sgx-sdk: disable mtime in bundled zip file for reproducible builds

Context: The `aesm_service` binary depends on a vendored library called `CppMicroServices`. At build time, this lib creates and then bundles service resources into a zip file and then embeds this zip into the binary. Without changes, the `aesm_service` will be different after every build because the embedded zip file contents have different modified times. All credits to @haraldh for this patch <3
2024-11-25 16:33:15 +00:00 · 2024-02-01 11:44:36 +08:00 · 2024-02-01 11:44:36 +08:00 · 9dd20575b3
commit 9dd20575b3
parent fd3978c164
3 changed files with 36 additions and 1 deletions
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@ -14,7 +14,7 @@
 , debug ? false
 }:
 stdenv.mkDerivation rec {
-  inherit (sgx-sdk) version versionTag src;
+  inherit (sgx-sdk) patches src version versionTag;
  pname = "sgx-psw";

  postUnpack =
--- a/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
+++ b/pkgs/os-specific/linux/sgx/sdk/cppmicroservices-no-mtime.patch
@ -0,0 +1,26 @@
+diff --git a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+index aee499e9..13fa89d4 100644
+--- a/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+++ b/external/CppMicroServices/framework/src/bundle/BundleResourceContainer.cpp
+@@ -105,7 +105,7 @@ bool BundleResourceContainer::GetStat(int index,
+                    const_cast<mz_zip_archive*>(&m_ZipArchive), index)
+                    ? true
+                    : false;
+-    stat.modifiedTime = zipStat.m_time;
+    stat.modifiedTime = 0;
+     stat.crc32 = zipStat.m_crc32;
+     // This will limit the size info from uint64 to uint32 on 32-bit
+     // architectures. We don't care because we assume resources > 2GB
+diff --git a/external/CppMicroServices/third_party/miniz.c b/external/CppMicroServices/third_party/miniz.c
+index 6b0ebd7a..fa2aebca 100644
+--- a/external/CppMicroServices/third_party/miniz.c
+++ b/external/CppMicroServices/third_party/miniz.c
+@@ -170,7 +170,7 @@
+ // If MINIZ_NO_TIME is specified then the ZIP archive functions will not be able to get the current time, or
+ // get/set file times, and the C run-time funcs that get/set times won't be called.
+ // The current downside is the times written to your archives will be from 1979.
+-//#define MINIZ_NO_TIME
+#define MINIZ_NO_TIME
+
+ // Define MINIZ_NO_ARCHIVE_APIS to disable all ZIP archive API's.
+ //#define MINIZ_NO_ARCHIVE_APIS
--- a/pkgs/os-specific/linux/sgx/sdk/default.nix
+++ b/pkgs/os-specific/linux/sgx/sdk/default.nix
@ -49,6 +49,15 @@ stdenv.mkDerivation rec {
    # and applies some patches to the in-repo git submodules. This patch removes
    # the parts that download things, since we can't do that inside the sandbox.
    ./disable-downloads.patch
+
+    # This patch disable mtime in bundled zip file for reproducible builds.
+    #
+    # Context: The `aesm_service` binary depends on a vendored library called
+    # `CppMicroServices`. At build time, this lib creates and then bundles
+    # service resources into a zip file and then embeds this zip into the
+    # binary. Without changes, the `aesm_service` will be different after every
+    # build because the embedded zip file contents have different modified times.
+    ./cppmicroservices-no-mtime.patch
  ];

  postPatch = ''