[arch-projects] [devtools] [PATCH 0/3] New tool,
I've finally finished up this thing for testing if a package can be rebuilt reproducibly. It uses makechrootpkg/mkarchroot under the hood, and requires arch-install-scripts >= 23. This, and other commits recently submitted to the list, can be pulled directly from my repository at https://github.com/eli-schwartz/devtools/commits/arch-projects-review Eli Schwartz (3): mkarchroot: support wrapping pacstrap -U makerepropkg: add new program to try to reproducibly build a package doc: add manpage for the new makerepropkg tool Makefile | 2 + doc/makerepropkg.1.asciidoc | 38 ++++++++ doc/mkarchroot.1.asciidoc | 3 + makerepropkg.in | 186 ++++++++++++++++++++++++++++++++++++ mkarchroot.in | 13 ++- 5 files changed, 238 insertions(+), 4 deletions(-) create mode 100644 doc/makerepropkg.1.asciidoc create mode 100755 makerepropkg.in -- 2.24.0
Needed to support reproducible builds. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- doc/mkarchroot.1.asciidoc | 3 +++ mkarchroot.in | 13 +++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/doc/mkarchroot.1.asciidoc b/doc/mkarchroot.1.asciidoc index 03d032c..eb0670a 100644 --- a/doc/mkarchroot.1.asciidoc +++ b/doc/mkarchroot.1.asciidoc @@ -20,6 +20,9 @@ en_US.UTF-8 and de_DE.UTF-8 locale and a generated machine-id. Options ------- +*-U*:: + Use 'pacman -U' to install packages. + *-C* <file>:: Location of a pacman config file. diff --git a/mkarchroot.in b/mkarchroot.in index 6c42d3b..37f6802 100644 --- a/mkarchroot.in +++ b/mkarchroot.in @@ -18,6 +18,7 @@ m4_include(lib/archroot.sh) umask 0022 working_dir='' +umode='' files=() nspawn_args=() @@ -25,6 +26,7 @@ nspawn_args=() usage() { echo "Usage: ${0##*/} [options] working-dir package-list..." echo ' options:' + echo ' -U Use pacman -U to install packages' echo ' -C <file> Location of a pacman config file' echo ' -M <file> Location of a makepkg config file' echo ' -c <dir> Set pacman cache' @@ -34,8 +36,9 @@ usage() { exit 1 } -while getopts 'hC:M:c:f:s' arg; do +while getopts 'hUC:M:c:f:s' arg; do case "$arg" in + U) umode=U ;; C) pac_conf="$OPTARG" ;; M) makepkg_conf="$OPTARG" ;; c) cache_dirs+=("$OPTARG") ;; @@ -44,8 +47,10 @@ while getopts 'hC:M:c:f:s' arg; do h|?) usage ;; *) error "invalid argument '%s'" "$arg"; usage ;; esac - nspawn_args+=("-$arg") - [[ -v OPTARG ]] && nspawn_args+=("$OPTARG") + if [[ $arg != U ]]; then + nspawn_args+=("-$arg") + [[ -v OPTARG ]] && nspawn_args+=("$OPTARG") + fi done shift $((OPTIND - 1)) @@ -85,7 +90,7 @@ for file in "${files[@]}"; do cp "$file" "$working_dir$file" done -pacstrap -Mcd ${pac_conf:+-C "$pac_conf"} "$working_dir" \ +pacstrap -${umode}Mcd ${pac_conf:+-C "$pac_conf"} "$working_dir" \ "${cache_dirs[@]/#/--cachedir=}" "$@" || die 'Failed to install all packages' printf '%s.UTF-8 UTF-8\n' en_US de_DE > "$working_dir/etc/locale.gen" -- 2.24.0
This attempts to recreate a package that was probably created using makechrootpkg, and see if it conforms to the https://reproducible-builds.org/ specification. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- Makefile | 1 + makerepropkg.in | 186 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 187 insertions(+) create mode 100755 makerepropkg.in diff --git a/Makefile b/Makefile index 0eb7a88..090063d 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,7 @@ IN_PROGS = \ finddeps \ find-libdeps \ lddd \ + makerepropkg \ mkarchroot \ makechrootpkg \ rebuildpkgs \ diff --git a/makerepropkg.in b/makerepropkg.in new file mode 100755 index 0000000..d1414d8 --- /dev/null +++ b/makerepropkg.in @@ -0,0 +1,186 @@ +#!