diff --git a/Makefile.am b/Makefile.am
index ab9e6c0c24..5f8591e9f5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,13 +9,21 @@ masterfilesdir=$(prefix)/masterfiles
 
 EXTRA_DIST = README.md inventory/README.md lib/README.md CONTRIBUTING.md LICENSE CFVERSION modules/promises
 
-# Do not reveal usernames of the buildslave
-TAR_OPTIONS = --owner=0 --group=0
+# Do not reveal usernames of the buildslave, and emit members in a stable
+# order so two builds of the same source tree produce an identical tarball.
+TAR_OPTIONS = --owner=0 --group=0 --sort=name
 export TAR_OPTIONS
 
-# Store the permissions properly in the tarball for acceptance tests to succeed
+# Store the permissions properly in the tarball for acceptance tests to succeed.
+# Also normalize directory permissions (which otherwise leak the builder's
+# umask) and, when SOURCE_DATE_EPOCH is set, clamp every mtime to it so the
+# "make dist" source tarball is reproducible.
 dist-hook:
 	find $(distdir) -name '*.cf*' | xargs chmod go-w
+	find $(distdir) -type d -exec chmod 755 {} +
+	if [ -n "$$SOURCE_DATE_EPOCH" ]; then \
+	    find $(distdir) -exec touch -d @$$SOURCE_DATE_EPOCH {} + ; \
+	fi
 
 tar-package:
 	pkgdir=`mktemp -d`  &&  export pkgdir  &&  \
@@ -24,8 +32,11 @@ tar-package:
 	$(MAKE) prefix=$$pkgdir install  &&  \
 	(   cd $$pkgdir  &&  \
             find . -name '*.cf*' | xargs -n1 chmod go-w  &&  \
+	    if [ -n "$$SOURCE_DATE_EPOCH" ]; then \
+	        find . -exec touch -d @$$SOURCE_DATE_EPOCH {} + ; \
+	    fi  &&  \
 	    tardir=.  &&  $(am__tar) |  \
-	        GZIP=$(GZIP_ENV) gzip -c  \
+	        GZIP=$(GZIP_ENV) gzip -nc  \
 	        > "$$origdir"/$(PACKAGE)-$(VERSION)-$(RELEASE).pkg.tar.gz  \
 	)  ;  \
 	[ x$$pkgdir != x ]  &&  rm -rf $$pkgdir