Skip to content

build: improve build reproducibility#8549

Merged
jsha merged 3 commits intoletsencrypt:mainfrom
sheurich:reproducible-version
Feb 10, 2026
Merged

build: improve build reproducibility#8549
jsha merged 3 commits intoletsencrypt:mainfrom
sheurich:reproducible-version

Conversation

@sheurich
Copy link
Contributor

@sheurich sheurich commented Jan 8, 2026
edited
Loading

Remove sources of non-determinism in the build process.

Changes

  • Add -trimpath to Go builds (strips file paths from binaries)
  • Use commit timestamp for BuildTime ldflags instead of $(date -u)
  • Use commit timestamp for VERSION string instead of $(date +%s)
  • Set SOURCE_DATE_EPOCH environment variable
  • Normalize timestamps in .deb packages
  • Add reproducible tar options (--mtime, --owner, --group, --sort)

What this achieves

Builds on the same OS/toolchain now produce identical artifacts. Verified by running try-release twice on the same commit—both produced identical SHA256 checksums.

What this does NOT address

Full reproducibility across different build environments would additionally require:

  • Pinning OS versions (CGO library linkage varies by OS)
  • Potentially other factors

This PR addresses the low-hanging fruit; cross-environment reproducibility is out of scope.

Files Modified

File Change
Containerfile -trimpath, SOURCE_DATE_EPOCH, BuildTime
tools/container-build.sh Pass COMMIT_TIMESTAMP, tar options
tools/make-deb.sh Normalize timestamps
test/ct-test-srv/Dockerfile -trimpath

@sheurich sheurich requested a review from a team as a code owner January 8, 2026 17:00
@sheurich sheurich changed the title build: make builds fully reproducible build: improve build reproducibility Jan 8, 2026
@sheurich sheurich force-pushed the reproducible-version branch 5 times, most recently from 3c88210 to 36ce0a5 Compare January 8, 2026 17:51
@sheurich
build: reduce nondeterminism in container builds
dd51d5b 
- Add -trimpath to Go builds
- Use commit timestamp for BuildTime ldflags
- Set SOURCE_DATE_EPOCH for build tools
- Normalize timestamps in .deb packages
- Add reproducible tar options (--mtime, --owner, --group, --sort)
- Use commit timestamp for container image label
@sheurich sheurich force-pushed the reproducible-version branch from 36ce0a5 to dd51d5b Compare January 8, 2026 18:01
@beautifulentropy beautifulentropy requested review from a team and jsha and removed request for a team January 23, 2026 22:36
aarongable
aarongable approved these changes Feb 4, 2026
View reviewed changes
Copy link
Contributor

@aarongable aarongable left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but I'd love to have @jsha's eyes on this too.

@jsha jsha merged commit c470234 into letsencrypt:main Feb 10, 2026
51 of 53 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jsha jsha jsha approved these changes

@aarongable aarongable aarongable approved these changes

@beautifulentropy beautifulentropy beautifulentropy approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sheurich @jsha @aarongable @beautifulentropy