In the effort to achieve reproducible builds (https://reproducible-builds.org), would you amend your code that generates the PLGX file so that it is reproducible?
I noticed 2 differences when the input is the same:
- there is a timestamp at the beginning of the PLGX file. I could identify this by comparing the hexdump. If I run `keepass --plgx-create` twice with the same input, the output will differ because of that timestamp. By using `faketime {my_timestamp} keepass --plgx-create` to set the timestamp, that difference goes away.
- If I set the timestamp (e.g. with faketime), I still have a difference in the bytes before the timestamp (starting from byte 19).
Concerning the timestamp, if you still want to keep it, maybe you could consider reading the SOURCE_DATE_EPOCH environment variable. More information on that environment variable here: https://reproducible-builds.org/docs/source-date-epoch/
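As an added illustration (not code from the original post or from KeePass), a small Python helper covering the two points above: taking the embedded timestamp from SOURCE_DATE_EPOCH when it is set, and reporting which byte ranges differ between two builds of the same input, the same information one reads off by comparing two hexdumps. The sample bytes and the timestamp field at offset 19 are constructed for the demo and do not reflect the real PLGX layout.

```python
"""Reproducibility helpers: honour SOURCE_DATE_EPOCH and locate the bytes
that differ between two builds of the same input (e.g. two PLGX files)."""
import os
import time


def build_timestamp(env=None):
    """Return the POSIX timestamp to embed in a build artifact.
    Uses SOURCE_DATE_EPOCH when set (reproducible-builds.org convention:
    integer seconds since the Unix epoch, UTC); otherwise the current time."""
    env = os.environ if env is None else env
    raw = env.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return int(time.time())
    value = int(raw)  # a malformed value should fail loudly, not be ignored
    if value < 0:
        raise ValueError("SOURCE_DATE_EPOCH must be non-negative")
    return value


def diff_ranges(a, b):
    """Return half-open byte ranges [(start, end), ...] where a and b differ.
    A length mismatch is reported as a trailing range."""
    ranges = []
    start = None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        end = max(len(a), len(b))
        if ranges and ranges[-1][1] == n:  # merge with a run that reaches n
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((n, end))
    return ranges


# Constructed sample: two "builds" sharing a 19-byte header and payload,
# differing only in an 8-byte little-endian timestamp at offset 19.
HEADER = b"\x01" * 19
BUILD_A = HEADER + (1700000000).to_bytes(8, "little") + b"payload"
BUILD_B = HEADER + (1700000001).to_bytes(8, "little") + b"payload"

if __name__ == "__main__":
    print(diff_ranges(BUILD_A, BUILD_B))  # [(19, 20)]
```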
If your concern is to check whether the distributed plgx file wasn't altered in any way (maliciously) then you can try the "other" method (unpack the plgx file and compare the files against the source code repository).
See this tool I've made.
https://github.com/cristianst85/PlgxUnpacker.NET
https://sourceforge.net/p/keepass/discussion/329220/thread/0b62a014ff/#7824
Last edit: Cristian S. 2024-07-06