From cd87d3eb612d5bc8a660a19e7a7bb9e1bf5c252b Mon Sep 17 00:00:00 2001
From: Robin Candau
Date: Mon, 30 Mar 2026 13:14:59 +0200
Subject: [PATCH] WIP
---
 .gitlab-ci.yml | 6 ++++++
 Makefile | 9 ++++++++-
 scripts/make-repro-image.sh | 17 +++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100755 scripts/make-repro-image.sh
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a1f7a4a..ca46fce 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -122,6 +122,9 @@ image:build:
 - pacman -Syu --noconfirm podman
 - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
 - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
+ artifacts:
+ paths:
+ - output/*
 image:build:secure:
 extends: .image
@@ -137,6 +140,9 @@ image:build:secure:
 - pacman -Syu --noconfirm podman
 - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
 - 'echo -e "default-docker:\n use-sigstore-attachments: true" > /etc/containers/registries.d/sigstore.yaml'
+ artifacts:
+ paths:
+ - output/*
 # Build and publish to the Arch Linux group namespaces:
 # https://hub.docker.com/r/archlinux/archlinux
diff --git a/Makefile b/Makefile
index 482707d..7304954 100644
--- a/Makefile
+++ b/Makefile
@@ -1,12 +1,14 @@
 OCITOOL=podman # or docker
 BUILDDIR=$(shell pwd)/build
+REPRO_BUILDDIR=$(shell pwd)/repro-build
 OUTPUTDIR=$(shell pwd)/output
+REPRO_OUTPUTDIR=$(shell pwd)/repro-output
 ARCHIVE_SNAPSHOT=$(shell date -d "-1 day" +"%Y/%m/%d")
 SOURCE_DATE_EPOCH=$(shell date -u -d "$(echo "$ARCHIVE_SNAPSHOT")" +"%s")
 .PHONY: clean
 clean:
- rm -rf $(BUILDDIR) $(OUTPUTDIR)
+ rm -rf $(BUILDDIR) $(REPRO_BUILDDIR) $(OUTPUTDIR) $(REPRO_OUTPUTDIR)
 .PRECIOUS: $(OUTPUTDIR)/%.tar.zst
 $(OUTPUTDIR)/%.tar.zst:
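Review bot: The new `artifacts:` block in `image:build` sets no `expire_in`, and the identical block added to `image:build:secure` has the same gap, so everything matching `output/*` is kept for whatever the instance default retention is. If these files are meant to be the reference that a later reproducibility check compares against, I would make the retention explicit with a line such as `expire_in: 1 week` under `artifacts:` and add a comment like `# original build output, kept as the reference for the repro comparison`. Both job bodies start above their hunks, so I cannot see whether an `artifacts:` section is already inherited and would be overridden here.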
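Review bot: `ARCHIVE_SNAPSHOT` and `SOURCE_DATE_EPOCH`, which the new `repro` target hands to the rebuild, are recomputed from the clock on every make run, so a rebuild started on a later day than the original would pin a different snapshot and timestamp and could not match. For a meaningful comparison the two values should be taken from the original build, for example recorded next to the image in `$(OUTPUTDIR)`, rather than derived again. Separately, `$(echo "$ARCHIVE_SNAPSHOT")` in the `SOURCE_DATE_EPOCH` line looks like it is expanded by make rather than by the shell, which would leave `date -u -d ""`; `$(shell date -u -d "$(ARCHIVE_SNAPSHOT)" +"%s")` is probably what was intended. That line is unchanged context in this hunk, but the new target depends on it.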
@@ -16,6 +18,11 @@ $(OUTPUTDIR)/%.tar.zst:
 $(OUTPUTDIR)/Dockerfile.%: $(OUTPUTDIR)/%.tar.zst
 scripts/make-dockerfile.sh "$(*).tar.zst" $(*) $(OUTPUTDIR) "true" "Dev"
+# The following aims to rebuild a "repro" tagged image and verify the reproducibility status
+
+repro:
+ scripts/make-repro.sh $(*) $(OUTPUTDIR) $(REPRO_BUILDDIR) $(REPRO_OUTPUTDIR) $(ARCHIVE_SNAPSHOT) $(SOURCE_DATE_EPOCH)
+
 # The following is for local builds only, it is not used by the CI/CD pipeline
 all: image-base image-base-devel image-multilib-devel image-repro
diff --git a/scripts/make-repro-image.sh b/scripts/make-repro-image.sh
new file mode 100755
index 0000000..6a07da6
--- /dev/null
+++ b/scripts/make-repro-image.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -r ORIG_OUTPUTDIR="$1"
+declare -r REPRO_BUILDDIR="$2"
+declare -r REPRO_OUTPUTDIR="$3"
+declare -r ARCHIVE_SNAPSHOT="$4"
+declare -rx SOURCE_DATE_EPOCH="$5"
+
+echo -e "\n-- Testing the image reproducibility --\n"
+make BUILDDIR="$REPRO_BUILDDIR" OUTPUTDIR="$REPRO_OUTPUTDIR" ARCHIVE_SNAPSHOT="$ARCHIVE_SNAPSHOT" SOURCE_DATE_EPOCH="$SOURCE_DATE_EPOCH"
+echo "The sha256 hash of the original image is:"
+sha256sums "$ORIG_OUTPUTDIR/"
+echo "The sha256 hash of the reproduced image is:"
+sha256sums "$REPRO_OUTPUTDIR/"
+diffoscope "$ORIG_OUTPUTDIR/" "$REPRO_OUTPUTDIR/" && echo -e "\nImage is reproducible!"
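Review bot: The `repro` recipe calls `scripts/make-repro.sh`, but the script this patch creates is `scripts/make-repro-image.sh`, so the target cannot run as written. It also passes `$(*)` first, which is empty outside a pattern rule; the remaining five words line up with the script's `$1` to `$5` only because the empty word vanishes when unquoted. I would write the recipe as `scripts/make-repro-image.sh "$(OUTPUTDIR)" "$(REPRO_BUILDDIR)" "$(REPRO_OUTPUTDIR)" "$(ARCHIVE_SNAPSHOT)" "$(SOURCE_DATE_EPOCH)"`. I would also add `.PHONY: repro`, since `clean` is the only target declared phony in the visible part of the Makefile.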
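Review bot: `sha256sums` is not the coreutils command name (`sha256sum`) and it is given a directory, so under `set -e` the script stops at the first hash line and the `diffoscope` comparison never runs. Hashing the archives themselves would work, e.g. `sha256sum "$ORIG_OUTPUTDIR"/*.tar.zst` and `sha256sum "$REPRO_OUTPUTDIR"/*.tar.zst`. The bare `make …` line builds the default goal, and the first rule in the visible part of the Makefile is `clean`, so unless a default goal is set outside the hunks the rebuild would produce nothing to compare; naming the goal explicitly avoids depending on that. The pass/fail result also relies on the `diffoscope … && echo` list being the last command, because `set -e` does not abort on a failure to the left of `&&`; a comment such as `# must stay last: its exit status is the verdict` or an explicit `if ! diffoscope …; then exit 1; fi` would keep the check failing closed if lines are appended later.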