided the link can be embedded later. The source link should point either to the tar file directly, or to a gzipped version of the file.
Thanks. If using the tar file option, can I assume there is always a src folder with a file called lib.rs that contains the source to display?
I think in pretty much all cases, there will be a src/lib.rs. However, to be fully general you should check Cargo.toml for a lib.path, which would override it.