sbt / sbt-native-packager

sbt Native Packager
https://sbt-native-packager.readthedocs.io/en/stable/
BSD 2-Clause "Simplified" License

Use SOURCE_DATE_EPOCH for zip, tar, xz, gzip, rpm, msi #1547

Closed stevedlawrence closed 1 year ago

stevedlawrence commented 1 year ago

SOURCE_DATE_EPOCH is a standardized environment variable that can be set to create reproducible builds:

https://reproducible-builds.org/docs/source-date-epoch/

If the SOURCE_DATE_EPOCH environment variable is defined, its value is used during the creation of zip, tar, gzip, xz, rpm, and msi files in places where timestamp information is embedded in the resulting file.

To support this capability, a new sourceDateEpoch file utility is added which executes the touch command to set the mtime of the provided file/directory and all children. This utility is called on all source files for the listed packages.

For zip, this also adds the -o option to native zip, and calls setTime() for the non-native zip.

For rpm, this also sets the %use_source_date_epoch_as_buildtime and %clamp_mtime_to_source_date_epoch tunables to 1 to ensure the build time and timestamps embedded in the RPM are set to the epoch.

For msi, the SOURCE_DATE_EPOCH variable is also used to generate reproducible name-based UUIDs, using a combination of an identifier and the epoch value. Note that this does not change the "Product" GUID or the build time that is embedded in the MSI. There does not seem to be a way to change these, so MSI builds are not 100% reproducible. However, with these changes the output of tools like msidiff is much smaller and easier to confirm similar builds.

If SOURCE_DATE_EPOCH is not set then the current behavior is used. Archives and rpms use timestamps of when the files are modified/created, and MSI uses random GUIDs.
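As an added example (not code from this PR or from sbt-native-packager, whose implementation is Scala), the Python script below shows the pieces the description combines: reading SOURCE_DATE_EPOCH, clamping the mtimes of a source tree, stamping zip entries with the epoch (the effect of `zip -o` / `setTime()`), and deriving name-based UUIDs from an identifier plus the epoch. The `uuid.NAMESPACE_URL` namespace, the identifier string, the sample file tree and the 1980 clamp for zip timestamps are assumptions of this example; `demo()` builds the same tree twice with and without an epoch so the difference in archive bytes can be observed.

```python
import hashlib
import os
import tempfile
import time
import uuid
import zipfile
from pathlib import Path

# Zip DOS timestamps cannot represent dates before 1980-01-01 00:00:00 UTC,
# so an older epoch is clamped to that value (assumption of this example).
ZIP_MIN_EPOCH = 315532800


def source_date_epoch(env=os.environ):
    """Return SOURCE_DATE_EPOCH as an int, or None when unset (current behaviour applies)."""
    value = env.get("SOURCE_DATE_EPOCH")
    return int(value) if value is not None else None


def clamp_mtimes(root, epoch):
    """Set the mtime of root and every child to epoch, the equivalent of the
    touch-based utility described in the PR. Returns the number of paths touched."""
    root = Path(root)
    paths = [root, *root.rglob("*")]
    for p in paths:
        os.utime(p, (epoch, epoch))
    return len(paths)


def reproducible_uuid(identifier, epoch):
    """Name-based (version 5) UUID derived from an identifier and the epoch.
    The namespace and the "identifier:epoch" layout are assumptions of this example."""
    return uuid.uuid5(uuid.NAMESPACE_URL, f"{identifier}:{epoch}")


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_zip(src_dir, out_path, epoch=None):
    """Write a zip of src_dir and return its SHA-256. With an epoch, entries are
    added in sorted order with fixed permissions and the epoch as timestamp;
    without one, each entry carries the file's own mtime (the current behaviour)."""
    src_dir = Path(src_dir)
    files = sorted(p for p in src_dir.rglob("*") if p.is_file())
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in files:
            arcname = f.relative_to(src_dir).as_posix()
            if epoch is None:
                info = zipfile.ZipInfo.from_file(f, arcname)
            else:
                stamp = time.gmtime(max(epoch, ZIP_MIN_EPOCH))[:6]
                info = zipfile.ZipInfo(arcname, date_time=stamp)
                info.external_attr = 0o644 << 16  # constant mode bits for determinism
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, f.read_bytes())
    return sha256_of(out_path)


def demo(epoch=1700000000):
    """Constructed sample tree, archived twice each way. Returns the zip hashes."""
    src = Path(tempfile.mkdtemp(prefix="sde-src-"))
    out = Path(tempfile.mkdtemp(prefix="sde-out-"))
    (src / "bin").mkdir()
    (src / "bin" / "app").write_text("#!/bin/sh\necho hello\n")
    (src / "README").write_text("sample payload\n")

    # Reproducible path: clamp mtimes, then stamp entries with the epoch.
    clamp_mtimes(src, epoch)
    with_epoch = (build_zip(src, out / "a.zip", epoch),
                  build_zip(src, out / "b.zip", epoch))

    # Current behaviour: entries carry the files' own mtimes, so a file touched
    # between two builds changes the archive bytes.
    first = build_zip(src, out / "c.zip")
    os.utime(src / "README", (epoch + 86400, epoch + 86400))
    second = build_zip(src, out / "d.zip")
    return {"with_epoch": with_epoch, "without_epoch": (first, second)}


if __name__ == "__main__":
    result = demo()
    print("with epoch identical:", result["with_epoch"][0] == result["with_epoch"][1])
    print("without epoch identical:", result["without_epoch"][0] == result["without_epoch"][1])
    print("component UUID:", reproducible_uuid("MainExecutable", 1700000000))
```

The same check applies to the real packages: build twice with SOURCE_DATE_EPOCH exported and compare digests, then repeat without it to confirm the timestamps were the only source of variation.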

lightbend-cla-validator commented 1 year ago

Hi @stevedlawrence,

Thank you for your contribution! We really value the time you've taken to put this together.

We see that you have signed the Lightbend Contributors License Agreement before, however, the CLA has changed since you last signed it. Please review the new CLA and sign it before we proceed with reviewing this pull request:

https://www.lightbend.com/contribute/cla