Bug#787795: grub2: please build rescue ISO and floppy reproducibly

Vagrant Cascadian vagrant at reproducible-builds.org
Mon Jun 1 21:34:04 BST 2026 

On 2024-10-02, James Addison wrote:
> On Fri, 05 Jun 2015 02:37:38 -0400, Daniel wrote:
>> > However, it won't be completely reproducible until we get a newer
>> > version of xorriso in debian so that we can "-alter_date_r c" (see
>> > #787793, which blocks this bug).
>
> On Sun, 25 Jul 2021 16:19:46 -0700, Vagrant wrote:
>> Since newer versions of xorriso are now in Debian, I tried adding
>> "-alter_date_r c" to xorriso calls, but it would seem xorriso doesn't
>> support "-alter_date_r c" when used with "-as mkisofs". I'm not sure how
>> difficult it would be to convert away from using "-as mkisofs" so that
>> "-alter_date_r c" would be supportable...
>
> From inspecting the grub codebase and the commandline options to both xorriso
> and xorrisofs (aka "xorriso -as mkisofs").. although it may in theory be
> possible to convert to 'native' xorriso by migrating a lot of the command-line
> construction, I think that it might be fragile and unnecessary work, because:
>
> ...there is a '--set_all_file_dates' command-line option[1] in xorrisofs that
> seems to do what we want here.
>
> There's one other change required in grub-mkrescue alongside this in order to
> achieve reproducible builds: we need it to read from the SOURCE_DATE_EPOCH env
> var when set (currently grub-mkrescue always uses system clock time).
>
> Please find attached a patch that allows me to rebuild grub-rescue-cdrom.iso
> deterministically on my local machine when SOURCE_DATE_EPOCH is set.  I'll also
> offer this as a merge request on the Salsa repository[2].

I can confirm that this still applies for grub2 2.14-2, still is needed,
and fixes the issue. Thanks!

So that is one more known fix for grub2 reproducibility...

live well,
  vagrant

> From: James Addison <jay at jp-hosting.net>
> Date: Tue, 01 Oct 2024 22:36:39 +0100
> Subject: grub2: build rescue ISO reproducibly
>
> Extend the xorriso command-line invocation to configure a specific
> timestamp for all files during creation of Grub rescue ISO images.
>
> The timestamp to use is read from the SOURCE_DATE_EPOCH environment
> variable when it is set.
>
> Bug-Debian: https://bugs.debian.org/787795
> ---
> --- a/util/grub-mkrescue.c
> +++ b/util/grub-mkrescue.c
> @@ -576,7 +576,13 @@
>    {
>      time_t tim;
>      struct tm *tmm;
> -    tim = time (NULL);
> +    /* https://reproducible-builds.org/docs/source-date-epoch/ */
> +    char *source_date_epoch;
> +    /* This assumes that the SOURCE_DATE_EPOCH environment variable will contain
> +       a correct, positive integer in the time_t range */
> +    if ((source_date_epoch = getenv("SOURCE_DATE_EPOCH")) == NULL ||
> +        (tim = (time_t)strtoll(source_date_epoch, NULL, 10)) <= 0)
> +            time(&tim);
>      tmm = gmtime (&tim);
>      iso_uuid = xmalloc (55);
>      grub_snprintf (iso_uuid, 50,
> @@ -600,6 +606,19 @@
>      xorriso_push (uuid_out);
>      free (uuid_out);
>    }
> +  {
> +    char *uuid_out = xmalloc (strlen (iso_uuid) + 1);
> +    char *optr;
> +    const char *iptr;
> +    optr = grub_stpcpy (uuid_out, "");
> +    for (iptr = iso_uuid; *iptr; iptr++)
> +      if (*iptr != '-')
> +	*optr++ = *iptr;
> +    *optr = '\0';
> +    xorriso_push ("--set_all_file_dates");
> +    xorriso_push (uuid_out);
> +    free (uuid_out);
> +  }
>  
>    /* build BIOS core.img.  */
>    if (source_dirs[GRUB_INSTALL_PLATFORM_I386_PC])
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20260601/21c8fe1c/attachment.sig>

More information about the Pkg-grub-devel mailing list