Build from Source
You should not trust a binary you did not build yourself.
Prerequisites
| Dependency | Version | Purpose |
|---|---|---|
| Rust | 1.78+ | Core library compilation (install via rustup.rs) |
| Node.js | 20 LTS+ | Desktop UI build (React + Tauri) |
| protobuf | protoc 25+ | Protocol Buffer compilation |
| Xcode | 15+ | macOS/iOS only: native signing, Secure Enclave, frameworks |
| Android SDK | API 34+ | Android only: NDK for Rust cross-compilation |
Clone and Verify
# Clone the repository
git clone https://github.com/rvntos/rvnt.git
cd rvnt
# Verify the latest commit is signed
git log --show-signature -1
# You should see: "Good signature from RVNT Release Signing Key"
# If the signature is bad or missing, do not proceed.
# Verify you are on a tagged release (optional but recommended)
git tag --verify v1.0.0
# Verify the tag signature matches our release key
# Import our release signing key (if you haven't already)
curl -sL https://rvntos.io/keys/release.asc | gpg --import
gpg --fingerprint release@rvntos.io
# Cross-reference fingerprint with GitHub, Keybase, and websitemacOS
# Install system dependencies
brew install protobuf
# Verify Rust toolchain
rustc --version # Should be 1.78+
cargo --version
# Build the Rust core library (all crates)
cargo build --release
# This compiles: rvnt-crypto, rvnt-network, rvnt-storage,
# rvnt-identity, rvnt-protocol, rvnt-wallet, rvnt-ffi
# Run the test suite (recommended before building the app)
cargo test --release
# All tests should pass. If any fail, do not proceed.
# Build the desktop application (Tauri + React)
cd desktop
npm install
npm run build
# Tauri builds the Rust backend and React frontend together
# The .app bundle is at:
# desktop/src-tauri/target/release/bundle/macos/RVNT.app
# To build a distributable DMG:
npm run tauri build
# Output: desktop/src-tauri/target/release/bundle/dmg/RVNT_x.x.x_aarch64.dmgmacOS Code Signing (Optional)
# RVNT does not use Apple Developer ID signing by design.
# We do not want Apple to have a kill switch on our application.
#
# If you want to sign with your own Developer ID:
npm run tauri build -- --sign
# Requires APPLE_SIGNING_IDENTITY environment variable
# If you get "unidentified developer" warning:
# System Settings > Privacy & Security > Open AnywayLinux
# Install system dependencies
# Debian/Ubuntu:
sudo apt update
sudo apt install -y \
build-essential \
pkg-config \
libssl-dev \
protobuf-compiler \
libgtk-3-dev \
libwebkit2gtk-4.1-dev \
libappindicator3-dev \
librsvg2-dev \
libayatana-appindicator3-dev
# Fedora:
sudo dnf install -y \
gcc gcc-c++ \
openssl-devel \
protobuf-compiler \
gtk3-devel \
webkit2gtk4.1-devel \
libappindicator-gtk3-devel
# Arch Linux:
sudo pacman -S \
base-devel \
openssl \
protobuf \
gtk3 \
webkit2gtk-4.1 \
libappindicator-gtk3
# Build and test
cargo build --release
cargo test --release
# Build desktop app
cd desktop
npm install
npm run build
# Package as AppImage (runs on any Linux distro)
npm run tauri build
# Output: desktop/src-tauri/target/release/bundle/appimage/RVNT_x.x.x_amd64.AppImage
# Package as .deb (Debian/Ubuntu)
# Also produced by `npm run tauri build`
# Output: desktop/src-tauri/target/release/bundle/deb/rvnt_x.x.x_amd64.debWindows
# Prerequisites:
# 1. Install Visual Studio Build Tools
# https://visualstudio.microsoft.com/visual-cpp-build-tools/
# Select "Desktop development with C++" workload
#
# 2. Install Rust via rustup-init.exe
# https://rustup.rs
#
# 3. Install protobuf
# choco install protoc
# (or download from https://github.com/protocolbuffers/protobuf/releases)
#
# 4. Install Node.js 20 LTS
# https://nodejs.org
# Build and test
cargo build --release
cargo test --release
# Build desktop app
cd desktop
npm install
npm run tauri build
