4

In company where I work there is complicated industrial ARM arch router project, consisting primarily of many C and C++ apps with Linux kernel. Currently we are preparing to certification and certification organization wants us to send them all sources and binary checksum of resulting root filesystem image. Of course checksum we send them and checksum of image that they will get after build should be same.

I tried to sequentially build same app (I choosed busybox) on same host twice and got two different checksums. I've tried to solve it using answer https://superuser.com/a/1092566/851200 (pass -frandom-seed=123 as compile flag) - haven't helped.

If I could build same app with same checksum twice on same host - I think the problem will be practically solved cause we could say to certification organization "Build soft on Ubuntu 18.04.3 with GCC 7.5.0-3ubuntu1~18.04 with ARM GNUEABI GCC 4.8.5 built from sources that we gave you etc" and base soft will be same and it will be identical to build on same system case. But maybe I miss something.

Could anybody help me?

UPDATE:

I tried to see what exactly differs in resulting binary files using arm-linux-gnueabi-readelf -a and got following diff for two sequential builds on same machine for busybox:

--- a   2020-03-24 16:17:51.901192012 +0500
+++ b   2020-03-24 16:18:47.152671408 +0500
@@ -1404,7 +1404,7 @@
 Displaying notes found at file offset 0x00000168 with length 0x00000020:
   Owner                 Data size      Description
   GNU                  0x00000010      NT_GNU_BUILD_ID (unique build ID bitstring)
-    Build ID: ecc0ddee1a1f50c9b4ac98477be7ba55
+    Build ID: edab8a4ee42f8fd0e4ee7e931639f226
 Attribute Section: aeabi
 File Attributes
   Tag_CPU_name: "5TE"

Then I checked GCC man page and see If style is omitted, "sha1" is used ... The "md5" and "sha1" styles produces an identifier that is always the same in an identical output file. So defaults should be OK and produce same Build ID, but it is not.

Dmitriy Vinokurov
  • 365
  • 1
  • 6
  • 28
  • How about checking all your dependent library versions matches the library versions of the client only then proceed to build. Or you can for the checksum of the dependent libraries matches with the checksum of libraries present in your machine. You can also checksum of your source code in client machine before building – dheeraj Vadlani Mar 20 '20 at 11:40
  • @dheerajVadlani, as I've said I tried to make 2 builds sequentially on same one machine - and checksums are different. For the first I want to gain same checksums on same machine. – Dmitriy Vinokurov Mar 20 '20 at 11:42
  • 2
    I don't think that you can get the same checksum easily. IIRC the executables include a timestamp of the build. – the busybee Mar 20 '20 at 11:55
  • I've seen similar issues in the past. The problem was that the compiler was including various strings such as the 'time of compilation' in the output. The solution was to identify the sections (ELF file format) of importance and make sure *they* were identical across builds. – G.M. Mar 20 '20 at 11:57
  • 2
    I assume you have read https://reproducible-builds.org/ through and through and have a mechanism for finding out where your binaries differ? If so, can you narrow your question to non-standard stuff that differs between builds? – Botje Mar 20 '20 at 13:44
  • @Botje, I haven't known about term "reproducible build" before, my bad. I'll look on link you posted, thank you! – Dmitriy Vinokurov Mar 20 '20 at 18:09
  • No need to apologize, it's a niche subject. Happy to help! – Botje Mar 20 '20 at 20:33
  • Updated question with new info. Looks like I only need to make GCC set same `Build ID` (at least for busybox) but I could not find how to do it. – Dmitriy Vinokurov Mar 24 '20 at 11:35
  • Hm, `Build ID` contains checksum, so it is not so easy to make it same. – Dmitriy Vinokurov Mar 25 '20 at 03:59

0 Answers0