From f637ab780b4a1bac970cb012e1a294b70bd71005 Mon Sep 17 00:00:00 2001
From: edouardparis
Date: Fri, 13 Dec 2024 11:14:13 +0100
Subject: [PATCH] fix reproducible dpkg-deb
---
 contrib/release/release.sh | 22 ++++++++++++++++------
 contrib/release/sign.sh | 19 +++++++++++++++++++-
 2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/contrib/release/release.sh b/contrib/release/release.sh
index 6d23d2477..fd4294fab 100755
--- a/contrib/release/release.sh
+++ b/contrib/release/release.sh
@@ -23,10 +23,21 @@ create_dir() {
 mkdir "$1"
 }
+
+
 # Determine the reference time used for determinism (overridable by environment)
-export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"
+export SOURCE_DATE_EPOCH="$(git -c log.showsignature=false log --format=%at -1)"
+export TZ=UTC
 export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --sort=name"
+zip_archive () {
+ local archive="$1"
+ shift
+ touch -d "@$SOURCE_DATE_EPOCH" "$@"
+ find "$@" -type f -exec touch -d "@$SOURCE_DATE_EPOCH" {} +
+ find "$@" -type f | sort | zip -r -oX "$archive" -@
+}
+
+
 # We'll use a folder for the builds output and another one for the final assets.
 RELEASE_DIR="$PWD/release_assets"
 BUILD_DIR="$PWD/release_build"
@@ -51,7 +62,7 @@ NIX_BUILD_DIR="$(nix path-info .#release)"
 cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md ./package/usr/bin/
 DIRNAME="liana_$VERSION-1_amd64"
 mv ./package "$DIRNAME"
- dpkg-deb -Zxz --build "$DIRNAME"
+ dpkg-deb -Zxz --build --root-owner-group "$DIRNAME"
 mv "$DIRNAME.deb" "$RELEASE_DIR"
 )
 
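Review bot: In the new `zip_archive`, `find "$@" -type f | sort` orders entries by the builder's locale collation, so two machines with different `LANG`/`LC_COLLATE` settings can list the same files in a different order and produce byte-different archives; use `find "$@" -type f | LC_ALL=C sort | zip -r -oX "$archive" -@`. The comment above `SOURCE_DATE_EPOCH` still says "overridable by environment", but the new assignment drops the `${SOURCE_DATE_EPOCH:-…}` fallback and overwrites whatever the caller exported, so either restore that form or reword the comment to say the timestamp is always taken from the last commit. Note also that `-type f` skips symlinks, so any symlink under the archived directory is silently left out of the zip.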
@@ -60,7 +71,7 @@ NIX_BUILD_DIR="$(nix path-info .#release)"
 cd "$BUILD_DIR"
 create_dir "$WINDOWS_DIR_NAME"
 cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
- zip -r "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
+ zip_archive "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
 mv "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
 cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
 )
@@ -76,11 +87,10 @@ NIX_BUILD_DIR="$(nix path-info .#release)"
 unzip ../contrib/release/macos/Liana.app.zip
 sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./Liana.app/Contents/Info.plist
 cp "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ./Liana.app/Contents/MacOS/Liana
- chmod u+w ./Liana.app/Contents/MacOS/Liana
- zip -ry "Liana-$VERSION-noncodesigned.zip" Liana.app
+ zip_archive "Liana-$VERSION-noncodesigned.zip" Liana.app
 mv "Liana-$VERSION-noncodesigned.zip" "$RELEASE_DIR/"
 )
 
-find "$RELEASE_DIR" -type f -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"
+find "$RELEASE_DIR" -type f ! -name "shasums.txt" -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"
 
 set +ex
diff --git a/contrib/release/sign.sh b/contrib/release/sign.sh
index 055bef8b4..4e876f774 100755
--- a/contrib/release/sign.sh
+++ b/contrib/release/sign.sh
@@ -26,6 +26,20 @@ absolute_path() {
 fi
 }
 
+# Determine the reference time used for determinism (overridable by environment)
+export SOURCE_DATE_EPOCH="$(git -c log.showsignature=false log --format=%at -1)"
+export TZ=UTC
+
+zip_archive () {
+ local archive="$1"
+ shift
+ touch -d "@$SOURCE_DATE_EPOCH" "$@"
+ find "$@" -type f -exec touch -d "@$SOURCE_DATE_EPOCH" {} +
+ zip -r -oX - "$@" > "$archive"
+}
+
+
+
 # Function to perform rcodesign signing
 sign_with_rcodesign() {
 # Ensure the correct number of arguments are provided
@@ -56,6 +70,8 @@ sign_with_rcodesign() {
 fi
 cd "$RELEASE_BUILD_DIR"
+ chmod u+w ./Liana.app/Contents/MacOS/Liana
+
 rcodesign sign \
 --digest sha256 \
 --code-signature-flags runtime \
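Review bot: The macOS archive was previously built with `zip -ry`, which stores symlinks as symlinks, while `zip_archive` now feeds `zip` a `find -type f` listing that excludes symlinks altogether, so any symlink inside `Liana.app` would vanish from the non-codesigned zip; confirm the bundle contains none, or extend the listing with `-o -type l` and pass `-y`. The `shasums.txt` line still hashes files in `find`'s filesystem-dependent order and records the absolute `$RELEASE_DIR` path (derived from `$PWD` earlier in this file), so the manifest differs between builders even when every asset matches; `(cd "$RELEASE_DIR" && find . -type f ! -name shasums.txt -exec sha256sum {} + | LC_ALL=C sort -k2) | tee "$RELEASE_DIR/shasums.txt"` gives a comparable, `sha256sum -c`-friendly manifest. The subshell that assembles Liana.app starts outside this hunk.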
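Review bot: This `zip_archive` is not the same helper as the one added to release.sh: `zip -r -oX - "$@"` walks the tree in directory-read order, which is not stable across filesystems, and it no longer passes `-y`, so any symlink in `Liana.app` is dereferenced and stored as a copy. If the signed archive is meant to be reproducible as well, reuse the release.sh form, `find "$@" -type f | LC_ALL=C sort | zip -r -oX "$archive" -@`, adding `-y` and `-o -type l` if the bundle carries symlinks. Keeping two diverging copies of the helper and of the `SOURCE_DATE_EPOCH`/`TZ` block invites drift; a small shared file sourced by both scripts would avoid it, and the "overridable by environment" comment is inaccurate here too since the assignment has no `${SOURCE_DATE_EPOCH:-…}` fallback.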
@@ -68,8 +84,9 @@ sign_with_rcodesign() {
 --api-key-path "$NOTARY_API_CREDS_FILE" \
 --staple Liana.app
- zip -ry "Liana-$VERSION.zip" Liana.app
+ zip_archive "Liana-$VERSION.zip" Liana.app
 mv "Liana-$VERSION.zip" "$RELEASE_DIR/"
+ sha256sum "$RELEASE_DIR/Liana-$VERSION.zip" | tee -a "$RELEASE_DIR/shasums.txt"
 }
 if [ "$#" -lt 1 ]; then
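Review bot: The appended checksum line records the absolute `$RELEASE_DIR/Liana-$VERSION.zip` path, so the entry embeds the signer's working directory and `sha256sum -c shasums.txt` only verifies from that exact location; `(cd "$RELEASE_DIR" && sha256sum "Liana-$VERSION.zip") | tee -a "$RELEASE_DIR/shasums.txt"` keeps the manifest relocatable (release.sh writes absolute paths too, so fix both together). Appending with `tee -a` also mutates a file release.sh already produced, so if `shasums.txt` is signed or published before the signing step runs, those signatures would no longer match — worth confirming the order of operations in the release procedure. `sign_with_rcodesign` begins outside this hunk.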