Date: Friday, July 10, 2020 @ 17:09:38 Author: diabonas Revision: 663122
upgpkg: thunderbird-extension-enigmail 2.1.7-3: remove timezone and UIDs/GIDs from XPI After the previous update some further sources of unreproducibility were found, hopefully everything relevant is covered now. Added: thunderbird-extension-enigmail/trunk/0001-genxpi-make-XPI-files-reproducible.patch Modified: thunderbird-extension-enigmail/trunk/PKGBUILD -----------------------------------------------+ 0001-genxpi-make-XPI-files-reproducible.patch | 65 ++++++++++++++++++++++++ PKGBUILD | 10 +-- 2 files changed, 70 insertions(+), 5 deletions(-)
Added: 0001-genxpi-make-XPI-files-reproducible.patch
===================================================================
--- 0001-genxpi-make-XPI-files-reproducible.patch (rev 0)
+++ 0001-genxpi-make-XPI-files-reproducible.patch 2020-07-10 17:09:38 UTC (rev 663122)
@@ -0,0 +1,65 @@
+From a68b0efbd2002aeb6aa1240b8611cbb97b84d7a7 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabo...@gmx.de>
+Date: Fri, 10 Jul 2020 19:02:43 +0200
+Subject: [PATCH] genxpi: make XPI files reproducible
+
+zip records the mtime of packed files, making it harder to reproduce the
+generated file bit for bit. Use the SOURCE_DATE_EPOCH specification that is
+already respected in other places of this project (package/Makefile) to set the
+modification time to a known, reproducible value.
+
+To avoid embedding time zone information and Unix UIDs/GIDs as further sources
+of unreproducibilty use "export TZ=UTC" and "zip -X", resp. Also make the mtime
+of the generated XPI file reproducible using "zip -o" for good measure.
+---
+ util/genxpi | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/util/genxpi b/util/genxpi
+index 9d7c39e5..36110e02 100755
+--- a/util/genxpi
++++ b/util/genxpi
+@@ -60,9 +60,10 @@ find chrome/content/modules -name "*.js*" | LC_ALL=C sort > chrome/content/modul
+
+ echo "Creating ${xpiFile} file"
+
+-zip -9 --must-match\
+- ../${xpiFile} \
+- chrome/content/preferences/defaultPrefs.js \
++# Avoid embedding time zone information about the current system into the XPI
++export TZ=UTC
++
++set chrome/content/preferences/defaultPrefs.js \
+ chrome/content/modules/addrbook.jsm \
+ chrome/content/modules/amPrefsService.jsm \
+ chrome/content/modules/app.jsm \
+@@ -184,9 +185,15 @@ zip -9 --must-match\
+ chrome/content/modules/all-modules.txt \
+ chrome/content/am-enigprefs.xul
+
+-zip -9 \
+- ../${xpiFile} \
+- chrome/content/ui/*.* \
++# Set modification timestamps to a fixed value for reproducibilty
++[ -n "$SOURCE_DATE_EPOCH" ] && touch --date "@$SOURCE_DATE_EPOCH" -- "$@"
++zip -9 -o -X --must-match ../${xpiFile} "$@"
++
++if [ $? -ne 0 ]; then
++ exit 1
++fi
++
++set chrome/content/ui/*.* \
+ chrome/skin/aero/*.* \
+ chrome/skin/modern/*.* \
+ chrome/skin/tb-mac/*.* \
+@@ -198,3 +205,7 @@ zip -9 \
+ bootstrap.js \
+ chrome.manifest \
+ ${pkgFile}
++
++# Set modification timestamps to a fixed value for reproducibilty
++[ -n "$SOURCE_DATE_EPOCH" ] && touch --date "@$SOURCE_DATE_EPOCH" -- "$@"
++zip -9 -o -X ../${xpiFile} "$@"
+--
+2.27.0
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-07-10 16:57:18 UTC (rev 663121)
+++ PKGBUILD 2020-07-10 17:09:38 UTC (rev 663122)
@@ -10,7 +10,7 @@
 pkgname=thunderbird-extension-enigmail
 pkgver=2.1.7
-pkgrel=2
+pkgrel=3
 pkgdesc="OpenPGP message encryption and authentication for Thunderbird"
 arch=('any')
 url="https://www.enigmail.net/"
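Review bot: Both added `touch --date "@$SOURCE_DATE_EPOCH" -- "$@"` lines in the embedded util/genxpi patch create any listed path that does not exist, so with SOURCE_DATE_EPOCH set a missing module becomes an empty file before zip runs and the `--must-match` check on the first list can no longer fail for it (as long as its directory exists). The second list is built from globs such as `chrome/skin/tb-mac/*.*`; an unmatched pattern stays literal in `"$@"`, and touch would then create a file named `*.*` that zip packs into the XPI. Passing `-c` keeps touch from creating files: `[ -n "$SOURCE_DATE_EPOCH" ] && touch -c --date "@$SOURCE_DATE_EPOCH" -- "$@"`. The exit status of touch is also not checked, and the second zip call has no status check like the `if [ $? -ne 0 ]` after the first; the script continues outside the hunks, so whether that matters cannot be told from here.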
@@ -20,17 +20,17 @@
 source=("https://www.enigmail.net/download/source/enigmail-${pkgver}.tar.gz"{,.asc}
 "0001-preferences-disable-pEpAutoDownload-by-default.patch"
 "0001-Disable-Thunderbird-78-upgrade-warning-message.patch"
- "enigmail-reprodible-xpi-timestamps.patch::https://gitlab.com/enigmail/enigmail/-/commit/e905796792feff11ec92d3757e0c54dea0d605d3.patch")
+ "0001-genxpi-make-XPI-files-reproducible.patch")
 sha512sums=('1b57091c8ab9aaa086f327b78d904d688c850b6d39e37e2dac82e0629c0279723eae4608ecd08a24efe9ed1bdc86fbc497e97cd800c7349a70612a42b98f3e41'
 'SKIP'
 'baebd963400574db89be747a4419534f945bdc64136d4014656ff98a9615a23984bca724da3f3840670979aab08ce441eee067921e21d0cb216938a20ed785b2'
 '4ddf887765e4296b3c639748d875b179d1e2a5fb38ad16e2918f115a9ff9a05e2f9c66218544f7ab8189f096908df761d4047fd5d23972c02737e46c4a0c843c'
- '1ba5b64fb93737899d61d1f6755822eb6de5ac29a5016cc1a6260c480904c347b656b9e37c6476bc3c07058d750ff90ff04b5ebe65844f88975b98ec3064eaac')
+ '3902e09d801f8a3fd493450a85c23d3cd95c68465df0025599e6c923b9708a6cb0cb09920170ec5055d55a56e287ae468460fca150f7be8af9d83cffa1a40427')
 b2sums=('8f6d1ec16b48219c75c6dbcddf4807ed57965eeec29776e7c757d5aa34da6bfdbbb58964ee3d7de2efcb65ab69fa5b020f1a8ec01cd8eee662d8195a217cdc69'
 'SKIP'
 'c593ed7b094d9feecb2f14624cf0628ab390c96f0fb0212ab0069333508b59057ef4b0518da1bf59eb8aaf0942303c4c45afab76d0b8e77a93763eab975cb4c0'
 'a2ba38e56f14a87834023076a75a6c59bc17488104227d8db3e31072f2dcc6488808a980b4073111dec4cf4661349c3e995b8226808c3038d96f2cab666eb90b'
- '906c099f4d01a5d265cc96172ad00e44fca7c043eaad9827f5f319b294134e522d615100027ddbb89638d0b553a64451f4f116ddef5549081ba888217cb8c252')
+ '55709a3fd099fab4b11289518a44f2b53e81031606529cec5b4786e796de438faefa52f2a7ab3d29d6b3aca120e279f30d6d7ba3c3e3d02ca2abcb85f1652661')
 validpgpkeys=('4F9F89F5505AC1D1A260631CDB1187B9DD5F693B') # Patrick Brunschwig <patr...@enigmail.net>
 prepare() {
@@ -45,7 +45,7 @@
 # Make timestamps in the generated XPI file respect SOURCE_DATE_EPOCH
 # (https://gitlab.com/enigmail/enigmail/-/merge_requests/45)
- patch -p1 -i ../enigmail-reprodible-xpi-timestamps.patch
+ patch -p1 -i ../0001-genxpi-make-XPI-files-reproducible.patch
 }
 build() {
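Review bot: The comment above the changed `patch -p1 -i` line still describes only SOURCE_DATE_EPOCH timestamps, while the local patch applied now also sets `TZ=UTC` and passes `zip -X` and `zip -o`. I would widen it to something like `# Make the generated XPI reproducible: fixed mtimes (SOURCE_DATE_EPOCH), no time zone, no UIDs/GIDs`. The merge request link should stay only if that request carries this version of the patch, which the page does not show. prepare() starts outside the hunk.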