Use strip-nondeterminism to make tarballs reproducible

GarboMuffin · GarboMuffin · commit be0112abd646 · 2025-07-26T17:35:40.000-05:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -12,6 +12,8 @@ jobs:
       with:
         submodules: recursive
         persist-credentials: false
+    - name: Install strip-nondeterminism
+      run: sudo apt-get install strip-nondeterminism
     - name: Install Node.js
       uses: actions/setup-node@v4
       with:
diff --git a/release-automation/README.md b/release-automation/README.md
@@ -6,6 +6,11 @@ These are the bespoke scripts that we use to automate various aspects of releasi
 
 This is what creates most of the downloads that are up on our website and on GitHub.
 
+Optional dependencies:
+
+ * [Git](https://git-scm.com/) (used to get the time of the most recent commit)
+ * [strip-nondeterminism](https://salsa.debian.org/reproducible-builds/strip-nondeterminism) (Linux only, used for tarballs)
+
 You must specify which platform to build for:
 
 ```
@@ -44,6 +49,7 @@ You must specify which platform to build for:
 
 --tarball
     Create tar.gz files for Linux.
+    If strip-nondeterminism is installed, tarballs will be reproducible.
 
 --appimage
     Create AppImage executables for Linux.
diff --git a/release-automation/build.js b/release-automation/build.js
@@ -303,7 +303,30 @@ const buildDebian = () => build({
 const buildTarball = () => build({
   platformName: 'LINUX',
   platformType: 'tar.gz',
-  manageUpdates: true
+  manageUpdates: true,
+  extraConfig: {
+    // gzip header contains various non-deterministic fields that we would like to remove.
+    // TODO: would be nice to reimplement this small part of strip-nondeterminism in JS to remove dependency.
+    artifactBuildCompleted: async (artifact) => new Promise((resolve, reject) => {
+      console.log(`Running strip-nondeterminism on ${artifact.file}`)
+      const stripNondeterminism = childProcess.spawn('strip-nondeterminism', [artifact.file]);
+      stripNondeterminism.on('error', (e) => {
+        if (e.code === 'ENOENT') {
+          console.error('strip-nondeterminism is not installed; tarball may not be reproducible.')
+          resolve();
+        } else {
+          reject(e);
+        }
+      });
+      stripNondeterminism.on('close', (code) => {
+        if (code === 0) {
+          resolve();
+        } else {
+          reject(new Error(`strip-nondeterminism exited with status code ${code}`));
+        }
+      });
+    })
+  }
 });
 
 const buildAppImage = () => build({