/bin/bash +# makerepropkg - rebuild a package to see if it is reproducible +# +# Copyright (c) 2019 by Eli Schwartz <eschwartz@archlinux.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. +# + +m4_include(lib/common.sh) +m4_include(lib/archroot.sh) + +source /usr/share/makepkg/util/config.sh +source /usr/share/makepkg/util/message.sh + +declare -A buildinfo +declare -a buildenv buildopts installed installpkgs + +archiveurl='https://archive.archlinux.org/packages' +buildroot=/var/lib/archbuild/reproducible +chroot=testenv + +parse_buildinfo() { + local line var val + + while read -r line; do + var="${line%% = *}" + val="${line#* = }" + case ${var} in + buildenv) + buildenv+=("${val}") + ;; + options) + buildopts+=("${val}") + ;; + installed) + installed+=("${val}") + ;; + *) + buildinfo["${var}"]="${val}" + ;; + esac + done +} + +get_pkgfile() { + local cdir=${cache_dirs[0]} + local pkgfilebase=${1} + local pkgname=${pkgfilebase%-*-*-*} + local pkgfile ext + + for ext in .xz .zstd ''; do + pkgfile=${pkgfilebase}.pkg.tar${ext} + + for c in "${cache_dirs[@]}"; do + if [[ -f ${c}/${pkgfile} ]]; then + cdir=${c} + break + fi + done + + for f in "${pkgfile}" "${pkgfile}.sig"; do + if [[ ! -f "${cdir}/${f}" ]]; then + msg2 "retrieving '%s'..." "${f}" >&2 + curl -Llf -# -o "${cdir}/${f}" "${archiveurl}/${pkgname:0:1}/${pkgname}/${f}" || continue 2 + fi + done + printf '%s\n' "file://${cdir}/${pkgfile}" + return 0 + done + + return 1 +} + +usage() { + cat << __EOF__ +usage: ${BASH_SOURCE[0]##*/} [options] <package_file> + +Run this script in a PKGBUILD dir to build a package inside a +clean chroot while attempting to reproduce it. The package file +will be used to derive metadata needed for reproducing the +package, including the .PKGINFO as well as the buildinfo. + +For more details see https://reproducible-builds.org/ + +OPTIONS + -c <dir> Set pacman cache + -M <file> Location of a makepkg config file + -h Show this usage message +__EOF__ +} + +while getopts 'M:c:h' arg; do + case "$arg" in + M) archroot_args+=(-M "$OPTARG") ;; + c) cache_dirs+=("$OPTARG") ;; + h) usage; exit 0 ;; + *|?) usage; exit 1 ;; + esac +done +shift $((OPTIND - 1)) + +check_root + +if [[ -n $1 ]]; then + pkgfile="$1" +else + error "no package file specified. Try '${BASH_SOURCE[0]##*/} -h' for more information. " + exit 1 +fi + +if (( ${#cache_dirs[@]} == 0 )); then + mapfile -t cache_dirs < <(pacman-conf CacheDir) +fi + +ORIG_HOME=${HOME} +IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}") +load_makepkg_config +HOME=${ORIG_HOME} +[[ -d ${SRCDEST} ]] || SRCDEST=${PWD} + +parse_buildinfo < <(bsdtar -xOqf "${pkgfile}" .BUILDINFO) +export SOURCE_DATE_EPOCH="${buildinfo[builddate]}" +PACKAGER="${buildinfo[packager]}" +BUILDDIR="${buildinfo[builddir]}" + +# nuke and restore reproducible testenv +for copy in "${buildroot}"/*/; do + [[ -d ${copy} ]] || continue + subvolume_delete_recursive "${copy}" +done +rm -rf --one-file-system "${buildroot}" +(umask 0022; mkdir -p "${buildroot}") + +for fname in "${installed[@]}"; do + if ! allpkgfiles+=("$(get_pkgfile "${fname}")"); then + error "failed to retrieve ${fname}" + exit 1 + fi +done +printf '%s\n' "${allpkgfiles[@]}" | mkarchroot -U "${archroot_args[@]}" "${buildroot}"/root - || exit 1 + + +# use makechrootpkg to prep the build directory +makechrootpkg -r "${buildroot}" -l "${chroot}" -- --packagelist || exit 1 + +# set detected makepkg.conf options +{ + for var in PACKAGER BUILDDIR; do + printf '%s=%s\n' "${var}" "${!var@Q}" + done + printf 'OPTIONS=(%s)\n' "${buildopts[*]@Q}" + printf 'BUILDENV=(%s)\n' "${buildenv[*]@Q}" +} >> "${buildroot}/${chroot}"/etc/makepkg.conf >> "${buildroot}/${chroot}"/etc/makepkg.conf +install -d -o "${SUDO_UID:-$UID}" -g "$(id -g "${SUDO_UID:-$UID}")" "${buildroot}/${chroot}/${BUILDDIR}" + +# kick off the build +arch-nspawn "${buildroot}/${chroot}" \ + --bind="${PWD}:/startdir" \ + --bind="${SRCDEST}:/srcdest" \ + /chrootbuild -C --noconfirm --log --holdver --skipinteg + +if (( $? == 0 )); then + msg2 "built succeeded! built packages can be found in ${buildroot}/${chroot}/pkgdest" + msg "comparing artifacts..." + if cmp -s "${pkgfile}" "${buildroot}/${chroot}/pkgdest/${pkgfile##*/}"; then + msg2 "Package successfully reproduced!" + exit 0 + else + warning "Package is not reproducible. :(" + sha256sum "${pkgfile}" "${buildroot}/${chroot}/pkgdest/${pkgfile##*/}" + fi +fi + +# the package either failed to build, or was unreproducible +exit 1 -- 2.24.0
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- Makefile | 1 + doc/makerepropkg.1.asciidoc | 38 +++++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 doc/makerepropkg.1.asciidoc diff --git a/Makefile b/Makefile index 090063d..4ca7155 100644 --- a/Makefile +++ b/Makefile @@ -72,6 +72,7 @@ MANS = \ doc/checkpkg.1 \ doc/offload-build.1 \ doc/sogrep.1 \ + doc/makerepropkg.1 \ doc/mkarchroot.1 \ doc/find-libdeps.1 \ doc/find-libprovides.1 diff --git a/doc/makerepropkg.1.asciidoc b/doc/makerepropkg.1.asciidoc new file mode 100644 index 0000000..7d68e5e --- /dev/null +++ b/doc/makerepropkg.1.asciidoc @@ -0,0 +1,38 @@ +makerepropkg(1) +================ + +Name +---- +makerepropkg - Rebuild a package to see if it is reproducible + +Synopsis +-------- +makerepropkg [OPTIONS] <package_file> + +Description +----------- + +Given the path to a built pacman package, attempt to rebuild it using the +PKGBUILD in the current directory. The package will be built in an environment +as closely matching the environment of the initial package as possible, by +building up a chroot to match the information exposed in the package's +linkman:BUILDINFO[5] manifest. On success, the resulting package will be +compared to the input package, and makerepropkg will report whether the +artifacts are identical. + +This implements a verifier for pacman/libalpm packages in accordance with the +link:https://reproducible-builds.org/[Reproducible Builds] project. + +Options +------- + +*-c*:: + Set the pacman cache directory. + +*-M* <file>:: + Location of a makepkg config file. + +*-h*:: + Show this usage message + +include::footer.asciidoc[] -- 2.24.0
On 17.11.2019 21:32, Eli Schwartz via arch-projects wrote:
I've finally finished up this thing for testing if a package can be rebuilt reproducibly. It uses makechrootpkg/mkarchroot under the hood, and requires arch-install-scripts >= 23.
I have been testing this locally along with others in #archlinux-reproducible on Freenode and it works well for me; we have a bunch of packages now building reproducibly. I've also pulled in this patch on my local box and reviewed the code briefly, LGTM. Cheers --- Daniel Edgecumbe | esotericnonsense SE +46 10 195 6918 (no SMS) | UK +44 7723 432110 email@esotericnonsense.com | https://esotericnonsense.com
On 17.11.2019 21:32, Eli Schwartz via arch-projects wrote:
I've finally finished up this thing for testing if a package can be rebuilt reproducibly. It uses makechrootpkg/mkarchroot under the hood, and requires arch-install-scripts >= 23.
