cmd/rofl/build: Improve reproducible builds with squashfs-tools

ptrus · ptrus · commit 3b8dcbabedcf · 2025-11-10T19:00:40.000+01:00
diff --git a/cmd/rofl/build/artifacts.go b/cmd/rofl/build/artifacts.go
@@ -23,6 +23,7 @@ import (
 	"github.com/oasisprotocol/oasis-core/go/common/crypto/hash"
 
 	"github.com/oasisprotocol/cli/build/env"
+	"github.com/oasisprotocol/cli/cmd/common"
 )
 
 const artifactCacheDir = "build_cache"
@@ -287,29 +288,143 @@ func ensureBinaryExists(buildEnv env.ExecEnv, name, pkg string) error {
 	return nil
 }
 
+// cleanEnvForReproducibility filters out locale and timestamp environment variables and sets
+// consistent values for reproducible builds.
+func cleanEnvForReproducibility() []string {
+	env := []string{}
+	for _, e := range os.Environ() {
+		if !strings.HasPrefix(e, "LC_") && !strings.HasPrefix(e, "LANG=") && !strings.HasPrefix(e, "TZ=") && !strings.HasPrefix(e, "SOURCE_DATE_EPOCH=") {
+			env = append(env, e)
+		}
+	}
+	return append(env, "LC_ALL=C", "TZ=UTC", "SOURCE_DATE_EPOCH=0")
+}
+
+// checkSquashfsVersion checks if the squashfs-tools version is 4.5.x and warns if not.
+func checkSquashfsVersion(buildEnv env.ExecEnv, sqfstarBin string) error {
+	versionCmd := exec.Command(sqfstarBin, "-version")
+	var versionOut strings.Builder
+	versionCmd.Stdout = &versionOut
+	versionCmd.Stderr = &versionOut
+	if err := buildEnv.WrapCommand(versionCmd); err != nil {
+		return err
+	}
+
+	// Ignore errors from running the version command, as some versions may not support -version flag.
+	_ = versionCmd.Run()
+
+	output := versionOut.String()
+	// Look for version pattern like "mksquashfs version 4.5" or "sqfstar version 4.5"
+	if strings.Contains(output, "version 4.5") {
+		return nil
+	}
+
+	// Version is not 4.5.x, show warning.
+	fmt.Println("WARNING: squashfs-tools version 4.5.x is the officially supported version.")
+	fmt.Println("         Builds with other versions might not be reproducible.")
+	fmt.Printf("         Detected version output: %s\n", strings.TrimSpace(output))
+
+	if !common.IsForce() {
+		return fmt.Errorf("unsupported squashfs-tools version (use --force to proceed anyway)")
+	}
+
+	fmt.Println("         Proceeding anyway due to --force flag.")
+	return nil
+}
+
 // createSquashFs creates a squashfs filesystem in the given file using directory dir to populate
 // it.
 //
 // Returns the size of the created filesystem image in bytes.
 func createSquashFs(buildEnv env.ExecEnv, fn, dir string) (int64, error) {
-	const mkSquashFsBin = "mksquashfs"
-	if err := ensureBinaryExists(buildEnv, mkSquashFsBin, "squashfs-tools"); err != nil {
+	const sqfstarBin = "sqfstar"
+	if err := ensureBinaryExists(buildEnv, sqfstarBin, "squashfs-tools"); err != nil {
+		return 0, err
+	}
+	if err := ensureBinaryExists(buildEnv, "fakeroot", "fakeroot"); err != nil {
 		return 0, err
 	}
 
-	// Execute mksquashfs.
+	// Check squashfs-tools version.
+	if err := checkSquashfsVersion(buildEnv, sqfstarBin); err != nil {
+		return 0, err
+	}
+
+	// Create reproducible tar archive.
+	tarPath := fn + ".tar"
+	fmt.Printf("Creating tar archive: %s\n", tarPath)
+	//nolint:gosec // tarPath is constructed internally, not from user input.
+	tarCmd := exec.Command(
+		"tar",
+		"--create",
+		"--file="+tarPath,
+		"--format=pax",
+		"--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime",
+		"--sort=name",
+		"--mtime=@0",
+		"--owner=0",
+		"--group=0",
+		"--numeric-owner",
+		"--mode=a-s",
+		".",
+	)
+	tarCmd.Dir = dir
+	tarCmd.Env = cleanEnvForReproducibility()
+
+	var tarOut strings.Builder
+	tarCmd.Stderr = &tarOut
+	tarCmd.Stdout = &tarOut
+	if err := buildEnv.WrapCommand(tarCmd); err != nil {
+		return 0, err
+	}
+	if err := tarCmd.Run(); err != nil {
+		return 0, fmt.Errorf("failed to create tar archive: %w\n%s", err, tarOut.String())
+	}
+
+	// Compute and print tar archive hash for verification.
+	tarFile, err := os.Open(tarPath)
+	if err != nil {
+		return 0, fmt.Errorf("failed to open tar archive for hashing: %w", err)
+	}
+	tarHasher := sha256.New()
+	if _, err := io.Copy(tarHasher, tarFile); err != nil {
+		tarFile.Close()
+		return 0, fmt.Errorf("failed to hash tar archive: %w", err)
+	}
+	tarFile.Close()
+	tarHash := hex.EncodeToString(tarHasher.Sum(nil))
+	fmt.Printf("TAR archive SHA256: %s\n", tarHash)
+
+	// Convert tar to squashfs using sqfstar under fakeroot.
 	cmd := exec.Command(
-		mkSquashFsBin,
-		dir,
+		"fakeroot",
+		"--",
+		sqfstarBin,
 		fn,
+		"--reproducible",
 		"-comp", "gzip",
+		"-b", "1M",
+		"-processors", "1",
 		"-noappend",
-		"-mkfs-time", "1234",
-		"-all-time", "1234",
-		"-root-time", "1234",
+		"-mkfs-time", "0",
+		"-all-time", "0",
+		"-nopad",
 		"-all-root",
-		"-reproducible",
+		"-force-uid", "0",
+		"-force-gid", "0",
 	)
+
+	cmd.Env = cleanEnvForReproducibility()
+
+	// Open tar file and pipe it to sqfstar's stdin.
+	tarFile, err = os.Open(tarPath)
+	if err != nil {
+		return 0, fmt.Errorf("failed to open tar archive: %w", err)
+	}
+	defer tarFile.Close()
+	defer os.Remove(tarPath)
+
+	cmd.Stdin = tarFile
 	var out strings.Builder
 	cmd.Stderr = &out
 	cmd.Stdout = &out
