From 25fe914b6a014976d3280a47513549adc3ff0ca4 Mon Sep 17 00:00:00 2001
From: Steve Lawrence
Date: Mon, 15 Apr 2024 14:43:08 -0400
Subject: [PATCH] Improve zip file reproducibility
We currently use the ZipArchiveEntry(File, String) constructor when creating a zip file entry for Universal/packageBin. This constructor reads mtime, atime, and ctime from the File and adds them to the 5455 extended header in the zip file. When we call setTime on the entry, it only changes the mtime field--the atime and ctime are the same values from the file and are likely to be different across builds and break reproducibility. To fix this, we use the ZipArchiveEntry(String) constructor which does not read any file metadata, and only uses information we directly provided to it. We now provie the source epoch via setLastModifiedTime since that continues to use the 5455 extended header but only for mtime. We also ensure directories have a trailing slash in the entry name, since that was previously done by the other constructor. With this change, when using SOURCE_DATE_EPOCH, zip files created with Universal/packageBin are now byte-for-byte exactly the same.
---
 .../typesafe/sbt/packager/universal/ZipHelper.scala | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/main/scala/com/typesafe/sbt/packager/universal/ZipHelper.scala b/src/main/scala/com/typesafe/sbt/packager/universal/ZipHelper.scala
index b2a6a3230..b50c617df 100644
--- a/src/main/scala/com/typesafe/sbt/packager/universal/ZipHelper.scala
+++ b/src/main/scala/com/typesafe/sbt/packager/universal/ZipHelper.scala
@@ -4,6 +4,7 @@ package universal
 import java.net.URI
 import java.nio.file.{FileSystem, FileSystems, Files, StandardCopyOption}
+import java.nio.file.attribute.FileTime
 import java.util.zip.Deflater
 import org.apache.commons.compress.archivers.zip._
@@ -122,9 +123,14 @@ object ZipHelper {
 IO createDirectory outputDir
 withZipOutput(outputFile) { output =>
 for (FileMapping(file, name, mode) <- sources) {
- val entry = new ZipArchiveEntry(file, normalizePath(name))
+ val entryName = {
+ val n = normalizePath(name)
+ if (file.isDirectory && !n.endsWith("/")) n + "/" else n
+ }
+ val entry = new ZipArchiveEntry(entryName)
 sys.env.get("SOURCE_DATE_EPOCH") foreach { epoch =>
- entry.setTime(epoch.toLong * 1000)
+ val millis = epoch.toLong * 1000
+ entry.setLastModifiedTime(FileTime.fromMillis(millis))
 }
 // Now check to see if we have permissions for this sucker.
 mode foreach (entry.setUnixMode)
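Review bot: When SOURCE_DATE_EPOCH is unset, the entry built by `new ZipArchiveEntry(entryName)` no longer carries the source file's modification time, because the name-only constructor reads no file metadata and the only timestamp assignment sits inside the `foreach`. Unless code outside this hunk sets it, the archive writer will presumably fall back to the time of the build, which is a behaviour change for ordinary builds that the commit message does not mention. If that is not intended, add a fallback such as `if (!sys.env.contains("SOURCE_DATE_EPOCH")) entry.setTime(file.lastModified)`. Separately, `epoch.toLong` is evaluated for every entry and throws NumberFormatException on a non-numeric value; parsing once before the `for` with an explicit error message would make a bad value easier to diagnose. The enclosing method begins and ends outside the hunk.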