You may wish to include `makerepropkg` in .gitignore --- Daniel Edgecumbe | esotericnonsense SE +46 10 195 6918 (no SMS) | UK +44 7723 432110 email@esotericnonsense.com | https://esotericnonsense.com
This attempts to recreate a package that was probably created using makechrootpkg, and see if it conforms to the https://reproducible-builds.org/ specification. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- v2: add .gitignore bits .gitignore | 1 + Makefile | 1 + makerepropkg.in | 186 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 188 insertions(+) create mode 100755 makerepropkg.in diff --git a/.gitignore b/.gitignore index 6a1d1e4..7844219 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ commitpkg finddeps lddd makechrootpkg +makerepropkg mkarchroot rebuildpkgs zsh_completion diff --git a/Makefile b/Makefile index 0eb7a88..090063d 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,7 @@ IN_PROGS = \ finddeps \ find-libdeps \ lddd \ + makerepropkg \ mkarchroot \ makechrootpkg \ rebuildpkgs \ diff --git a/makerepropkg.in b/makerepropkg.in new file mode 100755 index 0000000..d1414d8 --- /dev/null +++ b/makerepropkg.in @@ -0,0 +1,186 @@ +#!/bin/bash +# makerepropkg - rebuild a package to see if it is reproducible +# +# Copyright (c) 2019 by Eli Schwartz <eschwartz@archlinux.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. +# + +m4_include(lib/common.sh) +m4_include(lib/archroot.sh) + +source /usr/share/makepkg/util/config.sh +source /usr/share/makepkg/util/message.sh + +declare -A buildinfo +declare -a buildenv buildopts installed installpkgs + +archiveurl='https://archive.archlinux.org/packages' +buildroot=/var/lib/archbuild/reproducible +chroot=testenv + +parse_buildinfo() { + local line var val + + while read -r line; do + var="${line%% = *}" + val="${line#* = }" + case ${var} in + buildenv) + buildenv+=("${val}") + ;; + options) + buildopts+=("${val}") + ;; + installed) + installed+=("${val}") + ;; + *) + buildinfo["${var}"]="${val}" + ;; + esac + done +} + +get_pkgfile() { + local cdir=${cache_dirs[0]} + local pkgfilebase=${1} + local pkgname=${pkgfilebase%-*-*-*} + local pkgfile ext + + for ext in .xz .zstd ''; do + pkgfile=${pkgfilebase}.pkg.tar${ext} + + for c in "${cache_dirs[@]}"; do + if [[ -f ${c}/${pkgfile} ]]; then + cdir=${c} + break + fi + done + + for f in "${pkgfile}" "${pkgfile}.sig"; do + if [[ ! -f "${cdir}/${f}" ]]; then + msg2 "retrieving '%s'..." "${f}" >&2 + curl -Llf -# -o "${cdir}/${f}" "${archiveurl}/${pkgname:0:1}/${pkgname}/${f}" || continue 2 + fi + done + printf '%s\n' "file://${cdir}/${pkgfile}" + return 0 + done + + return 1 +} + +usage() { + cat << __EOF__ +usage: ${BASH_SOURCE[0]##*/} [options] <package_file> + +Run this script in a PKGBUILD dir to build a package inside a +clean chroot while attempting to reproduce it. The package file +will be used to derive metadata needed for reproducing the +package, including the .PKGINFO as well as the buildinfo. + +For more details see https://reproducible-builds.org/ + +OPTIONS + -c <dir> Set pacman cache + -M <file> Location of a makepkg config file + -h Show this usage message +__EOF__ +} + +while getopts 'M:c:h' arg; do + case "$arg" in + M) archroot_args+=(-M "$OPTARG") ;; + c) cache_dirs+=("$OPTARG") ;; + h) usage; exit 0 ;; + *|?) usage; exit 1 ;; + esac +done +shift $((OPTIND - 1)) + +check_root + +if [[ -n $1 ]]; then + pkgfile="$1" +else + error "no package file specified. Try '${BASH_SOURCE[0]##*/} -h' for more information. " + exit 1 +fi + +if (( ${#cache_dirs[@]} == 0 )); then + mapfile -t cache_dirs < <(pacman-conf CacheDir) +fi + +ORIG_HOME=${HOME} +IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}") +load_makepkg_config +HOME=${ORIG_HOME} +[[ -d ${SRCDEST} ]] || SRCDEST=${PWD} + +parse_buildinfo < <(bsdtar -xOqf "${pkgfile}" .BUILDINFO) +export SOURCE_DATE_EPOCH="${buildinfo[builddate]}" +PACKAGER="${buildinfo[packager]}" +BUILDDIR="${buildinfo[builddir]}" + +# nuke and restore reproducible testenv +for copy in "${buildroot}"/*/; do + [[ -d ${copy} ]] || continue + subvolume_delete_recursive "${copy}" +done +rm -rf --one-file-system "${buildroot}" +(umask 0022; mkdir -p "${buildroot}") + +for fname in "${installed[@]}"; do + if ! allpkgfiles+=("$(get_pkgfile "${fname}")"); then + error "failed to retrieve ${fname}" + exit 1 + fi +done +printf '%s\n' "${allpkgfiles[@]}" | mkarchroot -U "${archroot_args[@]}" "${buildroot}"/root - || exit 1 + + +# use makechrootpkg to prep the build directory +makechrootpkg -r "${buildroot}" -l "${chroot}" -- --packagelist || exit 1 + +# set detected makepkg.conf options +{ + for var in PACKAGER BUILDDIR; do + printf '%s=%s\n' "${var}" "${!var@Q}" + done + printf 'OPTIONS=(%s)\n' "${buildopts[*]@Q}" + printf 'BUILDENV=(%s)\n' "${buildenv[*]@Q}" +} >> "${buildroot}/${chroot}"/etc/makepkg.conf >> "${buildroot}/${chroot}"/etc/makepkg.conf +install -d -o "${SUDO_UID:-$UID}" -g "$(id -g "${SUDO_UID:-$UID}")" "${buildroot}/${chroot}/${BUILDDIR}" + +# kick off the build +arch-nspawn "${buildroot}/${chroot}" \ + --bind="${PWD}:/startdir" \ + --bind="${SRCDEST}:/srcdest" \ + /chrootbuild -C --noconfirm --log --holdver --skipinteg + +if (( $? == 0 )); then + msg2 "built succeeded! built packages can be found in ${buildroot}/${chroot}/pkgdest" + msg "comparing artifacts..." + if cmp -s "${pkgfile}" "${buildroot}/${chroot}/pkgdest/${pkgfile##*/}"; then + msg2 "Package successfully reproduced!" + exit 0 + else + warning "Package is not reproducible. :(" + sha256sum "${pkgfile}" "${buildroot}/${chroot}/pkgdest/${pkgfile##*/}" + fi +fi + +# the package either failed to build, or was unreproducible +exit 1 -- 2.24.0
This attempts to recreate a package that was probably created using makechrootpkg, and see if it conforms to the https://reproducible-builds.org/ specification. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- v3: make sure the pkgfile is actually a valid pkgfile .gitignore | 1 + Makefile | 1 + makerepropkg.in | 190 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 192 insertions(+) create mode 100755 makerepropkg.in diff --git a/.gitignore b/.gitignore index 6a1d1e4..7844219 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ commitpkg finddeps lddd makechrootpkg +makerepropkg mkarchroot rebuildpkgs zsh_completion diff --git a/Makefile b/Makefile index 0eb7a88..090063d 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,7 @@ IN_PROGS = \ finddeps \ find-libdeps \ lddd \ + makerepropkg \ mkarchroot \ makechrootpkg \ rebuildpkgs \ diff --git a/makerepropkg.in b/makerepropkg.in new file mode 100755 index 0000000..710f3ca --- /dev/null +++ b/makerepropkg.in @@ -0,0 +1,190 @@ +#!/bin/bash +# makerepropkg - rebuild a package to see if it is reproducible +# +# Copyright (c) 2019 by Eli Schwartz <eschwartz@archlinux.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. +# + +m4_include(lib/common.sh) +m4_include(lib/archroot.sh) + +source /usr/share/makepkg/util/config.sh +source /usr/share/makepkg/util/message.sh + +declare -A buildinfo +declare -a buildenv buildopts installed installpkgs + +archiveurl='https://archive.archlinux.org/packages' +buildroot=/var/lib/archbuild/reproducible +chroot=testenv + +parse_buildinfo() { + local line var val + + while read -r line; do + var="${line%% = *}" + val="${line#* = }" + case ${var} in + buildenv) + buildenv+=("${val}") + ;; + options) + buildopts+=("${val}") + ;; + installed) + installed+=("${val}") + ;; + *) + buildinfo["${var}"]="${val}" + ;; + esac + done +} + +get_pkgfile() { + local cdir=${cache_dirs[0]} + local pkgfilebase=${1} + local