Commit 9dd20575 authored by Philip Hayes

sgx-sdk: disable mtime in bundled zip file for reproducible builds

Context:

The `aesm_service` binary depends on a vendored library called
`CppMicroServices`. At build time, this lib creates and then bundles
service resources into a zip file and then embeds this zip into the
binary. Without changes, the `aesm_service` will be different after every
build because the embedded zip file contents have different modified times.

All credits to @haraldh for this patch <3
parent fd3978c1
+1 −1
@@ -14,7 +14,7 @@
, debug ? false
}:
stdenv.mkDerivation rec {
  inherit (sgx-sdk) version versionTag src;
  inherit (sgx-sdk) patches src version versionTag;
  pname = "sgx-psw";

  postUnpack =
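Review bot: The inherit line that now lists `patches` makes sgx-psw apply every patch declared on sgx-sdk, not only the mtime patch this commit is about, and nothing in the hunk records that coupling. A short comment above it, such as `# Reuse sgx-sdk's patch set: aesm_service builds the same vendored CppMicroServices tree.`, would tell the next reader why the psw build picks up the sdk's patches. If sgx-sdk later gains a patch that only makes sense for the SDK, it will presumably be applied (or fail to apply) here as well, which is worth stating. The enclosing derivation continues outside the hunk.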
+26 −0
diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
index aee499e9..13fa89d4 100644
--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
                    const_cast<mz_zip_archive*>(&m_ZipArchive), index)
                    ? true
                    : false;
-    stat.modifiedTime = zipStat.m_time;
+    stat.modifiedTime = 0;
     stat.crc32 = zipStat.m_crc32;
     // This will limit the size info from uint64 to uint32 on 32-bit
     // architectures. We don't care because we assume resources > 2GB
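Review bot: `stat.modifiedTime = 0;` carries no explanation of why the timestamp is discarded, and the `zipStat.m_time` it replaces is presumably no longer available once `MINIZ_NO_TIME` is defined in the bundled miniz.c, so someone later syncing this vendored file could reinstate the old line and quietly lose the reproducible output. A one-line comment such as `// Always 0: miniz is built with MINIZ_NO_TIME, so resource timestamps are not recorded and the embedded bundle is byte-identical across builds.` would tie the two halves of the patch together. Any caller that uses `modifiedTime` for cache freshness or change detection will now see the epoch for every resource; worth confirming that nothing in CppMicroServices depends on it. GetStat begins outside the hunk.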
diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
index 6b0ebd7a..fa2aebca 100644
--- a/external/CppMicroServices/third_party/miniz.c
+++ b/external/CppMicroServices/third_party/miniz.c
@@ -170,7 +170,7 @@
 // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
 // get/set file times, and the C run-time funcs that get/set times won't be called.
 // The current downside is the times written to your archives will be from 1979.
-//#define MINIZ_NO_TIME
+#define MINIZ_NO_TIME

 // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
 //#define MINIZ_NO_ARCHIVE_APIS
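Review bot: Enabling `MINIZ_NO_TIME` by editing the vendored miniz.c puts a build-policy decision inside third-party source, where the next miniz refresh can silently revert it. Passing `-DMINIZ_NO_TIME` from the build that compiles miniz.c, or a small local header included ahead of it, keeps the vendored file pristine and the intent greppable in the build definition. If editing the file is the intended route, a comment next to the define — `// Enabled for reproducible builds: timestamps in the embedded resource bundle must not vary per build.` — would stop a future reader from restoring the upstream comment-out. The surrounding comment already notes that archives written this way carry a fixed 1979 timestamp, which is exactly the property a verifiable aesm_service binary needs.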
+9 −0
@@ -49,6 +49,15 @@ stdenv.mkDerivation rec {
    # and applies some patches to the in-repo git submodules. This patch removes
    # the parts that download things, since we can't do that inside the sandbox.
    ./disable-downloads.patch

    # This patch disable mtime in bundled zip file for reproducible builds.
    #
    # Context: The `aesm_service` binary depends on a vendored library called
    # `CppMicroServices`. At build time, this lib creates and then bundles
    # service resources into a zip file and then embeds this zip into the
    # binary. Without changes, the `aesm_service` will be different after every
    # build because the embedded zip file contents have different modified times.
    ./cppmicroservices-no-mtime.patch
  ];

  postPatch = ''
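Review bot: The new comment reads `# This patch disable mtime in bundled zip file for reproducible builds.` and should be `# This patch disables mtime in the bundled zip file for reproducible builds.`. It also never says that sgx-psw inherits this `patches` list and is presumably the derivation in which aesm_service is actually built, so the effect described here lands in a different package; a sentence such as `# Also applied to sgx-psw (it inherits patches), where aesm_service is built.` would point the reader to where the reproducibility fix matters. The patches list closes at `];` inside the hunk; the enclosing derivation starts outside it.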