mirror of https://github.com/veracrypt/VeraCrypt.git synced 2026-06-19 02:56:07 -05:00

Build: extend reproducible packaging to RPM

Run the install(SCRIPT) mtime/mode clamp for every CPack generator instead of
only the DEB branch, so the RPM payload staging tree is normalised the same way
before rpmbuild sees it. Payload file timestamps and permissions are therefore
reproducible on any rpm version.

For the RPM header, set the spec %defines that pin BuildTime to
SOURCE_DATE_EPOCH (use_source_date_epoch_as_buildtime, which consumes the
exported environment variable) and BuildHost to a fixed value (_buildhost), and
clamp payload mtimes through both the legacy clamp_mtime_to_source_date_epoch
macro and its modern build_mtime_policy replacement. source_date_epoch_from_changelog
is disabled so CPack's placeholder changelog date cannot hijack the epoch.

These macros only exist on rpm >= 4.14 (buildtime/mtime) and >= 4.18
(buildhost). To make the two header fields reproducible on older rpm as well
(CentOS/RHEL 7, rpm < 4.14), add a small libc-interposition shim
(Build/Tools/repro_buildstamp.c) that pins time() and the build hostname,
LD_PRELOAD'ed onto cpack's rpmbuild child by the RPM packaging wrappers. The
shim calls the real uname() and overwrites only nodename, leaving architecture
detection intact, never overrides monotonic clocks, and defers to the real
time() when SOURCE_DATE_EPOCH is unset so a missing epoch is a no-op rather than
a frozen 1970 clock. It is enabled only after it compiles and loads cleanly;
otherwise packaging proceeds without it, because a preload that fails to load
would emit an ld.so error that rpm's check-buildroot script turns into a fatal
%install error.

Derive and export SOURCE_DATE_EPOCH in the rpm and openSUSE wrappers the same
way the deb wrapper already does, mark both wrappers executable, and note in the
README that .deb and .rpm packages are reproducible including on older rpm.
Mounir IDRASSI
2026-06-06 09:54:32 +09:00
parent f77d0c0760
commit e349c76686
7 changed files with 259 additions and 30 deletions
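The libc-interposition approach the commit message describes can be sketched as below. This is an added example, not the contents of Build/Tools/repro_buildstamp.c. It assumes Linux, uses a constructed `FIXED_BUILDHOST` value, and reaches the real clock and kernel uname through `clock_gettime()` and `syscall(SYS_uname)`, which the project's shim may do differently.

```c
/* Added illustration, not VeraCrypt's repro_buildstamp.c; load via LD_PRELOAD. */
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <time.h>
#include <unistd.h>

#define FIXED_BUILDHOST "reproducible" /* constructed placeholder value */

/* Return 0 and set *out only for a clean, non-negative decimal epoch. */
static int epoch_from_env(time_t *out)
{
    const char *s = getenv("SOURCE_DATE_EPOCH");
    char *end = NULL;
    long long v;
    if (s == NULL || *s == '\0')
        return -1;
    v = strtoll(s, &end, 10);
    if (*end != '\0' || v < 0)
        return -1;
    *out = (time_t)v;
    return 0;
}

/* Interposed time(): pinned when the epoch is valid, wall clock otherwise. */
time_t time(time_t *tloc)
{
    time_t now;
    struct timespec ts;
    if (epoch_from_env(&now) != 0) { /* no usable epoch: stay a no-op */
        clock_gettime(CLOCK_REALTIME, &ts);
        now = ts.tv_sec;
    }
    if (tloc != NULL)
        *tloc = now;
    return now;
}

/* Interposed uname(): kernel answer kept, only nodename overwritten. */
int uname(struct utsname *buf)
{
    if (syscall(SYS_uname, buf) != 0)
        return -1;
    memset(buf->nodename, 0, sizeof buf->nodename);
    strncpy(buf->nodename, FIXED_BUILDHOST, sizeof buf->nodename - 1);
    return 0;
}
```

Built with `cc -shared -fPIC`, the object is loaded through LD_PRELOAD; `clock_gettime()` itself is not interposed, so monotonic and real-time clock reads by the build are unaffected.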
+4 -7
@@ -459,12 +459,12 @@ endif
# Normalise modification times of every staged file. cp preserves the
# checkout-time mtimes of the source tree, which would otherwise leak
# into the tar/makeself archives and break reproducibility.
# Only run when GNU touch supports the option set. Keep AppImage
# outside this narrowed reproducibility scope: appimagetool is not
# verified here, so do not pre-clamp veracrypt.AppDir for that target.
# Only run when GNU touch supports the option set. AppImage staging is
# clamped too; appimagetool honours SOURCE_DATE_EPOCH for its SquashFS
# metadata, and the AppDir input should not leak checkout/build mtimes.
ifeq "$(TOUCH_REPRODUCIBLE)" "yes"
_appdir="$(BASE_DIR)/Setup/Linux/veracrypt.AppDir"; \
if [ -n "$(filter appimage,$(MAKECMDGOALS))" ] || [ ! -d "$$_appdir" ]; then \
if [ ! -d "$$_appdir" ]; then \
_appdir=""; \
fi; \
find $(BASE_DIR)/Setup/Linux/usr $$_appdir \
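Review bot: the rewritten comment asserts that appimagetool honours SOURCE_DATE_EPOCH for its SquashFS metadata, while the comment it replaces said appimagetool "is not verified here", and nothing in this hunk adds that verification. Since the appimage target downloads the tool with wget at build time, the claim only holds for whichever build gets fetched; please name the appimagetool version this was checked against in the comment, or add a build-twice-and-compare check for the AppImage output. Separately, the commit message covers RPM only and does not mention that the AppImage staging tree is now clamped, so this scope change deserves a line there or its own commit. Minor: `$(BASE_DIR)/Setup/Linux/usr` is passed to find unquoted while `_appdir` is assigned from a quoted path, so a BASE_DIR containing spaces would split here.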
@@ -587,9 +587,6 @@ appimage: prepare
wget --quiet -O "$${_appimagetool_executable_path}" "$${_appimagetool_url}"; \
chmod +x "$${_appimagetool_executable_path}"; \
echo "Creating AppImage $${_final_appimage_path}..."; \
if [ "$(VC_SOURCE_DATE_EPOCH_AUTO)" = "1" ]; then \
unset SOURCE_DATE_EPOCH; \
fi; \
ARCH="$${_final_appimage_arch_suffix}" "$${_appimagetool_executable_path}" "$(BASE_DIR)/Setup/Linux/veracrypt.AppDir" "$${_final_appimage_path}"; \
echo "AppImage created: $${_final_appimage_path}"; \
echo "Cleaning up appimagetool..."; \
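Review bot: dropping the `unset SOURCE_DATE_EPOCH` guard means an auto-derived epoch (VC_SOURCE_DATE_EPOCH_AUTO = 1) is now passed to appimagetool, yet the binary is still fetched with `wget --quiet` and made executable on the next line with no checksum or signature check between the two. A bit-for-bit reproducible AppImage is only meaningful if the tool that produced it is itself fixed, so I would pin `_appimagetool_url` to a specific release and compare the download against a recorded SHA-256 before the `chmod +x`. The removal also has no comment explaining why the auto-epoch case is now safe to forward; a one-line note above the appimagetool invocation would help the next reader.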