#787795 grub2: please build rescue ISO and floppy reproducibly

Package:
grub2
Source:
grub2
Description:
GRand Unified Bootloader, version 2 (dummy package)
Submitter:
Daniel Kahn Gillmor
Date:
2026-06-01 20:37:01 UTC
Severity:
wishlist
Tags:
#787795#5
Date:
2015-06-05 06:37:38 UTC
From:
To:
The ISOs (/usr/lib/grub-rescue/grub-rescue-cdrom.iso and
/usr/lib/grub-rescue/grub-rescue-floppy.iso) that are created by the
grub build process embed subtle variations in the timestamps and the
extents of each file.

This is one of the things that keeps the package from producing
byte-for-byte identical binary builds.

(see https://reproducible.debian.net/rb-pkg/unstable/amd64/grub2.html)

I think this can be fixed with a couple steps in debian/rules: sort
the files by extent, and fix the timestamps.  See some of the scripts
sketched here for example:

https://lists.gnu.org/archive/html/bug-xorriso/2015-06/msg00013.html

However, it won't be completely reproducible until we get a newer
version of xorriso in debian so that we can "-alter_date_r c" (see
#787793, which blocks this bug).

Note that there are other parts of the package which are also
unreproducible (/usr/share/qemu/grub.bin and
usr/lib/grub-xen/grub-i386-xen.bin binaries differ in ways i have not
examined, and there are timestamps in
usr/share/info/grub-dev.info.gz).  These probably will be covered with
separate bug reports.

Regards,
#787795#20
Date:
2015-12-04 17:57:29 UTC
From:
To:
I've send a patches regarding reproducible builds.

debian/rules uses mkrescue and it's uuid comes from a timestamp.

https://lists.gnu.org/archive/html/grub-devel/2015-12/msg00015.html
#787795#25
Date:
2021-07-25 23:19:46 UTC
From:
To:
Looking at recent diffoscope output:

https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/grub2.html

It appears for the .iso files only the timestamp issue remains.

Since newer versions of xorriso are now in Debian, I tried adding
"-alter_date_r c" to xorriso calls, but it would seem xorriso doesn't
support "-alter_date_r c" when used with "-as mkisofs". I'm not sure how
difficult it would be to convert away from using "-as mkisofs" so that
"-alter_date_r c" would be supportable...


live well,
  vagrant
#787795#30
Date:
2024-10-02 11:05:20 UTC
From:
To:
Hi,
and xorrisofs (aka "xorriso -as mkisofs").. although it may in theory be
possible to convert to 'native' xorriso by migrating a lot of the command-line
construction, I think that it might be fragile and unnecessary work, because:

...there is a '--set_all_file_dates' command-line option[1] in xorrisofs that
seems to do what we want here.

There's one other change required in grub-mkrescue alongside this in order to
achieve reproducible builds: we need it to read from the SOURCE_DATE_EPOCH env
var when set (currently grub-mkrescue always uses system clock time).

Please find attached a patch that allows me to rebuild grub-rescue-cdrom.iso
deterministically on my local machine when SOURCE_DATE_EPOCH is set.  I'll also
offer this as a merge request on the Salsa repository[2].

Note: the current patch _always_ adds the set_all_file_dates option when
invoking xorriso, regardless of whether the image creation time is read from
the SOURCE_DATE_EPOCH variable or the system clock.

Regards,
James

[1] - https://manpages.debian.org/bookworm/xorriso/xorrisofs.1.en.html#set_all_file_dates

[2] - https://salsa.debian.org/grub-team/grub/
#787795#37
Date:
2024-10-02 11:30:08 UTC
From:
To:
#787795#44
Date:
2026-06-01 20:34:04 UTC
From:
To:
I can confirm that this still applies for grub2 2.14-2, still is needed,
and fixes the issue. Thanks!

So that is one more known fix for grub2 reproducibility...

live well,
  vagrant