fix reproducible dpkg-deb

2024-12-13 11:14:13 +01:00 · 2024-12-13 11:14:13 +01:00 · 6b4e7b0521
commit 6b4e7b0521
parent cc083f9be6
2 changed files with 34 additions and 7 deletions
--- a/contrib/release/release.sh
+++ b/contrib/release/release.sh
@ -23,10 +23,21 @@ create_dir() {
    mkdir "$1"
 }

+
+
 # Determine the reference time used for determinism (overridable by environment)
-export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-$(git -c log.showSignature=false log --format=%at -1)}"
+export SOURCE_DATE_EPOCH="$(git -c log.showsignature=false log --format=%at -1)"
+export TZ=UTC
 export TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --sort=name"

+zip_archive () {
+    local archive="$1"
+    shift
+    touch -d "@$SOURCE_DATE_EPOCH" "$@"
+    find "$@" -type f -exec touch -d "@$SOURCE_DATE_EPOCH" {} +
+    find "$@" -type f | sort | zip -oX "$archive" -@
+}
+
 # We'll use a folder for the builds output and another one for the final assets.
 RELEASE_DIR="$PWD/release_assets"
 BUILD_DIR="$PWD/release_build"
@ -51,7 +62,7 @@ NIX_BUILD_DIR="$(nix path-info .#release)"
    cp "$BUILD_DIR/x86_64-unknown-linux-gnu/release/lianad" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-cli" "$BUILD_DIR/x86_64-unknown-linux-gnu/release/liana-gui" ../README.md ./package/usr/bin/
    DIRNAME="liana_$VERSION-1_amd64"
    mv ./package "$DIRNAME"
-    dpkg-deb -Zxz --build "$DIRNAME"
+    dpkg-deb -Zxz --build --root-owner-group "$DIRNAME"
    mv "$DIRNAME.deb" "$RELEASE_DIR"
 )

@ -60,7 +71,7 @@ NIX_BUILD_DIR="$(nix path-info .#release)"
    cd "$BUILD_DIR"
    create_dir "$WINDOWS_DIR_NAME"
    cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" ../README.md "$WINDOWS_DIR_NAME"
-    zip -r "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
+    zip_archive "$WINDOWS_ARCHIVE" "$WINDOWS_DIR_NAME"
    mv "$WINDOWS_ARCHIVE" "$RELEASE_DIR"
    cp "$NIX_BUILD_DIR/x86_64-pc-windows-gnu/liana-gui.exe" "$RELEASE_DIR/$LIANA_PREFIX.exe"
 )
@ -76,11 +87,10 @@ NIX_BUILD_DIR="$(nix path-info .#release)"
    unzip ../contrib/release/macos/Liana.app.zip
    sed -i "s/VERSION_PLACEHOLDER/$VERSION/g" ./Liana.app/Contents/Info.plist
    cp "$NIX_BUILD_DIR/x86_64-apple-darwin/liana-gui" ./Liana.app/Contents/MacOS/Liana
-    chmod u+w ./Liana.app/Contents/MacOS/Liana
-    zip -ry "Liana-$VERSION-noncodesigned.zip" Liana.app
+    zip_archive "Liana-$VERSION-noncodesigned.zip" Liana.app
    mv "Liana-$VERSION-noncodesigned.zip" "$RELEASE_DIR/"
 )

-find "$RELEASE_DIR" -type f -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"
+find "$RELEASE_DIR" -type f ! -name "shasums.txt" -exec sha256sum {} + | tee "$RELEASE_DIR/shasums.txt"

 set +ex
--- a/contrib/release/sign.sh
+++ b/contrib/release/sign.sh
@ -26,6 +26,20 @@ absolute_path() {
    fi
 }

+# Determine the reference time used for determinism (overridable by environment)
+export SOURCE_DATE_EPOCH="$(git -c log.showsignature=false log --format=%at -1)"
+export TZ=UTC
+
+zip_archive () {
+    local archive="$1"
+    shift
+    touch -d "@$SOURCE_DATE_EPOCH" "$@"
+    find "$@" -type f -exec touch -d "@$SOURCE_DATE_EPOCH" {} +
+    zip -r -oX - "$@" > "$archive"
+}
+
+
+
 # Function to perform rcodesign signing
 sign_with_rcodesign() {
    # Ensure the correct number of arguments are provided
@ -56,6 +70,8 @@ sign_with_rcodesign() {
    fi

    cd "$RELEASE_BUILD_DIR"
+    chmod u+w ./Liana.app/Contents/MacOS/Liana
+
    rcodesign sign \
        --digest sha256 \
        --code-signature-flags runtime \
@ -68,8 +84,9 @@ sign_with_rcodesign() {
        --api-key-path "$NOTARY_API_CREDS_FILE" \
        --staple Liana.app

-    zip -ry "Liana-$VERSION.zip" Liana.app
+    zip_archive "Liana-$VERSION.zip" Liana.app
    mv "Liana-$VERSION.zip" "$RELEASE_DIR/"
+    sha256sum "$RELEASE_DIR/Liana-$VERSION.zip" | tee -a "$RELEASE_DIR/shasums.txt"
 }

 if [ "$#" -lt 1 ]; then