Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make goreleaser archives reproducible #6299

Merged
merged 1 commit into from
Dec 23, 2024
Merged

Make goreleaser archives reproducible #6299

merged 1 commit into from
Dec 23, 2024

Conversation

alexbozhenko
Copy link
Contributor

@alexbozhenko alexbozhenko commented Dec 23, 2024
edited
Loading

Use commit time in mod_timestamp, as documented in:
https://goreleaser.com/customization/builds/#reproducible-builds
https://goreleaser.com/blog/reproducible-builds/
https://goreleaser.com/customization/templates/?h=templates#common-fields

Test plan:

Before.

Build two times:

goreleaser release --snapshot --clean -f .goreleaser.yml
mv dist/ ~/tmp/dist_before
goreleaser release --snapshot --clean -f .goreleaser.yml 
vimdiff dist/SHA256SUMS ~/tmp/dist_before/SHA256SUMS

Observe all the shasums are different:
image

After:

Do the build two times,

goreleaser release --snapshot --clean -f .goreleaser.yml
mv dist/ ~/tmp/dist_after
goreleaser release --snapshot --clean -f .goreleaser.yml 
vimdiff dist/SHA256SUMS ~/tmp/dist_after/SHA256SUMS

Observe that only rpm and deb packages are different
image

There was a feature added to goreleaser to make packages reproducible too, but I haven't figured out how to use it yet:
goreleaser/nfpm#748
I asked in Discord. We can tackle that separately

Signed-off-by: Alex Bozhenko [email protected]

@alexbozhenko alexbozhenko force-pushed the goreleaser_reproducible branch from a6e8d60 to 48d31ed Compare December 23, 2024 20:04
@alexbozhenko alexbozhenko force-pushed the goreleaser_reproducible branch from 48d31ed to 7751bc9 Compare December 23, 2024 20:06
@alexbozhenko alexbozhenko changed the title use commit time in mod_timestamp Make goreleaser archives reproducible Dec 23, 2024
@alexbozhenko alexbozhenko marked this pull request as ready for review December 23, 2024 20:15
@alexbozhenko alexbozhenko requested a review from a team as a code owner December 23, 2024 20:15
wallyqs
wallyqs approved these changes Dec 23, 2024
View reviewed changes
Copy link
Member

@wallyqs wallyqs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, the binary is already reproducible but this would make the tarballs from the release reproducible as well.

@derekcollison derekcollison merged commit c4b778c into nats-io:main Dec 23, 2024
2 checks passed
@alexbozhenko alexbozhenko mentioned this pull request Jan 10, 2025
Merged
derekcollison added a commit that referenced this pull request Jan 23, 2025
@derekcollison
[v2.11] Make RPMs and DEBs reproducible (#6359)
dec670a 
Similar to #6299
Make packages set mtime to `commitdate`.

Upgrade goreleaser to the latest 2.6.1, which includes the feature used
in this PR: goreleaser/goreleaser#5392

```
go install github.com/goreleaser/goreleaser/[email protected]
goreleaser release --snapshot --clean -f .goreleaser.yml
mv dist/ ~/tmp/dist_before
goreleaser release --snapshot --clean -f .goreleaser.yml 

# now, all the artifacts of the two builds are exactly the same. Only sbom files are different(because those include timestamps)
vimdiff dist/SHA256SUMS ~/tmp/dist_before/SHA256SUMS
```

![image](https://github.com/user-attachments/assets/6ca9bc37-301a-4cda-b4ab-4d724762a31c)



Signed-off-by: Alex Bozhenko <[email protected]>
@alexbozhenko alexbozhenko mentioned this pull request Jan 29, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wallyqs wallyqs wallyqs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alexbozhenko @wallyqs @derekcollison