Feat: Deterministic builds (#4)

* Update README.md Fix wrong sentence * Update action - Should create reproducible builds now * Update main.yml * fix: Fill random seed with individual filenames - The frandom-seed value should be different for each compiled file - see <https://gcc.gnu.org/onlinedocs/gcc/Developer-Options.html> for details * Update Dockerfile to Fedora 41 - More recent packages - Ignore weak dependencies to speed up installation * Update GH action to use Fedora 41 as well - Also skip weak dependencies there
maweil · Dec 3, 2024 · 7317f0e · 7317f0e
1 parent bffcbe1
commit 7317f0e
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 35 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,18 +1,19 @@
 name: Build make for Windows (x86_64)
 
 on:
+  workflow_dispatch:
   push:
-    branches: [ "main" ]
+    branches: [ "main", "feat/deterministic-builds" ]
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    container: registry.fedoraproject.org/fedora:37
+    container: registry.fedoraproject.org/fedora:41
     steps:
       - name: Install Dependencies
-        run: dnf install -y -q mingw64-gcc make wget tar
+        run: dnf install --setopt=install_weak_deps=False -y -q mingw64-gcc make wget tar
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Download make release tar.gz file
         run: wget "https://ftpmirror.gnu.org/make/$(cat build_version.sha256sum | cut -d ' ' -f3)"
@@ -26,7 +27,7 @@ jobs:
       - name: Hash the built binaries
         run: sha256sum make-*/dist/*
 
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: make-bin-win64
           path: ./make-*/dist/
diff --git a/Dockerfile b/Dockerfile
@@ -1,2 +1,2 @@
-FROM registry.fedoraproject.org/fedora:37
-RUN dnf install -y mingw64-gcc wine-core
+FROM registry.fedoraproject.org/fedora:41
+RUN dnf --setopt=install_weak_deps=False install -y mingw64-gcc make wine-core
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ This part was tested on Fedora 37 only so far, so you may have to adapt the pack
 
 4. (Optional, but recommended): Verify the integrity of the downloaded file
 
-   Download the corresponding by downloading the corresponding `tar.gz.sig` file as well.
+   Download the corresponding `tar.gz.sig` file as well, which contains the signature of the tarball.
    Import the public key of the developer who signed the file. As of writing, the latest key for signing the releases was announced [here](https://lists.gnu.org/archive/html/bug-make/2016-12/msg00002.html). You can now verify the signature by running `gpg --verify make-*.tar.gz.sig`.
 
 5. (Optional): Update the `build_version.sha256sum` file

diff --git a/cross_build_w64.sh b/cross_build_w64.sh
@@ -1,22 +1,5 @@
 #!/usr/bin/bash
 set -e
-copy_dependent_dlls(){
-  local parent_exe_or_dll="$1"
-  local dll_source_dir="/usr/$host_triplet"
-  local all_dlls=($(x86_64-w64-mingw32-objdump -p "$parent_exe_or_dll" | grep 'DLL Name:' | sed -e "s/\t*DLL Name: //g"))
-  for dll_name in ${all_dlls[@]}
-  do
-    echo "Searching $dll_name" in $dll_source_dir
-    find "$dll_source_dir" -name "$dll_name" -exec cp "{}" ./dist \;
-    dist_dll_path="./dist/$dll_name"
-    if [[ -f "$dist_dll_path" ]]
-    then
-      copy_dependent_dlls "$dist_dll_path"
-    fi
-  done
-}
-
-
 
 # Verify tarball integrity first
 echo "##############################"
@@ -40,19 +23,13 @@ mkdir -p install_target
 echo "##########################################"
 echo "Building $make_version for $host_triplet"
 echo "##########################################"
-# By default, --export-dynamic is used which is not supported for PE binaries. 
-# Therefore override the LDFLAGS accordingly
-LDFLAGS='-Wl,--export-all-symbols -fstack-protector -lssp' mingw64-configure --without-guile
+mingw64-configure --without-guile LDFLAGS='-Wl,--no-insert-timestamp' CFLAGS='-frandom-seed=$@'
 mingw64-make && mv make.exe ./dist
+
 if [[ $? -eq 0 ]]
 then
-  echo "#######################################"
-  echo "Copying needed shared libraries to dist"
-  echo "#######################################"
-
-  copy_dependent_dlls ./dist/make.exe
-
   echo "################################"
-  echo "Build complete. Result in ./dist"
+  echo "Build complete. Result in ./$make_version/dist"
+  echo "SHA256 hash of the built binary: $(sha256sum ./dist/make.exe)"
   echo "################################"
 fi