feat(devops): Improve usability of the docker-build command (#13)

# Motivation
The `docker-build` command is used by many third parties, so needs to be
accessible and have good --help.

# Changes
- Add a Dockerfile and supporting scripts
- Add a README

# Tests
- The docker build is exercised in CI
- The command line tool for running docker has been tested manually.

Author: bitdivine

.github/actions/build/action.yaml

@@ -0,0 +1,31 @@
+name: 'Docker Build'
+description: |
+  Builds the artefacts for a standard release, including:
+          * `signer.wasm.gz` (for all networks)
+inputs:
+  no-cache:
+    description: 'no-cache'
+    default: false
+    type: boolean
+runs:
+  using: "composite"
+  steps:
+    - name: Set up docker buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Build wasms
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: Dockerfile
+        cache-from: type=gha,scope=cached-stage
+        no-cache: ${{ inputs.no-cache || false }}
+        # Exports the artefacts from the final stage
+        outputs: out
+    - name: 'Record the git commit and any tags'
+      shell: bash
+      run: |
+        set -euxo pipefail
+        git log | head -n1 > out/commit.txt
+    - name: Hash artefacts
+      shell: bash
+      run: scripts/docker-hashes

.github/workflows/release.yml

@@ -0,0 +1,28 @@
+name: Release
+on:
+  push:
+    branches:
+      - setup-repo
+  workflow_dispatch:
+    inputs:
+      no_cache:
+        description: 'no-cache'
+        default: false
+        type: boolean
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+defaults:
+  run:
+    shell: bash -euxlo pipefail {0}
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build
+        uses: ./.github/actions/build

Dockerfile

@@ -0,0 +1,88 @@
+#
+# Reproducible Builds
+#
+
+FROM ubuntu:22.04 AS base
+ENV TZ=UTC
+# Install basic tools
+RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y \
+    curl \
+    ca-certificates \
+    build-essential \
+    pkg-config \
+    libssl-dev \
+    llvm-dev \
+    liblmdb-dev \
+    clang \
+    cmake \
+    jq \
+    && rm -rf /var/lib/apt/lists/*
+
+
+# Gets dfx version
+#
+# Note: This can be done in the builder but is slow because unrelated changes to dfx.json can cause a rebuild.
+FROM base AS tool_versions
+SHELL ["bash", "-c"]
+RUN mkdir -p config
+COPY dfx.json dfx.json
+RUN jq -r .dfx dfx.json > config/dfx_version
+
+
+# Install tools && warm up the build cache
+FROM base AS builder
+SHELL ["bash", "-c"]
+# Install dfx
+# Note: dfx is installed in `$HOME/.local/share/dfx/bin` but we can't reference `$HOME` here so we hardcode `/root`.
+COPY --from=tool_versions /config/*_version config/
+ENV PATH="/root/.local/share/dfx/bin:${PATH}"
+RUN DFXVM_INIT_YES=true DFX_VERSION="$(cat config/dfx_version)" sh -c "$(curl -fsSL https://sdk.dfinity.org/install.sh)" && dfx --version
+# Install Rust
+COPY ./rust-toolchain.toml .
+ENV RUSTUP_HOME=/opt/rustup \
+    CARGO_HOME=/cargo \
+    PATH=/cargo/bin:$PATH
+COPY scripts/setup-rust scripts/setup-rust
+RUN scripts/setup-rust
+# Optional: Pre-build dependencies
+COPY Cargo.lock .
+COPY Cargo.toml .
+COPY src/signer/Cargo.toml src/signer/Cargo.toml
+COPY src/example-backend/Cargo.toml src/example-backend/Cargo.toml
+COPY src/shared/Cargo.toml src/shared/Cargo.toml
+ENV CARGO_TARGET_DIR=/cargo_target
+RUN mkdir -p src/signer/src \
+    && touch src/signer/src/lib.rs \
+    && mkdir -p src/shared/src \
+    && touch src/shared/src/lib.rs \
+    && mkdir -p src/example-backend/src \
+    && touch src/example-backend/src/lib.rs \
+    && cargo build --target wasm32-unknown-unknown \
+    && rm -rf src
+
+
+# Builds canister: example-backend
+FROM builder AS build-example-backend
+COPY src src
+COPY dfx.json dfx.json
+COPY canister_ids.json canister_ids.json
+RUN touch src/*/src/*.rs
+RUN dfx build --ic example-backend
+RUN cp .dfx/ic/canisters/example-backend/example-backend.wasm /example-backend.wasm.gz
+RUN sha256sum /example-backend.wasm.gz
+
+FROM scratch AS example-backend
+COPY --from=build-example-backend /example-backend.wasm.gz /
+
+# Builds canister: signer
+FROM builder AS build-signer
+COPY src src
+COPY dfx.json dfx.json
+COPY canister_ids.json canister_ids.json
+RUN touch src/*/src/*.rs
+RUN dfx build --ic signer
+RUN cp .dfx/ic/canisters/signer/signer.wasm.gz /signer.wasm.gz
+RUN sha256sum /signer.wasm.gz
+
+FROM scratch AS signer
+COPY --from=build-signer /signer.wasm.gz /

