The verification script makes sure the hashes of the binaries inside of
a docker image match those of an official release.
The script first downloads all signatures, validates them, then compares
the hashes of the installed binaries to those contained in the detached
signature files.
We add a new make goal called release-install that creates the same
reproducible binaries as the release script would create, but only for
the current OS/architecture. It then installs those binaries to the
system's GOBIN directory.
To allow easy verification of individual binaries (instead of just the
packag tarballs/zips), we also add the hashes of lnd and lncli binaries
to the manifest. We do the same in the docker build.
This commit satisfies the auto-build functionality desired in #722 without changing anything in the docker folder. This allows development and testing to continue to build and use images locally, but external users get a very lean Docker image they can use. The size difference is appreciable.
REPOSITORY TAG IMAGE ID CREATED SIZE
lnd latest 3634dcf5df68 17 seconds ago 1.19GB
lnd-single latest b295cc248447 30 minutes ago 56MB
Right before merging this PR, an Automated Build repository should be configured on the appropriate account (lightningnetwork?) on Docker Hub with the name of lnd in order to match documentation.
I see there are already some repositories created, however I think best practice for Docker is to have a single repository and different tags for different architectures. The included image is based off of Alpine, but in the future we could extend into multiple Dockerfiles (example: ARM support, or being Ubuntu based).
So in this proposed scenario, lightningnetwork/lnd:latest would be alpine, but lightningnetwork/lnd:ubuntu would be an ubuntu-based image, for example.
(With thanks to @alingenhag for https://github.com/f-u-z-z-l-e/docker-lnd/ from which I borrowed heavily)