pkgname=${pkgfilebase%-*-*-*} + local pkgfile ext + + for ext in .xz .zstd ''; do + pkgfile=${pkgfilebase}.pkg.tar${ext} + + for c in "${cache_dirs[@]}"; do + if [[ -f ${c}/${pkgfile} ]]; then + cdir=${c} + break + fi + done + + for f in "${pkgfile}" "${pkgfile}.sig"; do + if [[ ! -f "${cdir}/${f}" ]]; then + msg2 "retrieving '%s'..." "${f}" >&2 + curl -Llf -# -o "${cdir}/${f}" "${archiveurl}/${pkgname:0:1}/${pkgname}/${f}" || continue 2 + fi + done + printf '%s\n' "file://${cdir}/${pkgfile}" + return 0 + done + + return 1 +} + +usage() { + cat << __EOF__ +usage: ${BASH_SOURCE[0]##*/} [options] <package_file> + +Run this script in a PKGBUILD dir to build a package inside a +clean chroot while attempting to reproduce it. The package file +will be used to derive metadata needed for reproducing the +package, including the .PKGINFO as well as the buildinfo. + +For more details see https://reproducible-builds.org/ + +OPTIONS + -c <dir> Set pacman cache + -M <file> Location of a makepkg config file + -h Show this usage message +__EOF__ +} + +while getopts 'M:c:h' arg; do + case "$arg" in + M) archroot_args+=(-M "$OPTARG") ;; + c) cache_dirs+=("$OPTARG") ;; + h) usage; exit 0 ;; + *|?) usage; exit 1 ;; + esac +done +shift $((OPTIND - 1)) + +check_root + +if [[ -n $1 ]]; then + pkgfile="$1" + if ! bsdtar -tqf "${pkgfile}" .BUILDINFO >/dev/null 2>&1; then + error "file is not a valid pacman package: '%s'" "${pkgfile}" + exit 1 + fi +else + error "no package file specified. Try '${BASH_SOURCE[0]##*/} -h' for more information. " + exit 1 +fi + +if (( ${#cache_dirs[@]} == 0 )); then + mapfile -t cache_dirs < <(pacman-conf CacheDir) +fi + +ORIG_HOME=${HOME} +IFS=: read -r _ _ _ _ _ HOME _ < <(getent passwd "${SUDO_USER:-$USER}") +load_makepkg_config +HOME=${ORIG_HOME} +[[ -d ${SRCDEST} ]] || SRCDEST=${PWD} + +parse_buildinfo < <(bsdtar -xOqf "${pkgfile}" .BUILDINFO) +export SOURCE_DATE_EPOCH="${buildinfo[builddate]}" +PACKAGER="${buildinfo[packager]}" +BUILDDIR="${buildinfo[builddir]}" + +# nuke and restore reproducible testenv +for copy in "${buildroot}"/*/; do + [[ -d ${copy} ]] || continue + subvolume_delete_recursive "${copy}" +done +rm -rf --one-file-system "${buildroot}" +(umask 0022; mkdir -p "${buildroot}") + +for fname in "${installed[@]}"; do + if ! allpkgfiles+=("$(get_pkgfile "${fname}")"); then + error "failed to retrieve ${fname}" + exit 1 + fi +done +printf '%s\n' "${allpkgfiles[@]}" | mkarchroot -U "${archroot_args[@]}" "${buildroot}"/root - || exit 1 + + +# use makechrootpkg to prep the build directory +makechrootpkg -r "${buildroot}" -l "${chroot}" -- --packagelist || exit 1 + +# set detected makepkg.conf options +{ + for var in PACKAGER BUILDDIR; do + printf '%s=%s\n' "${var}" "${!var@Q}" + done + printf 'OPTIONS=(%s)\n' "${buildopts[*]@Q}" + printf 'BUILDENV=(%s)\n' "${buildenv[*]@Q}" +} >> "${buildroot}/${chroot}"/etc/makepkg.conf >> "${buildroot}/${chroot}"/etc/makepkg.conf +install -d -o "${SUDO_UID:-$UID}" -g "$(id -g "${SUDO_UID:-$UID}")" "${buildroot}/${chroot}/${BUILDDIR}" + +# kick off the build +arch-nspawn "${buildroot}/${chroot}" \ + --bind="${PWD}:/startdir" \ + --bind="${SRCDEST}:/srcdest" \ + /chrootbuild -C --noconfirm --log --holdver --skipinteg + +if (( $? == 0 )); then + msg2 "built succeeded! built packages can be found in ${buildroot}/${chroot}/pkgdest" + msg "comparing artifacts..." + if cmp -s "${pkgfile}" "${buildroot}/${chroot}/pkgdest/${pkgfile##*/}"; then + msg2 "Package successfully reproduced!" + exit 0 + else + warning "Package is not reproducible. :(" + sha256sum "${pkgfile}" "${buildroot}/${chroot}/pkgdest/${pkgfile##*/}" + fi +fi + +# the package either failed to build, or was unreproducible +exit 1 -- 2.24.0
participants (3)
-
Daniel Edgecumbe
-
Eli Schwartz
-
email@esotericnonsense.com