Ensure reproducible builds on Linux (#1731)

mirror of https://github.com/veracrypt/VeraCrypt.git synced 2026-06-18 02:26:07 -05:00

* ensure reproducible builds

* improve patch

* improve patch

* Narrow reproducibility scope to legacy and DEB

Keep the verified Linux legacy Makefile and DEB reproducibility paths, but remove the unverified RPM/openSUSE timestamp changes and AppImage reproducibility behavior from this PR.

The CPack mtime/mode clamp is now installed only for Debian/Ubuntu packaging, matching the scope covered by the provided reproducibility logs.

Retain umask 022 in the RPM/openSUSE wrappers so staged package permissions do not depend on a restrictive caller umask.

* Harden reproducible build cleanup

Validate SOURCE_DATE_EPOCH before interpolating it into Make, CMake or shell packaging paths.

Refuse live DESTDIR values in the CPack mtime clamp and pass makeself options through normal argv construction instead of eval.

---------

Co-authored-by: curious-rabbit <curious-rabbit@local>
Co-authored-by: Mounir IDRASSI <mounir.idrassi@amcrypto.jp>

This commit is contained in:

curious-rabbit

2026-05-18 13:54:13 +02:00

committed by

GitHub

parent 8b1c668b77

commit 9535e65bd8

9 changed files with 402 additions and 6 deletions

									
										src/Build/build_cmake_rpm.sh
									
		+3
		
												View File
												
				@@ -9,6 +9,9 @@

				# Errors should cause script to exit

				set -e

				# Keep staged RPM payload permissions independent of the caller's umask.

				umask 022

				# Absolute path to this script

				export SCRIPT=$(readlink -f "$0")

				# Absolute path this script is in