fix: make repo images reproducible

yaochao · yaochao · commit 9a8575060efa · 2026-04-04T19:47:20.000+08:00
diff --git a/images/hdc-0.12.img.xz b/images/hdc-0.12.img.xz
diff --git a/images/manifest.json b/images/manifest.json
@@ -5,8 +5,8 @@
       "size": 196769
     },
     "hdc-0.12.img.xz": {
-      "sha256": "8ac159be9cec2ab3fd1625fc725f0caedfaff47a7b0583229485128d22b6a670",
-      "size": 11692
+      "sha256": "d2c72fd2f4d58d8740e95480e2c4154ea9b61b09de5b23eeab3cf8dbf2ecfceb",
+      "size": 11676
     }
   },
   "download_base_url": "https://github.com/yaochao/linux-012/releases/download/v1.0.0",
diff --git a/rebuild/container/build_images.sh b/rebuild/container/build_images.sh
@@ -20,7 +20,10 @@ ROOTFS_TAR="$CONTAINER_WORK_ROOT/rootfs.tar"
 STAGING_DIR="$CONTAINER_WORK_ROOT/rootfs"
 USERLAND_BUILD="$CONTAINER_WORK_ROOT/userland"
 ROOT_PARTITION_IMAGE="$CONTAINER_WORK_ROOT/rootfs.img"
+REFERENCE_TIMESTAMP="$CONTAINER_WORK_ROOT/rootfs.timestamp"
 export LIBGUESTFS_BACKEND=direct
+export LC_ALL=C
+export TZ=UTC
 
 cleanup() {
     rm -rf "$CONTAINER_WORK_ROOT"
@@ -68,6 +71,7 @@ chmod 755 "$STAGING_DIR/bin/sh" "$STAGING_DIR/bin/ls"
 
 truncate -s 62447616 "$DISK_IMAGE"
 sfdisk "$DISK_IMAGE" < "$ROOTFS_DIR/layout.sfdisk" >>"$BUILD_LOG" 2>&1
+printf '\0\0\0\0' | dd of="$DISK_IMAGE" bs=1 seek=440 conv=notrunc >>"$BUILD_LOG" 2>&1
 ROOT_PARTITION_SECTORS=$(awk -F'[=, ]+' '/size=/{for (i = 1; i <= NF; i++) if ($i == "size") {print $(i + 1); exit}}' "$ROOTFS_DIR/layout.sfdisk")
 [ -n "$ROOT_PARTITION_SECTORS" ]
 truncate -s "$((ROOT_PARTITION_SECTORS * 512))" "$ROOT_PARTITION_IMAGE"
@@ -81,7 +85,10 @@ while IFS=' ' read -r kind mode major minor relative_path; do
     chmod "$mode" "$STAGING_DIR/$relative_path"
 done < "$DEVICES_FILE"
 
-tar -C "$STAGING_DIR" -cpf "$ROOTFS_TAR" . >>"$BUILD_LOG" 2>&1
+touch -t 199301010000.00 "$REFERENCE_TIMESTAMP"
+find "$STAGING_DIR" -exec touch -h -r "$REFERENCE_TIMESTAMP" {} +
+tar --sort=name --mtime="1993-01-01 00:00:00Z" --owner=0 --group=0 --numeric-owner \
+    -C "$STAGING_DIR" -cpf "$ROOTFS_TAR" . >>"$BUILD_LOG" 2>&1
 
 guestfish --format=raw -a "$ROOT_PARTITION_IMAGE" >>"$BUILD_LOG" 2>&1 <<EOF
 run
diff --git a/tests/test_rebuild_driver.py b/tests/test_rebuild_driver.py
@@ -262,6 +262,17 @@ def test_build_script_stages_rootfs_inside_container_workdir_for_device_nodes(se
         self.assertIn('STAGING_DIR="$CONTAINER_WORK_ROOT/rootfs"', text)
         self.assertIn('USERLAND_BUILD="$CONTAINER_WORK_ROOT/userland"', text)
 
+    def test_build_script_normalizes_rootfs_metadata_for_reproducible_images(self) -> None:
+        root = pathlib.Path(__file__).resolve().parents[1]
+        text = (root / "rebuild" / "container" / "build_images.sh").read_text()
+
+        self.assertIn('REFERENCE_TIMESTAMP="$CONTAINER_WORK_ROOT/rootfs.timestamp"', text)
+        self.assertIn('touch -t 199301010000.00 "$REFERENCE_TIMESTAMP"', text)
+        self.assertIn('find "$STAGING_DIR" -exec touch -h -r "$REFERENCE_TIMESTAMP" {} +', text)
+        self.assertIn('tar --sort=name --mtime="1993-01-01 00:00:00Z"', text)
+        self.assertIn('--owner=0 --group=0 --numeric-owner', text)
+        self.assertIn('printf \'\\0\\0\\0\\0\' | dd of="$DISK_IMAGE" bs=1 seek=440 conv=notrunc', text)
+
     def test_dockerfile_installs_multilib_userland_build_dependencies(self) -> None:
         root = pathlib.Path(__file__).resolve().parents[1]
         text = (root / "rebuild" / "Dockerfile").read_text()
