EJBCA 8.2: apache ant build a different ejbca.ear with different hash everytime.

[sianzz]

Hi All,

This may have been answered already but i could not find it.

Recently when i tried to compile ejbca 8.2 using apache ant i notice that each time the built ejbca.ear file will have different hash (sha256). Previously older version like 7.x i did not encounter this (it will always give same hash). There are no changes to config files/codes whatsoever. Just the command
ant clean build
Is this build process the norm now for ejbca? (non deterministic when building ear file). If yes is there any alternative way to do version control? (besides going to GUI to check)

Thanks for anyone able to help. :)

E.T

[primetomas]

Java does not by defauut, or easily, product reproducible builds. There would be timestamps and such that differ and would result in a different hash. So it has never been intended to give the same hash. I tested with EJBCA 7.9.1 and it gives different hashes.

ant build
sha256sum dist/ejbca.ear
2cde05b3028cbcd482cec76809f21c55e76ef9aafd13eae2565c4f00e100388d dist/ejbca.ear

ant clean build
sha256sum dist/ejbca.ear
9a08e254b2f45db15a2b54bae7466dacf155bf262c88d1e38d86029efd0cd7ac dist/ejbca.ear

Cheers,
Tomas

[Realiserad]

@sianzz What are you trying to achieve? Reproducible builds would make it possible to prove that an EAR delivered to a customer was built from a specific commit, but it shouldn't matter for CE because there you build it yourself (unless you use the container).

[sianzz]

Thanks all who replied.

@Realiserad "Reproducible builds would make it possible to prove that an EAR delivered to a customer was built from a specific commit"

Yes you right. Hash is one of the ways you accountable to your customer that you have deployed the correct ejbca version (using hash as reference) to his environment. The credentials used for deployment may not have the login certs to access ejbca GUI too.

Is there any way i can compile Reproducible builds with the same hash (or any other method for verification) so that i can maintain some form of version control easily? I don't do development in my job so i just need to compile the source code with predefined config files and produce the same ear with same hash.

@primetomas I have to dig back but for previous versions of ejbca (6.x to early 7.x i think) I remember I do get back same ear file with same hash. I post here again if I can reproduce the results. no promise though.

[Realiserad]

If you want to verify that the EAR comes from a trusted source, I recommend you to look into signing the EAR file using jarsigner. It can also be used to verify the signature on the server where EJBCA is to be deployed.

[primetomas]

Creating reproducible builds with Java seems to be theoretically possible but a lot of work. Our SignServer team experimented with that some time ago (years) but abandoned it, it's also hard to maintain. There are many ways to find out the version of EJBCA that is running.

• build on one place and distribute ear files only, you will then know the hash and can find "unofficial" built versions
• look inside the ear in src/internal.properties, the git revision will be there even
• use one of the APIs that can be used to query version, SOAP API getVersion or REST API any status method