# Tornado Cash Community Build ## TL;DR [ipfs://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa](ipfs://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa) If you don't yet have an IPFS enabled browser then you can use one of the following instead (not recommended): https://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa.ipfs.tornadocash.is https://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa.ipfs.cf-ipfs.com ### How To: IPFS Enabled Browser #### Brave 1. Navigate to [ipfs://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa](ipfs://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa) 2. When prompted, choose "Use a Brave local IPFS node". 3. Wait for it to setup/install. 4. Verify `Tornado.cash version: ea97a39` at the bottom of the page once it loads. 5. Securely access IPFS websites without needing to trust any third party gateway or centralized service! #### Firefox 1. Install [IPFS Desktop](https://docs.ipfs.io/install/ipfs-desktop/) 2. Install [IPFS Companion (browser extension)](https://addons.mozilla.org/en-US/firefox/addon/ipfs-companion/) 3. Navigate to [ipfs://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa](ipfs://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa) 4. Verify `Tornado.cash version: ea97a39` at the bottom of the page once it loads. 5. Stand proud as a 1337 h4x0 fighting against the chromium browser hegemony! #### Chrome 1. Install Brave. 2. See instructions for Brave above. 3. Rejoice in being part of the solution, rather than the problem. ## How To: Verification ### As a User Browse with IPFS and look to your trust network for verification that the IPFS hash above is legitimate. ### As a Developer 1. Create a `Dockerfile` in some directory with the following contents: ```dockerfile= # FROM node:14.20.0-bullseye-slim FROM node@sha256:bc3ba9f44ea24daa94dfecb8e3aec9ea58229e5cb6610b7739162a07f5995ee7 # install wget, git and necessary certificates so we can install IPFS below RUN apt update && apt install --yes --no-install-recommends wget git apt-transport-https ca-certificates && rm -rf /var/lib/apt/lists/* # install IPFS WORKDIR /home/root RUN wget -qO - https://dist.ipfs.tech/kubo/v0.14.0/kubo_v0.14.0_linux-amd64.tar.gz | tar -xvzf - \ && cd kubo \ && ./install.sh \ && cd .. \ && rm -rf kubo RUN ipfs init # clone the repository ARG GIT_REPOSITORY RUN git clone $GIT_REPOSITORY /app/ WORKDIR /app ARG GIT_COMMIT_HASH RUN git fetch --all RUN git reset $GIT_COMMIT_HASH --hard # install, build and prep for deployment RUN yarn install --frozen-lockfile --ignore-scripts RUN yarn build RUN yarn generate # add the build output to IPFS and write the hash to a file RUN ipfs add --cid-version 1 --quieter --only-hash --recursive ./dist > ipfs_hash.txt # print the hash for good measure in case someone is looking at the build logs RUN cat ipfs_hash.txt # this entrypoint file will execute `ipfs add` of the build output to the docker host's IPFS API endpoint, so we can easily extract the IPFS build out of the docker image RUN printf '#!/bin/sh\nipfs --api /ip4/`getent ahostsv4 host.docker.internal | grep STREAM | head -n 1 | cut -d \ -f 1`/tcp/5001 add --cid-version 1 -r ./dist' >> entrypoint.sh RUN chmod u+x entrypoint.sh ENTRYPOINT [ "./entrypoint.sh" ] ``` 2. Run the following command: ```bash docker image build --file Dockerfile.ipfs --build-arg GIT_REPOSITORY=https://development.tornadocash.community/tornadocash/classic-ui.git --build-arg GIT_COMMIT_HASH=ea97a39aff1a79a5fbb497c7310ab23678d8668d --progress plain --tag tornado-classic-ui . ``` 3. Look for the IPFS hash printed out on step 17, or run the following command to print it out from an already built image: ```bash docker container run --rm -it --entrypoint cat tornado-classic-ui /app/ipfs_hash.txt ``` 4. Verify that the hash printed matches the one in the links above. 5. If you have IPFS installed with default configuration (e.g., IPFS Desktop) on the Docker host then run the following command to add it to that host's IPFS node: ```bash docker container run --rm tornado-classic-ui ``` 6. Review the diff from the previous deployment at https://development.tornadocash.community/tornadocash/classic-ui/compare/a83fae0772c8da084c0e76b3a756b456f5b9f5bb...ea97a39aff1a79a5fbb497c7310ab23678d8668d and make sure nothing nefarious is included. 7. Tell all of your friends that the build appears to be legitimate! ### As an Auditor 1. Use https://app.ens.domains (or tool of your choice) to verify that `tornadocash.eth` points at `bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri`. 2. Navigate to [ipfs://bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri](ipfs://bafybeicu2anhh7cxbeeakzqjfy3pisok2nakyiemm3jxd66ng35ib6y5ri) and verify that the footer says `Tornado.cash version: a83fae0` (this is the git commit hash of this deployment). 3. `git clone https://development.tornadocash.community/tornadocash/classic-ui.git` 4. Check the changes between the commit hash `a83fae0772c8da084c0e76b3a756b456f5b9f5bb` (build pointed to by tornadocash.eth) and the commit hash `ea97a39aff1a79a5fbb497c7310ab23678d8668d` (the build that is used to generated the IPFS hash referenced at the top of this page). 5. Upon noticing that one dependency has changed (websnark) review the changes for that dependency by cloning https://development.tornadocash.community/tornadocash/websnark.git and comparing the hashes listed in `package.json` of the `classic-ui` repository. 6. `docker image pull node:14.20.0-bullseye-slim` and make sure it matches `sha256:bc3ba9f44ea24daa94dfecb8e3aec9ea58229e5cb6610b7739162a07f5995ee7`. 7. Verify that dist.ipfs.tech is a legitimate source for IPFS binary distributions. 8. Create a `Dockerfile` in a folder somewhere with the `Dockerfile` found in the [As a Developer](#As-a-Developer) section above. 9. Review the contents of the Dockerfile to make sure there is no funny business. Bonus points if you can figure out WTF the `entrypoint.sh` is doing! 10. Verify URL/commit hash in the following command and then run it: ```bash docker image build --file Dockerfile.ipfs --build-arg GIT_REPOSITORY=https://development.tornadocash.community/tornadocash/classic-ui.git --build-arg GIT_COMMIT_HASH=ea97a39aff1a79a5fbb497c7310ab23678d8668d --progress plain --tag tornado-classic-ui . ``` 11. Follow instructions 3 through 5 in the [As a Developer](#As-a-Developer) section above. 12. Flex your auditing superpowers on all of your social networks by telling people that you have thoroughly reviewed the content of [ipfs://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa](ipfs://bafybeiguelxw5aanwnhvaea5vjhknmcdmwvujne36wgabnkmcbt3563toa) and can confirm that it is as legitimate as the deployment found at [ipfs://tornadocash.eth](ipfs://tornadocash.eth)!