Make archive metadata deterministic (#151)

crypto-bug-hunters · Sep 9, 2024 · 24b5048 · 24b5048
1 parent 314ee3a
commit 24b5048
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/tests/bounties/busybox-bounty/Makefile b/tests/bounties/busybox-bounty/Makefile
@@ -8,6 +8,8 @@ BOUNTY_RISCV64_TAR=busybox-$(VERSION)-bounty_riscv64.tar.xz
 HARDEN_CFLAGS=-O1 -ftrivial-auto-var-init=pattern -D_FORTIFY_SOURCE=2 -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections -Wno-unused-result
 HARDEN_LDFLAGS=-pie -Wl,-z,now,-z,relro,--gc-sections -s
 
+TAR_FLAGS=--sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime
+
 # Use GitHub Actions cache when available
 ifdef ACTIONS_RUNTIME_TOKEN
 ifdef ACTIONS_RUNTIME_URL
@@ -25,7 +27,7 @@ riscv64: $(BOUNTY_RISCV64_TAR)
 download: | $(SOURCE_DIR)
 
 $(BOUNTY_TAR): busybox start.sh
-	tar cfJ $@ $^
+	tar $(TAR_FLAGS) -cJf $@ $^
 
 busybox: $(SOURCE_DIR)/busybox
 	cp $< $@

diff --git a/tests/bounties/lua-bounty/Makefile b/tests/bounties/lua-bounty/Makefile
@@ -8,6 +8,8 @@ BOUNTY_RISCV64_TAR=lua-$(VERSION)-bounty_riscv64.tar.xz
 HARDEN_CFLAGS=-O1 -ftrivial-auto-var-init=pattern -D_FORTIFY_SOURCE=2 -fexceptions -fPIE -fstack-clash-protection -fstack-protector-strong -ffunction-sections -fdata-sections
 HARDEN_LDFLAGS=-pie -Wl,-z,now,-z,relro,--gc-sections -s
 
+TAR_FLAGS=--sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime
+
 # Use GitHub Actions cache when available
 ifdef ACTIONS_RUNTIME_TOKEN
 ifdef ACTIONS_RUNTIME_URL
@@ -25,7 +27,7 @@ riscv64: $(BOUNTY_RISCV64_TAR)
 download: | $(SOURCE_DIR)
 
 $(BOUNTY_TAR): lua start.sh bounty.lua
-	tar cfJ $@ $^
+	tar $(TAR_FLAGS) -cJf $@ $^
 
 $(SOURCE_DIR)/src/lua: | $(SOURCE_DIR)
 	$(MAKE) -C $(SOURCE_DIR)/src MYCFLAGS="$(HARDEN_CFLAGS)" MYLDFLAGS="$(HARDEN_LDFLAGS)" linux

diff --git a/tests/bounties/solidity-bounty/Dockerfile b/tests/bounties/solidity-bounty/Dockerfile
@@ -59,4 +59,11 @@ RUN make -C solidity_${VERSION}/build solc
 
 RUN mv solidity_${VERSION}/build/solc/solc .
 COPY --chmod=755 start.sh .
-RUN tar cfJ /root/solidity-${VERSION}-bounty_riscv64.tar.xz solc start.sh
+RUN tar \
+    --sort=name \
+    --mtime=@0 \
+    --owner=0 \
+    --group=0 \
+    --numeric-owner \
+    --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+    -cJf /root/solidity-${VERSION}-bounty_riscv64.tar.xz solc start.sh
diff --git a/tests/bounties/sqlite-bounty/Makefile b/tests/bounties/sqlite-bounty/Makefile
@@ -11,6 +11,8 @@ HARDEN_LDFLAGS=-pie -Wl,-z,now,-z,relro,--gc-sections
 SQLITE_CFLAGS=-DSQLITE_THREADSAFE=0 -DSQLITE_OMIT_LOAD_EXTENSION
 SQLITE_LDFLAGS=-lm -s
 
+TAR_FLAGS=--sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime
+
 # Use GitHub Actions cache when available
 ifdef ACTIONS_RUNTIME_TOKEN
 ifdef ACTIONS_RUNTIME_URL
@@ -28,7 +30,7 @@ riscv64: $(BOUNTY_RISCV64_TAR)
 download: | $(SOURCE_DIR)
 
 $(BOUNTY_TAR): sqlite3 start.sh
-	tar cfJ $@ $^
+	tar $(TAR_FLAGS) -cJf $@ $^
 
 sqlite3: $(SOURCE_DIR)/sqlite3.c
 	$(CC) -o sqlite3 $(HARDEN_CFLAGS) $(SQLITE_CFLAGS) $(SOURCE_DIR)/shell.c $(SOURCE_DIR)/sqlite3.c $(HARDEN_LDFLAGS) $(SQLITE_LDFLAGS)