watt
Tooling for verifying wasm was compiled from the public source
Hello
Maybe this is just paranoia on my side. However, currently if I want to do an audit of my dependencies, I can download and extract the crate source from crates.io and read it. There are even tools promoting such an approach, like cargo-crev.
But if the crate contains the binary wasm code, reading it and understanding what it does gets much harder. I understand that the compiled code can't do arbitrary stuff to the system itself, but it could still produce malicious code into its output, or simply be buggy and produce wrong code.
So I wonder, would it be possible to somehow make it possible (by some tooling) to automatically bundle both the original source code and the wasm and have a way to opt into the longer compile time, while making sure it is indeed from the given sources?
Absolutely -- this is along the lines of what I called out in the readme:
including easy tooling for doing reproducible builds of the Wasm artifact for confirming that it was indeed compiled from the publicly available sources.
This feature would be useful: https://github.com/rust-lang/rust/issues/41555
I made this tool: cargo watt.
Currently it can verify that a given .wasm file was compiled from a specified source, but it only works if both the compilation and verification are done on the same OS.
Compiling on linux vs on macOS leads to this difference (diff of strings file.wasm): https://gist.github.com/jakobhellermann/da18d6f2da58414e0fd9c06ae708d2c1.
If anyone knows why this is or how to debug it please let me know :)
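As an added example that is not part of this thread, of watt, or of cargo watt: a small Rust program that parses the top-level sections of two wasm binaries and reports which sections differ, so a cross-platform mismatch like the one described above can be narrowed to a specific section (for instance a custom section such as `producers` or `name`) before resorting to `strings`. The two modules it compares are constructed inline; their `producers` payloads are placeholders rather than real toolchain output, and the FNV-1a fingerprint is a stand-in for a proper hash that only serves to tell section bodies apart.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One decoded top-level section of a wasm binary.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Section {
    /// "custom:<name>" for id 0, otherwise "id:<n>" (1 = type, 3 = function, 10 = code, ...).
    pub label: String,
    pub len: usize,
    pub fnv64: u64,
}

/// Unsigned LEB128 decoder, as used for every size and count in the wasm binary format.
fn read_leb_u32(bytes: &[u8], pos: &mut usize) -> Result<u32, String> {
    let mut result: u32 = 0;
    let mut shift = 0;
    loop {
        let b = *bytes.get(*pos).ok_or("unexpected end of input in LEB128")?;
        *pos += 1;
        result |= u32::from(b & 0x7f) << shift;
        if b & 0x80 == 0 {
            return Ok(result);
        }
        shift += 7;
        if shift >= 35 {
            return Err("LEB128 value too long for u32".into());
        }
    }
}

/// FNV-1a 64-bit fingerprint; only used to tell section bodies apart, not as a security hash.
fn fnv1a64(data: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in data {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// Walk the module header and every `id, size, body` section triple.
pub fn parse_sections(wasm: &[u8]) -> Result<Vec<Section>, String> {
    if wasm.len() < 8 || &wasm[0..4] != b"\0asm" {
        return Err("not a wasm binary (bad magic)".into());
    }
    if wasm[4..8] != [1, 0, 0, 0] {
        return Err("unsupported wasm version".into());
    }
    let mut pos = 8;
    let mut out = Vec::new();
    while pos < wasm.len() {
        let id = wasm[pos];
        pos += 1;
        let size = read_leb_u32(wasm, &mut pos)? as usize;
        let end = pos
            .checked_add(size)
            .filter(|&e| e <= wasm.len())
            .ok_or("section size exceeds input")?;
        let body = &wasm[pos..end];
        let label = if id == 0 {
            // Custom section: body starts with a LEB128-prefixed UTF-8 name.
            let mut p = 0;
            let name_len = read_leb_u32(body, &mut p)? as usize;
            let name_end = p.checked_add(name_len).ok_or("bad custom section name length")?;
            let name = body.get(p..name_end).ok_or("custom section name truncated")?;
            format!("custom:{}", String::from_utf8_lossy(name))
        } else {
            format!("id:{}", id)
        };
        out.push(Section { label, len: body.len(), fnv64: fnv1a64(body) });
        pos = end;
    }
    Ok(out)
}

/// Compare two modules section by section; returns one line per differing section
/// (empty when they match). Sections sharing a label collapse to the last one seen.
pub fn diff_sections(a: &[u8], b: &[u8]) -> Result<Vec<String>, String> {
    let index = |s: Vec<Section>| -> BTreeMap<String, (usize, u64)> {
        s.into_iter().map(|s| (s.label, (s.len, s.fnv64))).collect()
    };
    let (ma, mb) = (index(parse_sections(a)?), index(parse_sections(b)?));
    let keys: BTreeSet<&String> = ma.keys().chain(mb.keys()).collect();
    let mut diffs = Vec::new();
    for k in keys {
        match (ma.get(k), mb.get(k)) {
            (Some(x), Some(y)) if x == y => {}
            (Some(_), Some(_)) => diffs.push(format!("{}: content differs", k)),
            (Some(_), None) => diffs.push(format!("{}: only in first", k)),
            (None, Some(_)) => diffs.push(format!("{}: only in second", k)),
            (None, None) => unreachable!("key came from one of the maps"),
        }
    }
    Ok(diffs)
}

/// Constructed sample: a valid module with one empty function plus a `producers`
/// custom section whose payload is a placeholder, not real toolchain output.
pub fn sample_module(producer: &[u8]) -> Vec<u8> {
    let mut m = b"\0asm\x01\0\0\0".to_vec();
    m.extend_from_slice(&[0x01, 0x04, 0x01, 0x60, 0x00, 0x00]); // type: 1 functype () -> ()
    m.extend_from_slice(&[0x03, 0x02, 0x01, 0x00]); // function: 1 func of type 0
    m.extend_from_slice(&[0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b]); // code: 1 body, no locals, `end`
    let name = b"producers";
    let body_len = 1 + name.len() + producer.len(); // fits in one LEB128 byte here
    m.push(0x00);
    m.push(body_len as u8);
    m.push(name.len() as u8);
    m.extend_from_slice(name);
    m.extend_from_slice(producer);
    m
}

fn main() {
    let a = sample_module(b"linux");
    let b = sample_module(b"macos");
    match diff_sections(&a, &b) {
        Ok(d) if d.is_empty() => println!("modules are section-for-section identical"),
        Ok(d) => d.iter().for_each(|line| println!("{}", line)),
        Err(e) => eprintln!("error: {}", e),
    }
}
```

On real artifacts, read the two `.wasm` files with `std::fs::read` and pass them to `diff_sections`; if only custom sections show up as differing, the code the macro actually runs is the same and the mismatch is metadata, whereas a differing `id:10` (code) or `id:11` (data) section means the builds genuinely diverge.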