feat: deterministic builds
Use SOURCE_DATE_EPOCH, explicit timestamp setting, and the cpio
--reproducible flag in order to get hash-for-hash identical builds
across multiple systems.

Signed-off-by: Lance R. Vick <lance@lrvick.net>
lrvick committed Apr 30, 2021
1 parent e480fed commit a2bb390
Showing 1 changed file with 21 additions and 2 deletions.
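--- a/Dockerfile
+++ b/Dockerfile
@@ -119,6 +119,7 @@ ARG CGO_ENABLED
 ENV CGO_ENABLED ${CGO_ENABLED}
 ENV GOCACHE /.cache/go-build
 ENV GOMODCACHE /.cache/mod
+ENV SOURCE_DATE_EPOCH=0
 WORKDIR /src
 
 # The build-go target creates a container to build Go code with Go modules downloaded and verified.
@@ -389,9 +390,13 @@ RUN ln -s /etc/ssl /rootfs/etc/ca-certificates
 FROM rootfs-base-${TARGETARCH} AS rootfs-base
 
 FROM rootfs-base-arm64 AS rootfs-squashfs-arm64
+RUN find /rootfs -print0 \
+| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
 RUN mksquashfs /rootfs /rootfs.sqsh -all-root -noappend -comp xz -Xdict-size 100% -no-progress
 
 FROM rootfs-base-amd64 AS rootfs-squashfs-amd64
+RUN find /rootfs -print0 \
+| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
 RUN mksquashfs /rootfs /rootfs.sqsh -all-root -noappend -comp xz -Xdict-size 100% -no-progress
 
 FROM scratch AS squashfs-arm64
@@ -409,13 +414,27 @@ FROM build AS initramfs-archive-arm64
 WORKDIR /initramfs
 COPY --from=squashfs-arm64 /rootfs.sqsh .
 COPY --from=init-build-arm64 /init .
-RUN set -o pipefail && find . 2>/dev/null | cpio -H newc -o | xz -v -C crc32 -0 -e -T 0 -z >/initramfs.xz
+RUN find . -print0 \
+| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+RUN set -o pipefail \
+&& find . 2>/dev/null \
+| LC_ALL=c sort \
+| cpio --reproducible -H newc -o \
+| xz -v -C crc32 -0 -e -T 0 -z \
+> /initramfs.xz
 
 FROM build AS initramfs-archive-amd64
 WORKDIR /initramfs
 COPY --from=squashfs-amd64 /rootfs.sqsh .
 COPY --from=init-build-amd64 /init .
-RUN set -o pipefail && find . 2>/dev/null | cpio -H newc -o | xz -v -C crc32 -0 -e -T 0 -z >/initramfs.xz
+RUN find . -print0 \
+| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
+RUN set -o pipefail \
+&& find . 2>/dev/null \
+| LC_ALL=c sort \
+| cpio --reproducible -H newc -o \
+| xz -v -C crc32 -0 -e -T 0 -z \
+> /initramfs.xz
 
 FROM initramfs-archive-${TARGETARCH} AS initramfs-archive
 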
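Review bot: The `xz ... -T 0` flag carried into the new initramfs pipelines (both the arm64 and amd64 `initramfs-archive-*` stages) lets xz pick its thread count from the build host, and in some xz releases that decides between single-threaded and multi-threaded encoding, which do not produce the same stream. That works against the hash-for-hash goal stated in the commit message, so a fixed value such as `-T 1` would be safer. In the same pipelines `LC_ALL=c sort` spells the locale in lowercase; the POSIX locale is `C`, and the lowercase form presumably only works because an unknown locale falls back to it, so `LC_ALL=C sort` states the intent. The new `find ... | xargs -0r touch` steps run without `set -o pipefail`, so a failing `find` would leave timestamps only partly normalised without failing the build; prefixing them with `set -o pipefail &&`, as the cpio step does, would surface that.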
