
Reproducible Builds and compiling scripts without random tokenisation


TheDcoder

Hello Everyone :)

Been a while since I had any useful ideas for AutoIt. Today I was thinking about having an option to compile a script without any obfuscation or tokenisation, or at least an option to specify the seed for the randomness in the tokenisation process to produce identical executables every time.

This would be very useful for Open Source software where anyone can compile the source to produce a bit to bit copy of the compiled version by the developer. Currently there is no legal way to verify if a build has been built from a specific source; with this option it will be as easy as compiling the code and comparing the builds :D

Something like #pragma compile(Tokenise, false), we can set the proposed Tokenise directive to true as default to maintain backward compatibility and to somewhat protect closed source software.

What do you guys think about this?

TD :thumbsup:

Edited by TheDcoder
"form" to "from"

AutoIt.4.Life Clubrooms - Life is like a Donut (secret key)

Spoiler

My contributions to the AutoIt Community

If I have hurt or offended you in anyway, Please accept my apologies, I never (regardless of the situation) mean to do that to anybody!!!

3fHNZJ.gif

PLEASE JOIN ##AutoIt AND HELP THE IRC AUTOIT COMMUNITY!

TheDcoder
Posted (edited)

Bump, almost 6 months and no reply :(

Edited by TheDcoder

TheSaint
Posted (edited)

You shouldn't have needed to bump. But clearly you did have to. :(

I am surprised you got no response, as I consider your request as quite worthwhile, going by our recent discussions.

Perhaps you should outlay your current situation, to make things perfectly clear to the powers-that-be, why this is needed.

Edited by TheSaint
  • Thanks 1

AutoIt.4.Life Clubrooms - Life is like a Donut (secret key)

Make sure brain is in gear before opening mouth!
Remember, what is not said, can be just as important as what is said.

Spoiler

What is the Secret Key? Life is like a Donut

If I put effort into communication, I expect you to read properly & fully, or just not comment.
Ignoring those who try to divert conversation with irrelevancies.
If I'm intent on insulting you or being rude, I will be obvious, not ambiguous about it.
I'm only big and bad, to those who have an over-active imagination.

I may have the Artistic Liesense ;) to disagree with you. TheSaint's Toolbox (be advised many downloads are not working due to ISP screwup with my storage)

TheDcoder
Posted (edited)
36 minutes ago, TheSaint said:

Perhaps you should outlay your current situation, to make things perfectly clear to the powers-that-be, why this is needed.

I agree.

A practical example and the reason why I am looking forward to this feature is because I develop a program called ProxAllium, it is a frontend for Tor which is a security related software, I won't go into much detail, but I will say that users of Tor and the Tor project take security/trustworthiness somewhat more seriously than normal people. In order for a software to be accepted by the community, the binaries should ideally be reproducible, so that they can verify that it has indeed been compiled from the public source code. Unfortunately it is impossible to do this in AutoIt as tokenization adds a random factor to the compile process :(

That is only one of the many advantages of reproducible builds, more incentives and advantages can be found here: https://reproducible-builds.org/

Also, the Wikipedia entry on this topic: https://en.wikipedia.org/wiki/Deterministic_compilation

 

It is a valuable technique which open source software can take advantage of :)

Edited by TheDcoder
  • Like 1

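The "compile it yourself and compare the builds" check described in the posts above, as an added example that is not part of any post in this thread and is not AutoIt or ProxAllium code. `toy_build` is a hypothetical stand-in for a compiler that encodes the script with a per-build key (it is not AutoIt's real file format), and the sample script is constructed.

```python
import hashlib

STUB = b"MZ" + b"\x00" * 62  # constructed 64-byte stand-in for a fixed interpreter stub


def toy_build(source: bytes, seed: int) -> bytes:
    """Toy compiler (assumption, NOT AutoIt's real format): stub + key + XOR-encoded script."""
    key = hashlib.sha256(str(seed).encode()).digest()[:4]
    body = bytes(c ^ key[i % 4] for i, c in enumerate(source))
    return STUB + key + body


def differing_ranges(a: bytes, b: bytes, gap: int = 8) -> list:
    """Half-open (start, end) byte ranges where a and b differ.

    Differences separated by fewer than `gap` equal bytes are merged;
    a length mismatch is reported as one trailing range.
    """
    ranges, start, last = [], None, None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
            elif i - last > gap:
                ranges.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        ranges.append((start, last + 1))
    if len(a) != len(b):
        ranges.append((common, max(len(a), len(b))))
    return ranges


def verify_build(official: bytes, rebuilt: bytes) -> dict:
    """Compare a published binary with an independent rebuild from the public source."""
    return {
        "official_sha256": hashlib.sha256(official).hexdigest(),
        "rebuilt_sha256": hashlib.sha256(rebuilt).hexdigest(),
        "reproducible": official == rebuilt,
        "diff_ranges": differing_ranges(official, rebuilt),
    }


if __name__ == "__main__":
    src = b'MsgBox(0, "demo", "hello")'  # constructed sample script
    print(verify_build(toy_build(src, 1), toy_build(src, 2)))  # seed differs per build
    print(verify_build(toy_build(src, 7), toy_build(src, 7)))  # seed pinned
```

With a different seed per build the stub matches but everything after it differs, so a verifier cannot tell a randomised encoding from a tampered script; with the seed pinned the two builds are byte-identical and the hashes match.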
Mobius

Autocamo is able to do this with its ability to seed the builder's token generator.

Many moons ago ;)

  • Thanks 1

TheDcoder

Good stuff @Mobius, I recall checking out AutoCamo a few years ago, but never downloaded it and had a proper look... until now that is, I see that you have discontinued it (which is sad), but we can salvage something from your project. Can you give us a brief explanation how you made it possible to have a custom seed?


Mobius
Posted (edited)
20 hours ago, TheDcoder said:

Good stuff @Mobius, I recall checking out AutoCamo a few years ago, but never downloaded it and had a proper look... until now that is, I see that you have discontinued it (which is sad), but we can salvage something from your project. Can you give us a brief explanation how you made it possible to have a custom seed?

That's ok @TheDcoder It's a fairly old tool (much like its creator) and not to everyone's taste (also like its creator ;) ) , what it does is fairly moot these days.

Unfortunately the token seeding process involved physically modifying the machinations of the builder and the interpreter on the fly to allow for this procedure to work. It could be built into the builder by the developer of course but I'm guessing there are numerous good reasons for him not doing so.

Edited by Mobius
Busted wink

TheDcoder
2 hours ago, Mobius said:

That's ok @TheDcoder It's a fairly old tool (much like its creator) and not to everyone's taste (also like its creator ;)) , what it does is fairly moot these days.

:lol:

2 hours ago, Mobius said:

Unfortunately the token seeding process involved physically modifying the machinations of the builder and the interpreter on the fly to allow for this procedure to work

I see, quite advanced stuff then. I was kind of hoping there was an easier way.

 

Maybe I should open a ticket about this and see what the Devs think?


Mobius
24 minutes ago, TheDcoder said:

Maybe I should open a ticket about this and see what the Devs think?

Not to be cruel (rare) but given the lack of attention this thread generated I doubt it would be high on the todo list if at all. You are of course free to ask.

TheDcoder
13 minutes ago, Mobius said:

Not to be cruel (rare)

No worries, didn't take offense :)

13 minutes ago, Mobius said:

given the lack of attention this thread generated I doubt it would be high on the todo list if at all. You are of course free to ask.

I think the same, but you can always try and see, would be nice if they implement it :)

  • Like 1

Earthshine
Posted (edited)

Well, now I am reading all about Reproducible Builds, and, thanks, this is great stuff. Let me learn and get back here in time. Basically, I do this stuff, but I have found some great nuggets of wisdom here: https://reproducible-builds.org/docs/

I always snapshot every build, we can trace everything, but still much I need to learn. I even have zipped archives of builds they use to debug with when problems come up, has all the pdbs and whatnot.

Edited by Earthshine

My resources are limited. You must ask the right questions

 
