Hi all,
I wanted to provide a status update on this.
The bnd issue [1] has been fixed and will be included in the next
release. We can switch to the latest bnd snapshot to pick up that fix in
the meantime.
I have tested detached signatures with JSign and they do work across
platforms. I was able to build 10.1.0-M13-dev on Linux (generating the
signature) and then repeat the build on Windows, this time inserting the
signature, and the uninstaller was correctly digitally signed.
There are, however, a couple of issues.
The JSign Ant task that adds the detached signature doesn't close the
signed file. This causes problems for Ant. I've opened a JSign issue [2]
for this. I have a locally built version with a hack that fixes the
issue so I can continue testing.
The zips generated by the Javadoc task don't fix the timestamps of the
files within the zips. This breaks repeatability for the full-docs
package and for the Windows installer.
If it were just the full docs package, I don't think I'd worry too much
about the Javadoc issue but the Windows installer is more of a problem.
Therefore, I plan to work on a custom Ant task that will fix these zip
files by setting the timestamps on the compressed files to be the same
as the timestamp used by the rest of the build.
Finally, I have some minor modifications to build.xml that will enable
repeatable builds. Once everything is in place the build process will
look like:
- prepare for tagging as currently (update version in
  build.properties.default and edit changelog)
- run a release build to generate the detached signatures
- tag including:
  - modified build.properties.default
  - modified changelog.xml
  - 2x .sig files added to res/install-win
- anyone can build a release from the tag and will get a build that
  includes a signed Windows installer
I have confirmed the builds are repeatable across Linux and Windows. I
need to work on how much variation is permitted for Ant versions and JRE
versions.
Mark
[1] https://github.com/bndtools/bnd/issues/5183
[2] https://github.com/ebourg/jsign/issues/117
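
Added example, not part of the original message and not Tomcat's Ant task: a sketch of the zip timestamp fix described above, rewriting every entry with one fixed time so that two builds of the same content produce identical archives. The class name, the sample entry and the build timestamp are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.time.LocalDateTime;
import java.util.Arrays;
import java.util.zip.*;

public class ZipTimestampFixer {
    // Rewrites a zip so every entry carries the same fixed timestamp.
    // setTimeLocal (Java 9+) stores the given wall-clock value directly; setTime(long)
    // would convert through the JVM's default time zone and vary by build machine.
    // Only names and content are copied; entry comments and extra fields are dropped.
    static byte[] normalize(byte[] zip, LocalDateTime fixed) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zip));
             ZipOutputStream zout = new ZipOutputStream(out)) {
            ZipEntry in;
            while ((in = zin.getNextEntry()) != null) {
                ZipEntry entry = new ZipEntry(in.getName());
                entry.setTimeLocal(fixed);
                zout.putNextEntry(entry);
                zin.transferTo(zout); // reads to the end of the current entry only
                zout.closeEntry();
            }
        }
        return out.toByteArray();
    }

    // Constructed sample: a one-file zip standing in for Javadoc output.
    static byte[] sampleZip(long mtimeMillis) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(out)) {
            ZipEntry e = new ZipEntry("api/index.html");
            e.setTime(mtimeMillis);
            z.putNextEntry(e);
            z.write("<html>constructed sample</html>".getBytes(StandardCharsets.UTF_8));
            z.closeEntry();
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        LocalDateTime buildTime = LocalDateTime.of(2021, 1, 1, 0, 0, 0); // assumed value
        byte[] first = sampleZip(1_600_000_000_000L);  // same content,
        byte[] second = sampleZip(1_700_000_000_000L); // different file times
        System.out.println("raw identical:        " + Arrays.equals(first, second));
        System.out.println("normalized identical: "
                + Arrays.equals(normalize(first, buildTime), normalize(second, buildTime)));
    }
}
```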