Adjust tarball creation to be reproducible

Author: tianon

Dockerfile-builder.template

@@ -13,6 +13,8 @@ RUN set -eux; \
 		musl-dev \
 		patch \
 		tzdata \
+# busybox's tar ironically does not maintain mtime of directories correctly (which we need for SOURCE_DATE_EPOCH / reproducibility)
+		tar \
 	;
 {{ ) else ( -}}
 FROM debian:bookworm-slim
@@ -234,22 +236,36 @@ RUN set -eux; \
 	curl -fL -o busybox.tar.bz2 "https://busybox.net/downloads/$tarball"; \
 	echo "$BUSYBOX_SHA256 *busybox.tar.bz2" | sha256sum -c -; \
 	gpg --batch --verify busybox.tar.bz2.sig busybox.tar.bz2; \
-	mkdir -p /usr/src/busybox; \
-	tar -xf busybox.tar.bz2 -C /usr/src/busybox --strip-components 1; \
-	rm busybox.tar.bz2*
+# Alpine... 😅
+	mkdir -p /usr/src; \
+	tar -xf busybox.tar.bz2 -C /usr/src "busybox-$BUSYBOX_VERSION"; \
+	mv "/usr/src/busybox-$BUSYBOX_VERSION" /usr/src/busybox; \
+	rm busybox.tar.bz2*; \
+	\
+# save the tarball's filesystem timestamp persistently (in case building busybox modifies it) so we can use it for reproducible rootfs later
+	SOURCE_DATE_EPOCH="$(stat -c '%Y' /usr/src/busybox | tee /usr/src/busybox.SOURCE_DATE_EPOCH)"; \
+	date="$(date -d "@$SOURCE_DATE_EPOCH" '+%Y%m%d%H%M.%S')"; \
+	touch -t "$date" /usr/src/busybox.SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+	date --date "@$SOURCE_DATE_EPOCH" --rfc-2822
 
 WORKDIR /usr/src/busybox
 
 RUN set -eux; \
 	\
+# build date/time gets embedded in the BusyBox binary -- SOURCE_DATE_EPOCH should override that
+	SOURCE_DATE_EPOCH="$(cat /usr/src/busybox.SOURCE_DATE_EPOCH)"; \
+	export SOURCE_DATE_EPOCH; \
+# (has to be set in the config stage for making sure "AUTOCONF_TIMESTAMP" is embedded correctly)
+	\
 	setConfs=' \
 		CONFIG_AR=y \
 		CONFIG_FEATURE_AR_CREATE=y \
 		CONFIG_FEATURE_AR_LONG_FILENAMES=y \
 # CONFIG_LAST_SUPPORTED_WCHAR: see https://github.com/docker-library/busybox/issues/13 (UTF-8 input)
 		CONFIG_LAST_SUPPORTED_WCHAR=0 \
 {{ if env.variant == "glibc" then ( -}}
-# As long as we rely on libnss (see below), we have to have libc.so anyhow, so we've removed CONFIG_STATIC here... :cry:
+# As long as we rely on libnss (see below), we have to have libc.so anyhow, so we've removed CONFIG_STATIC here... 😭
 {{ ) else ( -}}
 		CONFIG_STATIC=y \
 {{ ) end -}}
@@ -361,6 +377,7 @@ RUN set -eux; \
 {{ ) else "" end -}}
 	chroot rootfs /bin/getconf _NPROCESSORS_ONLN; \
 	\
+# TODO make this create symlinks instead so the output tarball is cleaner (but "-s" outputs absolute symlinks which is kind of annoying to deal with -- we should also consider letting busybox determine the "install paths"; see "busybox --list-full")
 	chroot rootfs /bin/busybox --install /bin
 
 # install a few extra files from buildroot (/etc/passwd, etc)

build.sh

@@ -13,7 +13,17 @@ for dir; do
 	(
 		set -x
 		docker build -t "$base-builder" -f "$dir/Dockerfile.builder" "$dir"
-		docker run --rm "$base-builder" tar cC rootfs . | xz -T0 -z9 > "$dir/busybox.tar.xz"
+		docker run --rm "$base-builder" \
+			tar \
+				--create \
+				--directory rootfs \
+				--numeric-owner \
+				--transform 's,^./,,' \
+				--sort name \
+				--mtime /usr/src/busybox.SOURCE_DATE_EPOCH --clamp-mtime \
+				. \
+			| xz -T0 -z9 > "$dir/busybox.tar.xz"
+		sha256sum "$dir/busybox.tar.xz"
 		docker build -t "$base-test" "$dir"
 		docker run --rm "$base-test" sh -xec 'true'