Fabo inquired about using electron-builder and found that it's non-deterministic.
We had a conversation earlier about using electron-builder.
Tools that create installers for Electron applications:
| Name | Platforms | Reproducible Builds? |
| ------ | --------- | ---- |
| electron-builder | all | AppImage: no, Snap: maybe, Windows: no |
| Electron Forge | (it uses other installers in this table) | |
| Electron Installer Grunt Plugin | Windows | |
| electron-installer-debian | Debian | |
| node-appdmg (electron-installer-dmg) | macOS | no, created issue and issue |
| electron-installer-flatpak | Flatpak | |
| electron-installer-redhat | Red Hat | |
| electron-installer-windows | Windows | |
| electron-windows-store | Windows | |
| electron-winstaller | Windows | |
| electron-wix-msi | Windows | |
Timebox 1d
@NodeGuy do you think we should also proceed with #908 either with electron-installer-zip or electron-installer-dmg ?
Note: Bitcoin Core uses the Gitian builder for deterministic builds. Here is the link to the setup instructions.
But this is just the environment right? The build process also needs to be deterministic.
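The point just made, that the build step itself and not only the environment has to be deterministic, in an added Python example that is not from this thread or from any of the listed installer tools: it packs the same sample file tree twice, an hour apart, first the way a typical zip packer does (copying each file's mtime and the directory listing order into the archive) and then with sorted entries, a pinned timestamp and fixed permission bits. The sample files and the checkout times are constructed for illustration.

```python
import hashlib
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Constructed stand-in for an Electron app bundle (not any real project's files).
SAMPLE_FILES = {
    "app/package.json": b'{"name": "demo", "version": "1.0.0"}\n',
    "app/main.js": b"require('electron');\n",
    "LICENSE": b"MIT\n",
}
FIXED_DATE_TIME = (1980, 1, 1, 0, 0, 0)  # pinned; zip's DOS time cannot predate 1980

def write_sample_tree(root, mtime):
    # Write SAMPLE_FILES under root, stamping every file with the given mtime.
    for rel, data in SAMPLE_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))

def walk(root):
    # (archive name, path) pairs in whatever order the filesystem yields them.
    for p in Path(root).rglob("*"):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p

def zip_naive(root):
    # Typical packer: directory order as found, file mtime and mode copied into each entry.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for arcname, p in walk(root):
            zf.write(p, arcname)  # ZipFile.write() records the file's mtime
    return buf.getvalue()

def zip_reproducible(root):
    # Same content, but sorted entries plus a pinned timestamp and permission bits.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for arcname, p in sorted(walk(root)):
            info = zipfile.ZipInfo(arcname, date_time=FIXED_DATE_TIME)
            info.external_attr = 0o644 << 16  # fixed Unix mode bits
            zf.writestr(info, p.read_bytes(), compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def build_twice(packer, seconds_apart=3600.0):
    # SHA-256 of packer() over two checkouts of the same tree made an hour apart.
    digests = []
    for offset in (0.0, seconds_apart):
        with tempfile.TemporaryDirectory() as root:
            write_sample_tree(root, 1_600_000_000.0 + offset)  # constructed checkout times
            digests.append(hashlib.sha256(packer(root)).hexdigest())
    return tuple(digests)
```

Comparing `build_twice(zip_naive)` with `build_twice(zip_reproducible)` shows the naive archive changing its hash on every fresh checkout while the normalised one stays byte-identical, which is the property a third party needs in order to rebuild and compare a release.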
In the case of Linux, I'd definitely go for Flatpak. It has a long list of advantages (see https://github.com/signalapp/Signal-Desktop/issues/1639#issuecomment-342422537) as well as an app store, Flathub. There are other concerns related to Flathub's security stated in https://github.com/signalapp/Signal-Desktop/issues/1639#issuecomment-347410590 that we'd have to investigate.
About determinism:
> Flatpak builds are reproducible, so anyone could download the build manifest and build the exact same binary. The flathub builders also run without network access.
Also,
> Every commit to a Flatpak repository should be signed with a GPG signature.
See Signing
> @NodeGuy do you think we should also proceed with #908 either with electron-installer-zip or electron-installer-dmg ?
electron-installer-zip doesn't create an installer so it doesn't seem very interesting.
electron-installer-dmg isn't deterministic (see my issue).
The owner of node-appdmg responded enthusiastically about working together to make it deterministic but we're now outside the time box of 1 day. @faboweb How should we reply?
This sounds like a longer endeavour. Let's respect the timebox and come back to it later. There are new proposals about handling this issue.
Blocked: waiting for @jessysaurusrex's input on security
Where did the requirement for the installer to be deterministic come from? Given some of the constraints that are mentioned above, it seems like we should wait for electron-builder to mature a bit more since there are other ways to address the risks at hand.
In this case, especially since we are talking about code that includes Electron (which is a huge project that we absolutely do not want to fork/write a new library for right now), it would be best for us to move forward by signing our binaries so that third parties are able to verify that they're using what we've marked for distribution.
@jessysaurusrex if having non-deterministic binaries is enough from a security perspective, let's only go with signing. How would you set up the process of signing the binaries?
On our end, we'll need to make sure that we have some infrastructure in place in the form of secure servers (Windows, Mac, Linux machines) that are offline or that we can run from an automated and reproducible state... and we'll need to store the signing cert offline to reduce risk (possibly on a Ledger). That's a bit of operations work plus some planning in the certificate/key management realm, in addition to the actual process for signing our binary.
Is this something you'd just like a high level plan for, or should it be an end-to-end process? I can begin following up on the server/cert management piece tomorrow, @faboweb.
@jessysaurusrex thx for offering help. I will clarify some things today and ping you afterwards.
@faboweb Let's pick this conversation back up soon!
Closing this as we will no longer aim to deliver an installable application.