README.md

@@ -1,3 +1,73 @@
-# chain-fusion-signer
+![alt text](image.png)
 
-A canister that does nothing but sign transactions for use on other blockchains.
+<br/>
+<br/>
+
+[![Internet Computer portal](https://img.shields.io/badge/Internet-Computer-grey?logo=internet%20computer)](https://internetcomputer.org)
+[![Code checks](https://github.com/dfinity/chain-fusion-signer/actions/workflows/check.yml/badge.svg)](https://github.com/dfinity/chain-fusion-signer/actions/workflows/check.yml)
+
+</div>
+
+---
+
+# What is the Chain Fusion Signer
+
+The Internet Computer provides an API that allows any canister to hold decentralised public-private key pairs. These keys can be used to sign messages for any system that uses compatible elliptic curves. Popular use cases are signing Bitcoin and Ethereum transactions. However, accessing this API requires developing a backend canister, which may be an unnecessary hurdle. The Chain Fusion Signer makes the Internet Computer threshold signature APIs directly accessible to web apps and to command line users.
+
+## Use Cases
+
+### Front-end application development
+
+A front end web developer can now develop a multi-chain web app using the following generic components:
+
+- An asset canister, for serving HTML, images and Javascript.
+- An identity provider for login.
+- The Chain Fusion Signer to interact with blockchains.
+- A generic data store for user profiles; developers have a wide choice of SQL and NoSQL databases that run on the Internet Computer.
+
+### Command Line
+
+Users can now hold keys on-chain and sign with the command line with a simple `dfx canister call`, without having to deploy or maintain their own signing canister.
+
+# Governance
+
+### Ownership
+
+The Chain Fusion Signer is intended to have ownership equivalent to the Internet Computer threshold signing APIs. The purpose of the Chain Fusion Signer is ONLY to make the Internet Computer signing APIs more accessible.
+
+### Payment
+
+Threshold signatures require cycles. As such, API users must attach cycles for their calls, either directly or via a payment protocol.
+
+### Update Cadence
+
+The chain fusion signer is made to be very stable. It would be black-holed but the requirement to be able to make security updates precludes that. However, after an initial teething phase, updates should be very rare and performed only with strong community support, similar to the support required to add the threshold signing APIs in the first place. Upgrade should occur ONLY when:
+
+- There is a security flaw that needs to be addressed.
+- The Internet Computer threshold signing APIs change. For example, if the Internet Computer adds support for an additional elliptic curve, the Chain Fusion Signer should make that improvement available to web developers.
+- In very limited cases, utilities may be added to the Chain Fusion Signer to support common use cases. Restraint should be exercised here. Convenience functions that can be implemented in the browser should be implemented in the browser. Convenience functions should address only very common, well established use cases.
+
+### Maintainance
+
+The Chain Fusion Signer code should be very simple and maintaible, so that any developer with a strong record of making trustworthy, secure cryptographic applications can maintain it.
+
+Any developer who wishes to make changes to the Chain Fusion Signer SHOULD:
+
+- Communicate with the community, e.g. via the forums, to verify that their intended changes have support.
+- Communicate with other maintainers, to ensure that changes do not conflict.
+- Submit changes in small units, ideally of under 100 lines per change.
+- Ensure that a well known and trusted auditor checks the code.
+
+### Verifiability
+
+The code can be built reproducibly with:
+
+```
+./scripts/docker-build
+```
+
+# Usage
+
+Please refer to the canister .did file to the API.
+
+TODO: Examples and developer-friendly documentation.

