From 67209f36152af2386c72612d04c1204282491d74 Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Sun, 18 Aug 2024 04:56:14 +0900
Subject: [PATCH] Set rewrite-timestamp=true

Part of docker-library/official-images issue 16044

This exporter option rewrites the timestamps of the files inside image layers
to use $SOURCE_DATE_EPOCH so as to increase reproducibility.

https://github.com/moby/buildkit/blob/v0.15.2/docs/build-repro.md#source_date_epoch

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
 .test/meta-commands/out.sh | 2 +-
 helpers/oci-sbom.sh        | 2 +-
 meta.jq                    | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh
index bdc4008..a63a3a9 100644
--- a/.test/meta-commands/out.sh
+++ b/.test/meta-commands/out.sh
@@ -6,7 +6,7 @@
 SOURCE_DATE_EPOCH=1700741054 \
 	docker buildx build --progress=plain \
 	--provenance=mode=max,builder-id='https://github.com/docker-library' \
-	--output '"type=oci","dest=temp.tar"' \
+	--output '"type=oci","dest=temp.tar","rewrite-timestamp=true"' \
 	--annotation 'org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \
 	--annotation 'org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \
 	--annotation 'org.opencontainers.image.created=2023-11-23T12:04:14Z' \
diff --git a/helpers/oci-sbom.sh b/helpers/oci-sbom.sh
index 51eea2b..b3f5314 100755
--- a/helpers/oci-sbom.sh
+++ b/helpers/oci-sbom.sh
@@ -76,7 +76,7 @@ args=(
 	--load=false --provenance=false # explicitly disable a few features we want to avoid
 	--build-arg BUILDKIT_DOCKERFILE_CHECK=skip=all # disable linting (https://github.com/moby/buildkit/pull/4962)
 	--sbom=generator="$BASHBREW_BUILDKIT_SBOM_GENERATOR"
-	--output "type=oci,tar=false,dest=."
+	--output "type=oci,tar=false,dest=.,rewrite-timestamps=true"
 	# TODO also add appropriate "--tag" lines (which would give us a mostly correct "subject" block in the generated SBOM, but we'd then need to replace instances of $sbomImageManifest with $imageManifest for their values to be correct)
 	--platform "$platform"
 	--build-context "fake=oci-layout://$input@$imageManifest"
diff --git a/meta.jq b/meta.jq
index bb1c2d9..e7fd7b0 100644
--- a/meta.jq
+++ b/meta.jq
@@ -149,6 +149,7 @@ def build_command:
 						[
 							"type=oci",
 							"dest=temp.tar",
+							"rewrite-timestamp=true",
 							empty
 						]
 						| @csv