
Set PE/COFF timestamps to known value for reproducible builds

Authored by emaste on Aug 24 2016, 2:38 PM.



As reported on the freebsd-security mailing list, the EFI loader components are identified by freebsd-update builds as having changed on every build. This is due to timestamps embedded in the PE/COFF headers in the EFI files.

Use SOURCE_DATE_EPOCH to set the timestamps to a known value, arbitrarily chosen as Fri 1 Jan 2016 00:00:00 UTC.


Diff Detail

Lint Skipped
Tests Skipped

Event Timeline

emaste retitled this revision from to Set PE/COFF timestamps to known value for reproducible builds.
emaste updated this object.
emaste edited the test plan for this revision.
emaste added reviewers: cperciva, glebius.
emaste added a subscriber: bapt.

Add a comment explaining the SOURCE_DATE_EPOCH timestamp based on IRC discussion with @bapt

Timestamps can be checked with objdump -p boot1.efi

Time/Date               Fri Jan  1 00:00:00 2016

I'm not sure how to easily test the end-to-end process with freebsd-update though.

sys/conf/ also uses SOURCE_DATE_EPOCH, but it allows it to be passed in (via environment?); it only sets SOURCE_DATE_EPOCH explicitly if it's not passed in. For the sake of consistency between parts of the build, shouldn't this do the same thing, and honor SOURCE_DATE_EPOCH if it's already set?

Take SOURCE_DATE_EPOCH from the build environment if set, using our arbitrary Jan 1 2016 timestamp if not

This revision is now accepted and ready to land. Aug 31 2016, 1:21 AM
This revision was automatically updated to reflect the committed changes.
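
The `objdump -p boot1.efi` check mentioned in the thread reads the COFF TimeDateStamp field. As an added example (not part of this review or the FreeBSD tree), the Python below reads that field directly and compares it with SOURCE_DATE_EPOCH, falling back to the Jan 1 2016 value when the variable is unset. The function names and the sample header are constructed for illustration.

```python
import os
import struct
from datetime import datetime, timezone

# Fallback named in the review: Fri 1 Jan 2016 00:00:00 UTC.
DEFAULT_EPOCH = 1451606400


def expected_epoch(env=os.environ):
    """Honor SOURCE_DATE_EPOCH from the environment, else use the fallback."""
    value = env.get("SOURCE_DATE_EPOCH")
    return int(value) if value else DEFAULT_EPOCH


def pe_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp field of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", image, pe_off + 8)
    return stamp


def check_image(image: bytes, env=os.environ):
    """Return (matches expected epoch, embedded timestamp as a UTC string)."""
    stamp = pe_timestamp(image)
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return stamp == expected_epoch(env), when.strftime("%a %b %d %H:%M:%S %Y")


def make_sample(stamp: int) -> bytes:
    """Constructed minimal DOS + COFF header (not a loadable binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    # 1472049480 is a constructed "wall clock at build time" value.
    for label, stamp in (("fixed", DEFAULT_EPOCH), ("build-time", 1472049480)):
        print(label, check_image(make_sample(stamp), env={}))
```

To check a real artifact, pass the file's bytes to `check_image`, for example the contents of `boot1.efi` read in binary mode.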