Enable Maven reproducible builds
- configure Maven to run build reproducibly [1]
- use UTC timestamp of checked out commit as build timestamp
- add git-describe, git-commit-id, git-commit-id, git-tags,
git-remote-origin-url to MANIFEST.MF files
- configure cyclonedx-maven-plugin to also use UTC timestamp of
checked out commit
- for packaging build use tycho-buildtimestamp-jgit [2] to ensure
version uses the timestamp of the last commit
- SBOMs are not reproducible by design [3] they should have a build
timestamp matching the time when the build was executed and a serial
number which is a unique UUID per build run. Hence exclude them from
comparison [4].
- Use gmavenplus-plugin to format build timestamps. Maven expects
build timestamp in ISO-8601 format, to replace the qualifier in
versions the timestamp format must be compatible with rules for OSGi
version numbers. Didn't find a way to read the properties set by the
git-commit-id-maven-plugin from another plugin. Hence use JGit in a
groovy script to get the commit time of the current HEAD and provide
it in these two formats.
TODO: packaging build (features and p2 repository) is not yet binary
reproducible since that's not yet supported by Tycho [5], artefacts have
reproducible version numbers but file lastModified timestamps are not
yet reproducible.
Test plan for Maven build:
- build using
mvn clean install"
- verify second build is reproducible:
mvn -T1 clean verify artifact:compare
verification seems not to be thread-safe, hence run it with a single
thread using option -T1
For packaging build (still fails due to non-reproducible file
timestamps):
- build using
mvn -f org.eclipse.jgit.packaging/pom.xml clean install
- verify second build is reproducible:
mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare
[1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers
[3] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/84
[4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
[5] https://github.com/eclipse-tycho/tycho/issues/233
Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417
diff --git a/org.eclipse.jgit.packaging/pom.xml b/org.eclipse.jgit.packaging/pom.xml
index ba73e92..715491d 100644
--- a/org.eclipse.jgit.packaging/pom.xml
+++ b/org.eclipse.jgit.packaging/pom.xml
@@ -32,6 +32,7 @@
<java.version>11</java.version>
<tycho-version>4.0.2</tycho-version>
<target-platform>jgit-4.17</target-platform>
+ <project.build.outputTimestamp>${git.commit.time}</project.build.outputTimestamp>
</properties>
<pluginRepositories>
@@ -223,7 +224,6 @@
<outputFormat>json</outputFormat>
<outputName>cyclonedx</outputName>
<outputDirectory>${project.build.directory}</outputDirectory>
- <outputTimestamp>${project.build.outputTimestamp}</outputTimestamp>
<verbose>false</verbose>
</configuration>
<executions>
@@ -235,6 +235,26 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>io.github.git-commit-id</groupId>
+ <artifactId>git-commit-id-maven-plugin</artifactId>
+ <version>6.0.0</version>
+ <executions>
+ <execution>
+ <id>get-the-git-infos</id>
+ <goals>
+ <goal>revision</goal>
+ </goals>
+ <phase>initialize</phase>
+ </execution>
+ </executions>
+ <configuration>
+ <generateGitPropertiesFile>false</generateGitPropertiesFile>
+ <injectAllReactorProjects>true</injectAllReactorProjects>
+ <dateFormat>yyyy-MM-dd'T'HH:mm:ss'Z'</dateFormat>
+ <dateFormatTimeZone>UTC</dateFormatTimeZone>
+ </configuration>
+ </plugin>
</plugins>
<pluginManagement>
<plugins>
@@ -256,6 +276,30 @@
</configuration>
</plugin>
<plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <version>3.3.0</version>
+ <configuration>
+ <archive>
+ <manifestEntries>
+ <Implementation-Title>JGit ${project.artifactId}</Implementation-Title>
+ <Implementation-Version>${project.version}</Implementation-Version>
+ <Implementation-Vendor>Eclipse.org - JGit</Implementation-Vendor>
+ <Implementation-Vendor-Id>org.eclipse.jgit</Implementation-Vendor-Id>
+ <Implementation-Vendor-URL>${jgit-url}</Implementation-Vendor-URL>
+ <git-describe>${git.commit.id.describe}</git-describe>
+ <git-commit-id>${git.commit.id}</git-commit-id>
+ <git-commit-time>${git.commit.time}</git-commit-time>
+ <git-tags>${git.tags}</git-tags>
+ <git-remote-origin-url>${git.remote.origin.url}</git-remote-origin-url>
+ </manifestEntries>
+ </archive>
+ <!-- TODO: uncomment this in order to skip empty artifact of test modules as soon as bug 416299 is fixed
+ <skipIfEmpty>true</skipIfEmpty>
+ -->
+ </configuration>
+ </plugin>
+ <plugin>
<groupId>org.eclipse.tycho</groupId>
<artifactId>target-platform-configuration</artifactId>
<version>${tycho-version}</version>
@@ -318,6 +362,22 @@
<groupId>org.eclipse.tycho</groupId>
<artifactId>tycho-packaging-plugin</artifactId>
<version>${tycho-version}</version>
+ <dependencies>
+ <dependency>
+ <groupId>org.eclipse.tycho</groupId>
+ <artifactId>tycho-buildtimestamp-jgit</artifactId>
+ <version>${tycho-version}</version>
+ </dependency>
+ </dependencies>
+ <configuration>
+ <timestampProvider>jgit</timestampProvider>
+ <jgit.ignore>
+ pom.xml
+ .polyglot.build.properties
+ target/
+ </jgit.ignore>
+ <format>yyyyMMddHHmm</format>
+ </configuration>
</plugin>
<plugin>
<groupId>org.eclipse.tycho</groupId>
@@ -353,6 +413,15 @@
<artifactId>maven-site-plugin</artifactId>
<version>3.12.1</version>
</plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-artifact-plugin</artifactId>
+ <version>3.5.0</version>
+ <configuration>
+ <ignore>**/*cyclonedx.json</ignore>
+ <reproducible>true</reproducible>
+ </configuration>
+ </plugin>
</plugins>
</pluginManagement>
</build>
