Reproducible build - how is the tar.gz file produced?

A follow-up to my other question about reproducible builds.

The build depends on the source code download, whose latest version is https://github.com/restic/restic/releases/download/v0.8.3/restic-0.8.3.tar.gz

Is there an easy way to reproduce that source archive from the main restic repo? Something with git-archive, perhaps? Or is it somehow auto-generated by GitHub?

GitHub generates that download automatically when you push a tag. I believe it’s the same as what you would get with git-archive.

git archive -o src.tar.gz 272ccec7
sha256sum src.tar.gz
Output:
0fc0288064d1503a71570f1c22ec2ed8570d31eda538078a62f4ac0daf436638 src.tar.gz

However, the sha256sum of the latest release is different:
0cf697c88404b180d6d6ff2e7d2c27b2fcb9536da6dbdf15ad4d320af7e8f17c restic-0.8.3.tar.gz

git-archive has a bunch of flags that might affect the output file, so we might need to know what flags GitHub uses to generate the archive. Unfortunately, I couldn’t figure that out after a bit of searching.

It turns out the answer was already available in the documentation.

By analogy:

git archive --format=tar --prefix=restic-0.8.3/ v0.8.3 | gzip -n > restic-0.8.3.tar.gz

And indeed the sha256sum checks out:
sha256sum restic-0.8.3.tar.gz
Output:
0cf697c88404b180d6d6ff2e7d2c27b2fcb9536da6dbdf15ad4d320af7e8f17c restic-0.8.3.tar.gz

So that completely answers this question.

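The recipe from the last post, wrapped as a reusable check (added example, not code from the restic project or this thread): it rebuilds the archive from a tag with the same `git archive ... | gzip -n` pipeline, compares the result with a published SHA-256, and inspects the gzip header field that `-n` zeroes, since a non-zero mtime there is the usual reason two otherwise identical archives hash differently. It assumes git, gzip, od and coreutils `sha256sum` on PATH.

```shell
#!/bin/sh
# Added example (not restic project code): rebuild a GitHub-style release
# tarball from a tag the way the thread describes and check it against a
# published SHA-256. Assumes git, gzip, sha256sum (coreutils) and od on PATH.
set -eu

# make_release_tarball <repo-dir> <name> <version> <out-file>
# Same recipe as the thread: plain tar, "<name>-<version>/" prefix, and
# gzip -n so neither a file name nor an mtime lands in the gzip header.
make_release_tarball() {
    repo=$1; name=$2; version=$3; out=$4
    # Check the tag first: without pipefail a missing tag would otherwise
    # produce an empty but "successful" archive.
    git -C "$repo" rev-parse -q --verify "v$version^{commit}" >/dev/null \
        || { echo "no tag v$version in $repo" >&2; return 1; }
    git -C "$repo" archive --format=tar --prefix="$name-$version/" "v$version" \
        | gzip -n > "$out"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_release_tarball <repo-dir> <name> <version> <expected-sha256>
# Returns 0 only if the rebuilt archive hashes to the expected value.
verify_release_tarball() {
    repo=$1; name=$2; version=$3; expected=$4
    tmp=$(mktemp)
    make_release_tarball "$repo" "$name" "$version" "$tmp" || { rm -f "$tmp"; return 1; }
    actual=$(sha256_of "$tmp")
    rm -f "$tmp"
    if [ "$actual" = "$expected" ]; then
        echo "match: $actual"
    else
        echo "MISMATCH: expected $expected, rebuilt $actual" >&2
        return 1
    fi
}

# The gzip header keeps the mtime in bytes 4-7 (little endian). gzip -n
# writes zeros there; without -n, gzip reading from a pipe stores the
# current time, so every run would hash differently.
gzip_header_mtime_is_zero() {
    [ "$(od -An -tx1 -j4 -N4 "$1" | tr -d ' \n')" = "00000000" ]
}
```

Against a clone of the restic repo, `verify_release_tarball ./restic restic 0.8.3 <published sha256>` performs the comparison the thread did by hand.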