fix: update mtime for generated files after unpacking

weihanglo · weihanglo · commit 2f6852f3340c · 2025-11-12T22:07:53.000-05:00
This is the unpacking half of #16237 Updating mtime for all files might not be worthy as crate published after 1.54 should all have the deterministic mtime for non-generated files, except those did manual upload. This patch is aimed at fixing the "regression" of vendor direct extraction, rather than a complete fix of the non-deterministic mtime. Also there are workarounds, so the workflow is not completely blocked. Since Cargo had a couple CVEs around tar and unpack, I separate the mtime update logic from the main unpack logic, so that each function's intent is clearer. Hope it won't introduce new vulnerability
diff --git a/src/cargo/sources/registry/mod.rs b/src/cargo/sources/registry/mod.rs
@@ -635,6 +635,7 @@ impl<'gctx> RegistrySource<'gctx> {
         dst.create_dir()?;
 
         let bytes_written = unpack(self.gctx, tarball, unpack_dir, &|_| true)?;
+        update_mtime_for_generated_files(unpack_dir);
 
         // Now that we've finished unpacking, create and write to the lock file to indicate that
         // unpacking was successful.
@@ -679,6 +680,7 @@ impl<'gctx> RegistrySource<'gctx> {
         let tarball =
             File::open(path).with_context(|| format!("failed to open {}", path.display()))?;
         unpack(self.gctx, &tarball, &dst, include)?;
+        update_mtime_for_generated_files(&dst);
         Ok(dst)
     }
 
@@ -1104,3 +1106,25 @@ fn unpack(
 
     Ok(bytes_written)
 }
+
+/// Workaround for rust-lang/cargo#16237
+///
+/// Generated files should have the same deterministic mtime as other files.
+/// However, since we forgot to set mtime for those files when uploading, they
+/// always have older mtime (1973-11-29) that prevents zip from packing (requiring >1980)
+///
+/// This workaround updates mtime after we unpack the tarball at the destination.
+fn update_mtime_for_generated_files(pkg_root: &Path) {
+    const GENERATED_FILES: &[&str] = &["Cargo.lock", "Cargo.toml", ".cargo_vcs_info.json"];
+    // Hardcoded value be removed once alexcrichton/tar-rs#420 is merged and released.
+    // See also rust-lang/cargo#16237
+    const DETERMINISTIC_TIMESTAMP: i64 = 1153704088;
+
+    for file in GENERATED_FILES {
+        let path = pkg_root.join(file);
+        let mtime = filetime::FileTime::from_unix_time(DETERMINISTIC_TIMESTAMP, 0);
+        if let Err(e) = filetime::set_file_mtime(&path, mtime) {
+            tracing::trace!("failed to set deterministic mtime for {path:?}: {e}");
+        }
+    }
+}
diff --git a/tests/testsuite/registry.rs b/tests/testsuite/registry.rs
@@ -4656,7 +4656,6 @@ required by package `foo v0.0.1 ([ROOT]/foo)`
 }
 
 #[cargo_test]
-#[should_panic]
 fn deterministic_mtime() {
     let registry = registry::init();
     Package::new("foo", "0.1.0")
diff --git a/tests/testsuite/vendor.rs b/tests/testsuite/vendor.rs
@@ -2122,7 +2122,6 @@ fn vendor_rename_fallback() {
 }
 
 #[cargo_test]
-#[should_panic]
 fn deterministic_mtime() {
     Package::new("foo", "0.1.0")
         // content doesn't matter, we just want to check mtime

Original file line number	Diff line number	Diff line change
@@ -4656,7 +4656,6 @@ required by package `foo v0.0.1 ([ROOT]/foo)`
`4656`	`4656`	`}`
`4657`	`4657`
`4658`	`4658`	`#[cargo_test]`
`4659`		`-#[should_panic]`
`4660`	`4659`	`fn deterministic_mtime() {`
`4661`	`4660`	`let registry = registry::init();`
`4662`	`4661`	`Package::new("foo", "0.1.0")`
Original file line number	Diff line number	Diff line change
`@@ -2122,7 +2122,6 @@ fn vendor_rename_fallback() {`
`2122`	`2122`	`}`
`2123`	`2123`
`2124`	`2124`	`#[cargo_test]`
`2125`		`-#[should_panic]`
`2126`	`2125`	`fn deterministic_mtime() {`
`2127`	`2126`	`Package::new("foo", "0.1.0")`
`2128`	`2127`	`// content doesn't matter, we just want to check mtime`