internal/relui: improve reproducibility of signed tarballs

heschi · gopherbot · commit e32031f9d66e · 2023-07-21T21:11:10.000Z
When we get the signed binaries back, the signing process has modified the tarball somewhat. We want the files to match as much as possible, so undo those changes. (And avoid making one change ourselves.) - Don't add a directory entry for the go/ root dir. It's unnecessary and not included in distpacks. This will affect non-distpack builds, but nobody is scrutinizing those. - Remove all other the directory entries too, which were inserted by the signing process. - Set the timestamps back to the distribution's timestamps. - Clear the user information on the modified files. For golang/go#61513 Change-Id: I0b3508bc2547364e2a2b49e1c6ea7be8fe92b308 Reviewed-on: https://go-review.googlesource.com/c/build/+/511759 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Heschi Kreinick <heschi@google.com> Run-TryBot: Heschi Kreinick <heschi@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/internal/relui/workflows.go b/internal/relui/workflows.go
@@ -524,7 +524,7 @@ func (tasks *BuildReleaseTasks) addBuildTasks(wd *wf.Definition, major int, vers
 		case "darwin":
 			pkg := wf.Task2(wd, "Build PKG installer", tasks.buildDarwinPKG, version, tar)
 			signedPKG := wf.Task2(wd, "Sign PKG installer", tasks.signArtifact, pkg, wf.Const(sign.BuildMacOS))
-			signedTGZ := wf.Task1(wd, "Convert to .tgz", tasks.convertPKGToTGZ, signedPKG)
+			signedTGZ := wf.Task2(wd, "Convert to .tgz", tasks.convertPKGToTGZ, timestamp, signedPKG)
 			mod = wf.Task4(wd, "Merge signed files into module zip", tasks.mergeSignedToModule, version, timestamp, mod, signedTGZ)
 			artifacts = append(artifacts, signedPKG, signedTGZ)
 		case "windows":
@@ -889,10 +889,10 @@ func (b *BuildReleaseTasks) buildDarwinPKG(ctx *wf.TaskContext, version string,
 		return bs.BuildDarwinPKG(ctx, r, version, w)
 	})
 }
-func (b *BuildReleaseTasks) convertPKGToTGZ(ctx *wf.TaskContext, pkg artifact) (tgz artifact, _ error) {
+func (b *BuildReleaseTasks) convertPKGToTGZ(ctx *wf.TaskContext, timestamp time.Time, pkg artifact) (tgz artifact, _ error) {
 	bc := dashboard.Builders[pkg.Target.Builder]
 	return b.runBuildStep(ctx, pkg.Target, bc, pkg, "tar.gz", func(bs *task.BuildletStep, r io.Reader, w io.Writer) error {
-		return bs.ConvertPKGToTGZ(ctx, r, w)
+		return bs.ConvertPKGToTGZ(ctx, r, timestamp, w)
 	})
 }
 
diff --git a/internal/task/buildrelease.go b/internal/task/buildrelease.go
@@ -87,14 +87,7 @@ func adjustTar(reader *tar.Reader, writer *tar.Writer, prefixDir string, adjusts
 	if !strings.HasSuffix(prefixDir, "/") {
 		return fmt.Errorf("prefix dir %q must have a trailing /", prefixDir)
 	}
-	writer.WriteHeader(&tar.Header{
-		Name:       prefixDir,
-		Typeflag:   tar.TypeDir,
-		Mode:       0755,
-		ModTime:    time.Now(),
-		AccessTime: time.Now(),
-		ChangeTime: time.Now(),
-	})
+
 file:
 	for {
 		header, err := reader.Next()
@@ -210,6 +203,36 @@ func fixupCrossCompile(target *releasetargets.Target) adjustFunc {
 	}
 }
 
+// dropDirs drops all directory entries.
+func dropDirs() adjustFunc {
+	return func(h *tar.Header) *tar.Header {
+		if h.Typeflag == tar.TypeDir {
+			return nil
+		}
+		return h
+	}
+}
+
+// clearUserFields empties out all user and group fields.
+func clearUserFields() adjustFunc {
+	return func(h *tar.Header) *tar.Header {
+		h.Uid, h.Gid, h.Uname, h.Gname = 0, 0, "", ""
+		return h
+	}
+}
+
+// setTimes sets all timestamps to t.
+func setTimes(t time.Time) adjustFunc {
+	return func(h *tar.Header) *tar.Header {
+		h.ModTime = t
+		// Access/ChangeTime are only supported on PAX and GNU tar.
+		if h.Format != tar.FormatUSTAR {
+			h.AccessTime, h.ChangeTime = t, t
+		}
+		return h
+	}
+}
+
 const (
 	goDir = "go"
 	go14  = "go1.4"
@@ -460,7 +483,7 @@ type darwinDistData struct {
 }
 
 // ConvertPKGToTGZ converts a macOS installer (.pkg) to a .tar.gz tarball.
-func (b *BuildletStep) ConvertPKGToTGZ(ctx *workflow.TaskContext, in io.Reader, out io.Writer) error {
+func (b *BuildletStep) ConvertPKGToTGZ(ctx *workflow.TaskContext, in io.Reader, timestamp time.Time, out io.Writer) error {
 	if err := b.Buildlet.Put(ctx, in, "go.pkg", 0400); err != nil {
 		return err
 	}
@@ -485,7 +508,11 @@ func (b *BuildletStep) ConvertPKGToTGZ(ctx *workflow.TaskContext, in io.Reader,
 	reader := tar.NewReader(gzReader)
 	gzWriter := gzip.NewWriter(out)
 	writer := tar.NewWriter(gzWriter)
-	if err := adjustTar(reader, writer, "go/", nil); err != nil {
+	if err := adjustTar(reader, writer, "go/", []adjustFunc{
+		dropDirs(),
+		clearUserFields(),
+		setTimes(timestamp),
+	}); err != nil {
 		return err
 	}
 	if err := writer.Close(); err != nil {
