
Ensure reproducible builds on Linux (#1731)

* ensure reproducible builds

* improve patch

* improve patch

* Narrow reproducibility scope to legacy and DEB

Keep the verified Linux legacy Makefile and DEB reproducibility paths, but remove the unverified RPM/openSUSE timestamp changes and AppImage reproducibility behavior from this PR.

The CPack mtime/mode clamp is now installed only for Debian/Ubuntu packaging, matching the scope covered by the provided reproducibility logs.

Retain umask 022 in the RPM/openSUSE wrappers so staged package permissions do not depend on a restrictive caller umask.

* Harden reproducible build cleanup

Validate SOURCE_DATE_EPOCH before interpolating it into Make, CMake or shell packaging paths.

Refuse live DESTDIR values in the CPack mtime clamp and pass makeself options through normal argv construction instead of eval.

---------

Co-authored-by: curious-rabbit <curious-rabbit@local>
Co-authored-by: Mounir IDRASSI <mounir.idrassi@amcrypto.jp>
This commit is contained in:
curious-rabbit
2026-05-18 13:54:13 +02:00
committed by GitHub
parent 8b1c668b77
commit 9535e65bd8
9 changed files with 402 additions and 6 deletions
+13 -2
@@ -119,7 +119,18 @@ TR_SED_BIN := tr '\n' ' ' | tr -s ' ' ',' | sed -e 's/^,//g' -e 's/,$$/n/' | tr
-include $(OBJS:.o=.d) $(OBJSEX:.oo=.d) $(OBJSNOOPT:.o0=.d) $(OBJSHANI:.oshani=.d) $(OBJAESNI:.oaesni=.d) $(OBJSSSE41:.osse41=.d) $(OBJSSSSE3:.ossse3=.d) $(OBJSAVX2:.oavx2=.d) $(OBJARMV8CRYPTO:.oarmv8crypto=.d)
# Deterministic static library: the 'D' modifier zeroes member mtime/uid/gid
# and 'ranlib -D' writes a deterministic index. Both are probed functionally
# (running them on a throwaway archive) rather than by parsing --help, whose
# wording varies between binutils versions. Very old binutils that lack the
# feature simply falls back to a normal, still-correct archive.
# Probe also covers BSD ar / macOS libtool ar (neither supports -D): both
# variables come out empty there and the original ar/ranlib calls are used.
AR_DETERMINISTIC := $(shell t=$$(mktemp); rm -f $$t.a; $(AR) Drc $$t.a $$t >/dev/null 2>&1 && echo D; rm -f $$t $$t.a)
RANLIB_DETERMINISTIC := $(shell t=$$(mktemp); rm -f $$t.a; $(AR) rc $$t.a $$t >/dev/null 2>&1; $(RANLIB) -D $$t.a >/dev/null 2>&1 && echo -D; rm -f $$t $$t.a)
$(NAME).a: $(OBJS) $(OBJSEX) $(OBJSNOOPT) $(OBJSHANI) $(OBJAESNI) $(OBJSSSE41) $(OBJSSSSE3) $(OBJSAVX2) $(OBJARMV8CRYPTO)
@echo Updating library $@
$(AR) $(AFLAGS) -rc $@ $(OBJS) $(OBJSEX) $(OBJSNOOPT) $(OBJSHANI) $(OBJAESNI) $(OBJSSSE41) $(OBJSSSSE3) $(OBJSAVX2) $(OBJARMV8CRYPTO)
$(RANLIB) $@
rm -f $@
$(AR) $(AFLAGS) $(AR_DETERMINISTIC)rc $@ $(OBJS) $(OBJSEX) $(OBJSNOOPT) $(OBJSHANI) $(OBJAESNI) $(OBJSSSE41) $(OBJSSSSE3) $(OBJSAVX2) $(OBJARMV8CRYPTO)
$(RANLIB) $(RANLIB_DETERMINISTIC) $@