#2872 Produce reproducible pglx

Cristian S. — Sat, 06 Jul 2024 09:28:33 -0000

If your concern is to check whether the distributed plgx file wasn't altered in any way (maliciously) then you can try the "other" method (unpack the plgx file and compare the files against the source code repository).

See this tool I've made.
https://github.com/cristianst85/PlgxUnpacker.NET

https://sourceforge.net/p/keepass/discussion/329220/thread/0b62a014ff/

Produce reproducible pglx

Fab Stz — Wed, 20 Mar 2024 18:24:40 -0000

In the effort to achieve reproducible builds https://reproducible-builds.org, would you amend your code that generates the PGLX file so that it is repreoducible?

I noticed 2 differences when the input is the same:

there is a timestamp at the the beginning of the PGLX file. I could identify this by comparing the hexdump. If I run twice keepass --plgx-create with the same input it will differ because of that timestamp. By using "faketime {my_timestamp} keepass --plgx-create " to set the timestamp that difference will get away.
If I set the timestamp (eg with faketime), I still have a difference on the bytes before the timestamp (starting from byte 19)

Concerning the timestamp, if you still want to keep it, maybe could you consider reading the SOURCE_DATE_EPOCH environment variable. More information on that env. var here: https://reproducible-builds.org/docs/source-date-epoch/

Recent changes to 2872: Produce reproducible pglx

#2872 Produce reproducible pglx

Produce reproducible pglx