LinusU / node-appdmg

💾 Generate your app dmgs
MIT License

make reproducible builds #166

Open NodeGuy opened 6 years ago

NodeGuy commented 6 years ago

We need reproducible builds for a security-sensitive application. When I made a test DMG twice in a row I got different results:

{
  "title": "Test Application",
  "contents": [
    { "x": 448, "y": 344, "type": "link", "path": "/Applications" },
    { "x": 192, "y": 344, "type": "file", "path": "Cosmos Voyager.app" }
  ]
}

$ appdmg appdmg.json test1.dmg
[ 1/21] Looking for target...                [ OK ]
[ 2/21] Reading JSON Specification...        [ OK ]
[ 3/21] Parsing JSON Specification...        [ OK ]
[ 4/21] Validating JSON Specification...     [ OK ]
[ 5/21] Looking for files...                 [ OK ]
[ 6/21] Calculating size of image...         [ OK ]
[ 7/21] Creating temporary image...          [ OK ]
[ 8/21] Mounting temporary image...          [ OK ]
[ 9/21] Making hidden background folder...   [ OK ]
[10/21] Copying background...                [SKIP]
[11/21] Reading background dimensions...     [SKIP]
[12/21] Copying icon...                      [SKIP]
[13/21] Setting icon...                      [SKIP]
[14/21] Creating links...                    [ OK ]
[15/21] Copying files...                     [ OK ]
[16/21] Making all the visuals...            [ OK ]
[17/21] Blessing image...                    [ OK ]
[18/21] Unmounting temporary image...        [ OK ]
[19/21] Finalizing image...                  [ OK ]
[20/21] Signing image...                     [SKIP]
[21/21] Removing temporary image...          [ OK ]
[22/21] Removing target image...             [ OK ]

Your image is ready:
test1.dmg
$ appdmg appdmg.json test2.dmg
[ 1/21] Looking for target...                [ OK ]
[ 2/21] Reading JSON Specification...        [ OK ]
[ 3/21] Parsing JSON Specification...        [ OK ]
[ 4/21] Validating JSON Specification...     [ OK ]
[ 5/21] Looking for files...                 [ OK ]
[ 6/21] Calculating size of image...         [ OK ]
[ 7/21] Creating temporary image...          [ OK ]
[ 8/21] Mounting temporary image...          [ OK ]
[ 9/21] Making hidden background folder...   [ OK ]
[10/21] Copying background...                [SKIP]
[11/21] Reading background dimensions...     [SKIP]
[12/21] Copying icon...                      [SKIP]
[13/21] Setting icon...                      [SKIP]
[14/21] Creating links...                    [ OK ]
[15/21] Copying files...                     [ OK ]
[16/21] Making all the visuals...            [ OK ]
[17/21] Blessing image...                    [ OK ]
[18/21] Unmounting temporary image...        [ OK ]
[19/21] Finalizing image...                  [ OK ]
[20/21] Signing image...                     [SKIP]
[21/21] Removing temporary image...          [ OK ]
[22/21] Removing target image...             [ OK ]

Your image is ready:
test2.dmg
$ ls -l *.dmg
-rw-r--r--@ 1 david  staff  164625813 Aug 29 17:21 test1.dmg
-rw-r--r--@ 1 david  staff  164625850 Aug 29 17:30 test2.dmg

LinusU commented 6 years ago

I would love it if we could implement this!

It would probably involve clearing some mtimes/atimes, possibly also writing our own .ds_store writer to get full control over that.

I think a first step is to mount the two images that you got, and run a recursive diff on the two mounted folders. That should get us closer to figuring out what parts need to be fixed.

NodeGuy commented 5 years ago

Great, I appreciate your enthusiasm! Unfortunately I don't have the resources to help right now but will circle back when I do.

dliessi commented 5 years ago

I created the test DMG twice: the results were different. I mounted the two images and ran a recursive diff: the only differing file was .DS_Store in the root of the DMG. You can find the two .DS_Store files at the following links: https://www.dropbox.com/s/2nhmtbys4ko4grt/DS_Store1?dl=0 https://www.dropbox.com/s/0kktid0r5hrjl2l/DS_Store2?dl=0
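
The mount-and-recursive-diff step discussed in this thread, sketched as an added example (not code from the commenters or from appdmg). It assumes both images are already mounted and goes one step beyond a content diff by also reporting modification-time differences, which the thread names as a likely source of non-determinism; the function names and mount paths are hypothetical.

```python
import hashlib
import os
import stat
import sys


def snapshot(root):
    """Map each path under root to (kind, content digest or link target, mtime)."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # describe a link (e.g. /Applications) itself
            kind, digest = "other", ""
            if stat.S_ISLNK(st.st_mode):
                kind, digest = "link", os.readlink(full)
            elif stat.S_ISDIR(st.st_mode):
                kind = "dir"
            elif stat.S_ISREG(st.st_mode):
                kind, sha = "file", hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        sha.update(chunk)
                digest = sha.hexdigest()
            entries[os.path.relpath(full, root)] = (kind, digest, int(st.st_mtime))
    return entries


def compare(root_a, root_b):
    """Sort paths into: missing on one side, content differs, only mtime differs."""
    a, b = snapshot(root_a), snapshot(root_b)
    report = {"only_in_a": [], "only_in_b": [], "content": [], "mtime": []}
    for path in sorted(set(a) | set(b)):
        if path not in b:
            report["only_in_a"].append(path)
        elif path not in a:
            report["only_in_b"].append(path)
        elif a[path][:2] != b[path][:2]:
            report["content"].append(path)
        elif a[path][2] != b[path][2]:
            report["mtime"].append(path)
    return report


if __name__ == "__main__":
    # Usage (placeholder paths): python compare_mounts.py /Volumes/A /Volumes/B
    result = compare(sys.argv[1], sys.argv[2])
    for category, paths in result.items():
        for p in paths:
            print(f"{category}: {p}")
    sys.exit(1 if any(result.values()) else 0)
```

An empty report with exit status 0 means the two mounted trees match in content and mtimes; the image files themselves can still differ in container-level metadata that this check does not inspect.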