# Output: desktop\src-tauri\target\release\bundle\msi\RVNT_x.x.x_x64.msi
# Output: desktop\src-tauri\target\release\bundle\nsis\RVNT_x.x.x_x64-setup.exeMobile Builds
iOS
# Add iOS target
rustup target add aarch64-apple-ios
# Build the Rust static library for iOS
cargo build --release --target aarch64-apple-ios
# Generate UniFFI Swift bindings
cd crates/rvnt-ffi
cargo run --bin uniffi-bindgen generate --library ../../target/aarch64-apple-ios/release/librvnt_ffi.a --language swift --out-dir ../../mobile/ios/Generated
# Open the React Native project
cd mobile
npx react-native run-ios
# Or open mobile/ios/RVNT.xcworkspace in XcodeAndroid
# Add Android targets
rustup target add aarch64-linux-android armv7-linux-androideabi x86_64-linux-android
# Set NDK path
export ANDROID_NDK_HOME=$HOME/Android/Sdk/ndk/26.1.10909125
# Install cargo-ndk
cargo install cargo-ndk
# Build for all Android architectures
cargo ndk --target aarch64-linux-android --platform 34 build --release
cargo ndk --target armv7-linux-androideabi --platform 34 build --release
cargo ndk --target x86_64-linux-android --platform 34 build --release
# Generate UniFFI Kotlin bindings
cd crates/rvnt-ffi
cargo run --bin uniffi-bindgen generate --library ../../target/aarch64-linux-android/release/librvnt_ffi.so --language kotlin --out-dir ../../mobile/android/app/src/main/java/io/rvntos/core
# Build the APK
cd mobile
npx react-native run-android
# Or: cd android && ./gradlew assembleReleaseReproducible Builds
RVNT targets deterministic compilation. Given the same source code, toolchain version, and target platform, you should produce a byte-identical binary. This allows you to verify that the official release binary was built from the published source code.
# Reproducible build procedure:
# 1. Use the exact Rust toolchain version specified in rust-toolchain.toml
rustup show
# Should match the version in the repo's rust-toolchain.toml
# 2. Build with locked dependencies and path remapping
CARGO_BUILD_RUSTFLAGS="--remap-path-prefix=$HOME=~ --remap-path-prefix=$(pwd)=/build" \
cargo build --release --locked
# 3. Strip debug symbols (to match official build)
strip target/release/rvnt
# 4. Compute hash
shasum -a 256 target/release/rvnt
# 5. Compare with the official release hash
# Published at: https://rvntos.io/releases/SHA256SUMS
# Also in the GitHub release assets
# If hashes match: the official binary was built from this source.
# If hashes don't match: something is different. Investigate.Factors That Affect Reproducibility
Must match for identical output:
✓ Source code (same git commit)
✓ Rust toolchain version (pinned in rust-toolchain.toml)
✓ Cargo.lock (locked dependencies)
✓ Target triple (e.g., aarch64-apple-darwin)
✓ Build profile (--release)
✓ RUSTFLAGS (path remapping)
May cause differences:
✗ macOS SDK version (Xcode version)
✗ Linker version
✗ System library versions (OpenSSL, etc.)
To maximize reproducibility:
- Use the Docker build environment (planned)
- Pin all system dependencies
- Use the exact Xcode version specified in CIDependency Audit
# Check for known vulnerabilities in dependencies
cargo audit
# Check license compliance
cargo deny check licenses
# List all dependencies
cargo tree
# Verify that no unexpected dependencies were added
# Compare cargo tree output with the expected list in DEPENDENCIES.md Supply chain security matters. RVNT uses
cargo-audit and cargo-deny in CI to catch vulnerable or problematically-licensed dependencies. We pin all dependency versions via Cargo.lock and review all dependency updates before merging. If you find a suspicious dependency, report it via our security disclosure process.
Further Reading
- Verify Binary -- How to verify a downloaded binary matches the source
- Code Architecture -- Understand the crate structure you are building
- Contributing -- Set up a development environment