feat: reproducible tarballs for components + sboms (#2210)

## Description `archiver@v3` does not expose the functionality needed to create tarballs with file headers containing only deterministic information. As such, back to back package `create`s against the same data will result in differences in SHAs of `components/*.tar` and `sboms.tar`. To remedy this, tarballing up these directories manually is the only current path forward in order to guarantee reproducibility. `archiver@v4` contains such functionality, but is still in `alpha`. ## Related Issue Fixes #2199 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Signed-off-by: razzle <[email protected]> Co-authored-by: Wayne Starr <[email protected]>
zarf-dev · Jan 3, 2024 · 9a97f83 · 9a97f83
1 parent 5e99a86
commit 9a97f83
Show file tree

Hide file tree

Showing 8 changed files with 168 additions and 55 deletions.
diff --git a/src/cmd/tools/archiver.go b/src/cmd/tools/archiver.go
@@ -53,6 +53,9 @@ var archiverDecompressCmd = &cobra.Command{
 
 		if unarchiveAll {
 			err := filepath.Walk(destinationPath, func(path string, info os.FileInfo, err error) error {
+				if err != nil {
+					return err
+				}
 				if strings.HasSuffix(path, ".tar") {
 					dst := filepath.Join(strings.TrimSuffix(path, ".tar"), "..")
 					// Unpack sboms.tar differently since it has a different folder structure than components
@@ -71,7 +74,7 @@ var archiverDecompressCmd = &cobra.Command{
 				return nil
 			})
 			if err != nil {
-				message.Fatalf(err, lang.CmdToolsArchiverUnarchiveAllErr)
+				message.Fatalf(err, lang.CmdToolsArchiverUnarchiveAllErr, err.Error())
 			}
 		}
 	},

diff --git a/src/config/lang/english.go b/src/config/lang/english.go
@@ -398,7 +398,7 @@ $ zarf package pull oci://ghcr.io/defenseunicorns/packages/dos-games:1.0.0 -a sk
 	CmdToolsArchiverDecompressShort = "Decompresses an archive or Zarf package based off of the source file extension."
 	CmdToolsArchiverDecompressErr   = "Unable to perform decompression: %s"
 
-	CmdToolsArchiverUnarchiveAllErr = "Unable to unarchive all nested tarballs"
+	CmdToolsArchiverUnarchiveAllErr = "Unable to unarchive all nested tarballs: %s"
 
 	CmdToolsRegistryShort     = "Tools for working with container registries using go-containertools"
 	CmdToolsRegistryZarfState = "Retrieving registry information from Zarf state"

diff --git a/src/pkg/layout/component.go b/src/pkg/layout/component.go
@@ -65,7 +65,7 @@ func (c *Components) Archive(component types.ZarfComponent, cleanupTemp bool) (e
 	if size > 0 {
 		tb := fmt.Sprintf("%s.tar", base)
 		message.Debugf("Archiving %q", name)
-		if err := archiver.Archive([]string{base}, tb); err != nil {
+		if err := utils.CreateReproducibleTarballFromDir(base, name, tb); err != nil {
 			return err
 		}
 		if c.Tarballs == nil {

diff --git a/src/pkg/layout/sbom.go b/src/pkg/layout/sbom.go
@@ -60,14 +60,9 @@ func (s *SBOMs) Archive() (err error) {
 	dir := s.Path
 	tb := filepath.Join(filepath.Dir(dir), SBOMTar)
 
-	allSBOMFiles, err := filepath.Glob(filepath.Join(dir, "*"))
-	if err != nil {
+	if err := utils.CreateReproducibleTarballFromDir(dir, "", tb); err != nil {
 		return err
 	}
-
-	if err = archiver.Archive(allSBOMFiles, tb); err != nil {
-		return
-	}
 	s.Path = tb
 	return os.RemoveAll(dir)
 }

diff --git a/src/pkg/packager/create_stages.go b/src/pkg/packager/create_stages.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -616,9 +617,8 @@ func (p *Packager) addComponent(index int, component types.ZarfComponent) error
 // Each file within the basePath represents a layer within the Zarf package.
 // generateChecksum returns a SHA256 checksum of the checksums.txt file.
 func (p *Packager) generatePackageChecksums() (string, error) {
-	var checksumsData string
-
 	// Loop over the "loaded" files
+	var checksumsData = []string{}
 	for rel, abs := range p.layout.Files() {
 		if rel == layout.ZarfYAML || rel == layout.Checksums {
 			continue
@@ -628,12 +628,13 @@ func (p *Packager) generatePackageChecksums() (string, error) {
 		if err != nil {
 			return "", err
 		}
-		checksumsData += fmt.Sprintf("%s %s\n", sum, rel)
+		checksumsData = append(checksumsData, fmt.Sprintf("%s %s", sum, rel))
 	}
+	slices.Sort(checksumsData)
 
 	// Create the checksums file
 	checksumsFilePath := p.layout.Checksums
-	if err := utils.WriteFile(checksumsFilePath, []byte(checksumsData)); err != nil {
+	if err := utils.WriteFile(checksumsFilePath, []byte(strings.Join(checksumsData, "\n")+"\n")); err != nil {
 		return "", err
 	}
 

diff --git a/src/pkg/utils/io.go b/src/pkg/utils/io.go
@@ -5,6 +5,7 @@
 package utils
 
 import (
+	"archive/tar"
 	"bufio"
 	"crypto/sha256"
 	"fmt"
@@ -16,6 +17,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+	"time"
 
