hasherezade / pe-bear

Portable Executable reversing tool with a friendly GUI
https://hshrzd.wordpress.com/pe-bear/
GNU General Public License v2.0
2.71k stars 165 forks

ReproChecksum instead of TimeDateStamp #28

Open VBoucher opened 1 year ago

VBoucher commented 1 year ago

When I load a PE file, in the NT Header -> File Header, in the place where I should see TimeDateStamp, I see "ReproChecksum" in its place and the value doesn't make sense.

Any idea why? And how to show the actual compilation date?

hasherezade commented 1 year ago

Hi @VBoucher! This is not a bug. Actually, some of the PEs are built with the /Brepro flag. This flag enables reproducible builds. It means every build from the same code, with the same settings, must have an identical hash. That would not be the case if the real timestamp of compilation was stored - on each build the current time will be taken, and this is going to cause the full PE to have a new hash. That's why, in reproducible builds, the timestamps aren't stored. Instead of them, what is stored is the checksum (or a constant 0xFFFFFFFF). You can read more about it here: https://www.amossys.fr/fr/ressources/blog-technique/pe-timestamps-and-bepro-flag/ PE-bear displays this field as ReproChecksum, rather than TimeDateStamp, just to support this convention, and not to mislead the user, because it is not a timestamp in fact.

VBoucher commented 1 year ago

Interesting! I didn't know about that. Thanks for the information! One question in case you know, what would be the point of a build but no change in the code or settings?

hasherezade commented 1 year ago

Are you asking for the reason why reproducible builds are even needed? The same code can be built on different days, by different entities. Someone else can download your code, build it on their machine, with the same settings, and get the same hash of the executable.