canister_ids.json

@@ -2,5 +2,8 @@
 	"signer": {
 		"ic": "grghe-syaaa-aaaar-qabyq-cai",
 		"staging": "tdxud-2yaaa-aaaad-aadiq-cai"
+	},
+	"example-backend": {
+		"ic": "2vxsx-fae"
 	}
 }

image.png

@@ -15,6 +15,6 @@ function generate_did() {
 
 CANISTERS=signer
 
-for canister in $(echo $CANISTERS | sed "s/,/ /g"); do
+for canister in ${CANISTERS//,/ }; do
   generate_did "$canister"
 done

scripts/did.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+(("${BASH_VERSINFO[0]}" >= 5)) || {
+  echo "ERROR:  Please use a newer version of bash.  The minimum supported bash version is 5.  Yours appears to be '${BASH_VERSINFO[0]}'" >&2
+  exit 1
+}
+
+if test -d scripts && test -e Dockerfile; then
+  : "OK: We appear to be in the root of the repo."
+else
+  echo "ERROR: Please run from the root of the chain-fusion-signer git repository." >&2
+  exit 1
+fi
+
+DFX_TARGET=signer
+OUTDIR=out
+PROGRESS="--progress=auto"
+image_name="chain-fusion-signer"
+
+print_help() {
+  cat <<-"EOF"
+
+	Build signer.wasm.gz inside docker. This creates:
+	- An "out" directory in the project directory containing all build artefacts.
+	  Note: If the "out" directory already exists, it will be deleted and replaced.
+
+	EOF
+}
+
+print_docker_help() {
+  cat <<-"EOF"
+	Note: If the docker build fails, it may help to build from a clean cache:
+
+	  ./scripts/docker-build -- --no-cache
+
+	EOF
+}
+
+if [[ "${1:-}" == "--help" ]]; then
+  print_help
+  exit 0
+fi
+
+if DOCKER_BUILDKIT=1 docker build \
+  --target "$DFX_TARGET" \
+  "$PROGRESS" \
+  -t "$image_name" \
+  -o "$OUTDIR" . \
+  "${@+${@}}"; then
+  echo "SUCCESS: Docker build has succeeded."
+  scripts/docker-hashes
+else
+  set +x
+  {
+    echo "ERROR: Docker build failed."
+    print_docker_help
+    exit 1
+  } >&2
+fi
+
+echo FIN

scripts/docker-build

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# Note:
+# * `sha256sum` prints the hash of each file;
+# * The `wc -c` in the awk code gets the size in bytes of each file;
+# * The AWK code also adds a header and footer;
+# * `column -t` formats the data as a table;
+# * `tee` saves a copy of the printout in a file; that file will be included in releases.
+find out/ -type f -print0 | xargs sha256sum | awk '{"wc -c " $2 | getline size; print $1, size}BEGIN{print "===START_ARTEFACTS===\nsha256 size filename"}END{print "==END_ARTEFACTS=="}' | column -t | tee out/filelist.txt

scripts/docker-hashes

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# Installs rust
+
+set -euo pipefail
+
+SCRIPTS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPTS_DIR/.."
+
+function run() {
+  echo 1>&2 "running $*"
+  rc=0 && "$@" || rc="$?"
+  if ! [ "$rc" -eq 0 ]; then
+    echo 1>&2 "Bootstrap command failed: $*"
+    exit "$rc"
+  fi
+}
+
+rust_version=$(sed -n 's/^channel[[:space:]]*=[[:space:]]"\(.*\)"/\1/p' rust-toolchain.toml)
+echo "using rust version '$rust_version'"
+
+# here we set the toolchain to 'none' and rustup will pick up on ./rust-toolchain.toml
+run curl --fail https://sh.rustup.rs -sSf | run sh -s -- -y --default-toolchain "none" --no-modify-path
+
+# make sure the packages are actually installed (rustup waits for the first invoke to lazyload)
+cargo --version
+cargo clippy --version
+cargo fmt --version