Add SOURCE_DATE_EPOCH support for reproducible builds

Implement support for the SOURCE_DATE_EPOCH environment variable as specified by reproducible-builds.org. When set, this variable overrides the current timestamp in the Release file's Date and Valid-Until fields, enabling reproducible filesystem publishes. - Read SOURCE_DATE_EPOCH environment variable in Publish() - Use the epoch timestamp for both Date and Valid-Until fields - Gracefully fallback to current time if unset or invalid - Add comprehensive tests for valid and invalid SOURCE_DATE_EPOCH values
2026-05-06 22:18:28 +00:00 · 2026-02-20 06:01:53 +00:00
parent a65f79eb79
commit 49f342878a
8 changed files with 119 additions and 3 deletions
@@ -9,6 +9,10 @@ def strip_processor(output):
    return "\n".join([l for l in output.split("\n") if not l.startswith(' ') and not l.startswith('Date:') and not l.startswith('Valid-Until:')])


+def strip_processor_keep_date(output):
+    return "\n".join([l for l in output.split("\n") if not l.startswith(' ')])
+
+
 class PublishRepo1Test(BaseTest):
    """
    publish repo: default
@@ -970,3 +974,34 @@ class PublishRepo35Test(BaseTest):
        # verify contents except of sums
        self.check_file_contents(
            'public/dists/maverick/Release', 'release', match_prepare=strip_processor)
+
+
+class PublishRepo36Test(BaseTest):
+    """
+    publish repo: SOURCE_DATE_EPOCH produces byte-identical output
+    """
+    fixtureCmds = [
+        "aptly repo create local-repo",
+        "aptly repo add local-repo ${files}",
+    ]
+    runCmd = "aptly publish repo -skip-signing -distribution=maverick local-repo"
+    gold_processor = BaseTest.expand_environ
+    environmentOverride = {"SOURCE_DATE_EPOCH": "1234567890"}
+
+    def check(self):
+        super(PublishRepo36Test, self).check()
+
+        # verify Release file includes the expected date from SOURCE_DATE_EPOCH
+        self.check_file_contents(
+            'public/dists/maverick/Release', 'release', match_prepare=strip_processor_keep_date)
+
+        # save Release file from first publish
+        first_release = self.read_file('public/dists/maverick/Release')
+
+        # drop and republish with same SOURCE_DATE_EPOCH
+        self.run_cmd("aptly publish drop maverick")
+        self.run_cmd("aptly publish repo -skip-signing -distribution=maverick local-repo")
+
+        # verify byte-identical output
+        second_release = self.read_file('public/dists/maverick/Release')
+        self.check_equal(first_release, second_release)