 	"github.com/defenseunicorns/zarf/src/config"
 	"github.com/defenseunicorns/zarf/src/pkg/message"
@@ -422,3 +424,64 @@ func SHAsMatch(path, expected string) error {
 	}
 	return nil
 }
+
+// CreateReproducibleTarballFromDir creates a tarball from a directory with stripped headers
+func CreateReproducibleTarballFromDir(dirPath, dirPrefix, tarballPath string) error {
+	tb, err := os.Create(tarballPath)
+	if err != nil {
+		return fmt.Errorf("error creating tarball: %w", err)
+	}
+	defer tb.Close()
+
+	tw := tar.NewWriter(tb)
+	defer tw.Close()
+
+	// Walk through the directory and process each file
+	return filepath.Walk(dirPath, func(filePath string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Create a new header
+		header, err := tar.FileInfoHeader(info, "")
+		if err != nil {
+			return fmt.Errorf("error creating tar header: %w", err)
+		}
+
+		// Strip non-deterministic header data
+		header.ModTime = time.Time{}
+		header.AccessTime = time.Time{}
+		header.ChangeTime = time.Time{}
+		header.Uid = 0
+		header.Gid = 0
+		header.Uname = ""
+		header.Gname = ""
+
+		// Ensure the header's name is correctly set relative to the base directory
+		name, err := filepath.Rel(dirPath, filePath)
+		if err != nil {
+			return fmt.Errorf("error getting relative path: %w", err)
+		}
+		header.Name = filepath.Join(dirPrefix, name)
+
+		// Write the header to the tarball
+		if err := tw.WriteHeader(header); err != nil {
+			return fmt.Errorf("error writing header: %w", err)
+		}
+
+		// If it's a file, write its content
+		if !info.IsDir() {
+			file, err := os.Open(filePath)
+			if err != nil {
+				return fmt.Errorf("error opening file: %w", err)
+			}
+			defer file.Close()
+
+			if _, err := io.Copy(tw, file); err != nil {
+				return fmt.Errorf("error writing file to tarball: %w", err)
+			}
+		}
+
+		return nil
+	})
+}
diff --git a/src/test/e2e/05_multi_part_test.go b/src/test/e2e/05_multi_part_test.go
diff --git a/src/test/e2e/05_tarball_test.go b/src/test/e2e/05_tarball_test.go
@@ -0,0 +1,93 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+// Package test provides e2e tests for Zarf.
+package test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/defenseunicorns/zarf/src/pkg/layout"
+	"github.com/defenseunicorns/zarf/src/pkg/message"
+	"github.com/defenseunicorns/zarf/src/pkg/utils"
+	"github.com/defenseunicorns/zarf/src/types"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMultiPartPackage(t *testing.T) {
+	t.Log("E2E: Multi-part package")
+
+	var (
+		createPath = "src/test/packages/05-multi-part"
+		deployPath = fmt.Sprintf("zarf-package-multi-part-%s.tar.zst.part000", e2e.Arch)
+		outputFile = "multi-part-demo.dat"
+	)
+
+	e2e.CleanFiles(deployPath, outputFile)
+
+	// Create the package with a max size of 1MB
+	stdOut, stdErr, err := e2e.Zarf("package", "create", createPath, "--max-package-size=1", "--confirm")
+	require.NoError(t, err, stdOut, stdErr)
+
+	list, err := filepath.Glob("zarf-package-multi-part-*")
+	require.NoError(t, err)
+	// Length is 7 because there are 6 parts and 1 manifest
+	require.Len(t, list, 7)
+
+	stdOut, stdErr, err = e2e.Zarf("package", "deploy", deployPath, "--confirm")
+	require.NoError(t, err, stdOut, stdErr)
+
+	// Verify the package was deployed
+	require.FileExists(t, outputFile)
+
+	e2e.CleanFiles(deployPath, outputFile)
+}
+
+func TestReproducibleTarballs(t *testing.T) {
+	t.Log("E2E: Reproducible tarballs")
+
+	var (
+		createPath = filepath.Join("examples", "dos-games")
+		tmp        = t.TempDir()
+		tb         = filepath.Join(tmp, fmt.Sprintf("zarf-package-dos-games-%s-1.0.0.tar.zst", e2e.Arch))
+		unpack1    = filepath.Join(tmp, "unpack1")
+		unpack2    = filepath.Join(tmp, "unpack2")
+	)
+
+	stdOut, stdErr, err := e2e.Zarf("package", "create", createPath, "--confirm", "--output", tmp)
+	require.NoError(t, err, stdOut, stdErr)
+
+	stdOut, stdErr, err = e2e.Zarf("tools", "archiver", "decompress", tb, unpack1)
+	require.NoError(t, err, stdOut, stdErr)
+
+	var pkg1 types.ZarfPackage
+	err = utils.ReadYaml(filepath.Join(unpack1, layout.ZarfYAML), &pkg1)
+	require.NoError(t, err)
+
+	b, err := os.ReadFile(filepath.Join(unpack1, layout.Checksums))
+	require.NoError(t, err)
+	checksums1 := string(b)
+
+	e2e.CleanFiles(unpack1, tb)
+
+	stdOut, stdErr, err = e2e.Zarf("package", "create", createPath, "--confirm", "--output", tmp)
+	require.NoError(t, err, stdOut, stdErr)
+
+	stdOut, stdErr, err = e2e.Zarf("tools", "archiver", "decompress", tb, unpack2)
+	require.NoError(t, err, stdOut, stdErr)
+
+	var pkg2 types.ZarfPackage
+	err = utils.ReadYaml(filepath.Join(unpack2, layout.ZarfYAML), &pkg2)
+	require.NoError(t, err)
+
+	b, err = os.ReadFile(filepath.Join(unpack2, layout.Checksums))
+	require.NoError(t, err)
+	checksums2 := string(b)
+
+	message.PrintDiff(checksums1, checksums2)
+
+	require.Equal(t, pkg1.Metadata.AggregateChecksum, pkg2.Metadata.AggregateChecksum)
+}