compiling `bun_shim_impl.exe` is not reproducible / can triggers anti-virus

[paperdave]

dumpbin /all .\zig-out\bun_shim_impl.exe > out2.txt

Dump of file .\zig-out\bun_shim_impl.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               3 number of sections
        6674BAC3 time date stamp Thu Jun 20 16:26:59 2024
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              22 characteristics
                   Executable
                   Application can handle large (>2GB) addresses

That is a timestamp embedded in the file. ......... yeah unfortunate.

I know that the Zig compiler has tests that make sure that compiling itself is reproducible, so this has to be possible.

Then, once bun_shim_impl.exe has a static hash, we should add an assertion that the hash continues to stay the same.

After all of that is done, this binary will have a stable hash and can be properly added to anti-virus exclusion lists. It's been brought to my attention that this executable trips a Malwarebytes heuristic. We cannot possibly fix that if each build of Bun from CI changes this file.

For the rest of us, AV seems pretty friendly to this exe, as I have not seen anything flag it yet.

[Jarred-Sumner]

can be properly added to anti-virus exclusion lists

why can’t we have CI push it up to them?

[ezShroom]

can be properly added to anti-virus exclusion lists

why can’t we have CI push it up to them?

Malwarebytes doesn't have any method for that, I think. So it's just two methods to resolve the problem that I can see, either signing the exe or putting the one version you'll use forever and ever on the forums (which isn't possible right now because the builds aren't reproducible)