Affects Version/s: EJBCA 7.0.0
Fix Version/s: None
Epic Name: Reproducible Builds
Issue discovered during: Integration
Being able to reproduce an exact build of an application from its sources allows a third party to sample and verify that we are not cheating.
For deliveries where the same EJBCA library appears multiple times, having the exact same files allows better compression of the overall delivery, or sym-linking instead of copying.
SignServer has come a long way on the subject: DSS-1042
Java itself is deterministic and will produce the same bytes in each .class-file each time a .java-file is compiled as long as the JDK is sufficiently similar.
JARs are zip files. Files always need to be added in the same order, and each entry has a timestamp that needs to stay the same.
(Same applies for WARs, the EAR and the RAR.)
When unzipping an EJBCA release, timestamps are preserved and will stay the same when included in JARs.
The timestamps of built classes and generated files, however, will not.
Ant's touch task https://ant.apache.org/manual/Tasks/touch.html can be used to modify timestamps.
Since we use inner classes, the following would not be sufficient (which has the benefit of simply re-using the timestamp of the source for the compiled class):
Instead we need a solution where we provide the timestamp and also modify the timestamp of created directories (which are also entries in the zipfile):
Ant's manifest task https://ant.apache.org/manual/Tasks/manifest.html can be used to generate a MANIFEST.MF before assembling the JAR, so the timestamp can be modified using touch.
We can use sort https://ant.apache.org/manual/Types/resources.html#sort to ensure that files are always added in the same order if we sort by name:
One option is to use the timestamp of src/internal.properties which is modified at the time of release:
With more static (build time) configuration and a defined release build JDK, this will probably get us pretty close to being reproducible.
Once the pattern to use has been decided on, implementing this is not a huge task.
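The two JAR properties described above (entry order and per-entry timestamps, directory entries included) can be checked from the outside by a third party. The following is an added example, not EJBCA or SignServer build code: Python's zipfile stands in for Ant's jar task, and the class names, build times and release timestamp are constructed assumptions.

```python
import io
import zipfile

def build_jar(entries):
    """entries: ordered (name, date_time, bytes); names ending in '/' are directory entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, stamp, data in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data,
                        compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def read_entries(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [(i.filename, i.date_time, zf.read(i)) for i in zf.infolist()]

def diff_jars(a, b):
    """Explain why two archives differ: entry set, entry order, timestamps, content."""
    ea, eb = read_entries(a), read_entries(b)
    names_a, names_b = [e[0] for e in ea], [e[0] for e in eb]
    findings = []
    if sorted(names_a) != sorted(names_b):
        findings.append("entry set differs")
    elif names_a != names_b:
        findings.append("entry order differs")
    other = {n: (t, d) for n, t, d in eb}
    for name, stamp, data in ea:
        if name in other:
            if other[name][0] != stamp:
                findings.append(f"timestamp differs: {name}")
            if other[name][1] != data:
                findings.append(f"content differs: {name}")
    return findings

def normalize(jar_bytes, stamp):
    """Rebuild with entries sorted by name and one fixed timestamp on every entry."""
    return build_jar(sorted((n, stamp, d) for n, _, d in read_entries(jar_bytes)))

# Constructed sample: identical class bytes (including an inner class and a
# directory entry), assembled twice in different order with different mtimes.
CLASSES = {"org/": b"", "org/Foo.class": b"\xca\xfe\xba\xbe-foo",
           "org/Foo$Inner.class": b"\xca\xfe\xba\xbe-inner"}
BUILD_1 = build_jar([(n, (2019, 3, 1, 10, 0, 0), d) for n, d in CLASSES.items()])
BUILD_2 = build_jar([(n, (2019, 3, 2, 11, 30, 0), d)
                     for n, d in reversed(list(CLASSES.items()))])
RELEASE_STAMP = (2019, 1, 1, 0, 0, 0)  # assumed fixed release timestamp
```

`diff_jars` separates packaging noise (order, timestamps) from a real content difference, which is the only finding that should concern someone verifying a delivery.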