cmd/rofl/build: Improve reproducible builds with squashfs-tools #643
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for oasisprotocol-cli canceled.
|
ptrus
force-pushed
the
ptrus/feature/reproducable-build
branch
from
40cec55 to
3b8dcba
Compare
abukosek
approved these changes
Nov 10, 2025
Contributor
abukosek
left a comment
abukosek
left a comment
There was a problem hiding this comment.
Looks good! :) I've given it a quick try on my macOS and Linux dev machines and it generates the exact same output.
Going via tar was also one of my considerations for fixing the UTF-8 normalization differences between Linux and macOS, it's good to see that this also fixes other problems.
ptrus
force-pushed
the
ptrus/feature/reproducable-build
branch
from
3b8dcba to
38b48ef
Compare
Member
Author
|
I have also made it reproducible across different squashfs tools versions (see updated description). |
ptrus
force-pushed
the
ptrus/feature/reproducable-build
branch
from
38b48ef to
28f66d9
Compare
ptrus
force-pushed
the
ptrus/feature/reproducable-build
branch
from
28f66d9 to
92b87b2
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #592
This change refactors the squashfs build to produce bit-for-bit identical outputs across multiple environments, but the resulting images differ from those built with previous versions. We should probably do a major bump of CLI to 0.17 once this is merged.
I have tested this change on:
In all cases, the resulting rofl app builds produced identical Enclave IDs.
I wasn't able to avoid
fakeroot: even with adding-all-root -force-uid 0, -force-gid 0tosqfstar.Also, I wasn't able to get it working without
tar -> sqfstar.I also added a warning to check for versionversion 4.5, because using4.7.4i get a different Enclave IDs.Edit:
4.5and4.7.4comes from, because based on the changelog, it's not apparent to me. Then we could achieve even greater reproducibility. Will try a bit, but don't want to spend too much time on this.4.6.xand4.7.xproduce identical images, while4.5.xproduces different. So the change is in4.6.I have confirmed the difference comes from the following bug fix in
4.6:Will try switching from
"--format=paxto"--format=gnuin the tar command.This fixed the issue 🎉 This is now also reproducable across
squashfs-tools >= 4.5