On my local machine, `mvn clean verify artifact:compare` results in:
```
[INFO] --- artifact:3.4.1:compare (default-cli) @ drools-core ---
[WARNING] SCM source tag in buildinfo source.scm.tag=HEAD does not permit rebuilders reproducible source checkout
[INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts
[INFO] Reference build java.version: 17 (from MANIFEST.MF Build-Jdk-Spec)
[INFO] Reference build os.name: Unix (from pom.properties newline)
[INFO] Minimal buildinfo generated from downloaded artifacts: /home/tkobayas/usr/work/reproducible/drools/drools-core/target/reference/drools-core-999-SNAPSHOT.buildinfo
[ERROR] size mismatch drools-core-999-SNAPSHOT-tests.jar: investigate with diffoscope drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar drools-core/target/drools-core-999-SNAPSHOT-tests.jar
[ERROR] Reproducible Build output summary: 4 files ok, 1 different
[ERROR] see diff drools-core/target/reference/drools-core-999-SNAPSHOT.buildinfo drools-core/target/drools-core-999-SNAPSHOT.buildinfo
[ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[INFO] Reproducible Build output comparison saved to /home/tkobayas/usr/work/reproducible/drools/drools-core/target/drools-core-999-SNAPSHOT.buildcompare
[INFO] Aggregate buildcompare copied to /home/tkobayas/usr/work/reproducible/drools/target/drools-parent-999-SNAPSHOT.buildcompare
```
diffoscope output:
```
$ diffoscope drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar drools-core/target/drools-core-999-SNAPSHOT-tests.jar
--- drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar
+++ drools-core/target/drools-core-999-SNAPSHOT-tests.jar
├── zipinfo {}
│ @@ -1,8 +1,8 @@
│ -Zip file size: 232564 bytes, number of entries: 220
│ +Zip file size: 233299 bytes, number of entries: 221
│ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 META-INF/
│ -rw-r--r-- 2.0 unx 505 b- defN 24-Jan-12 00:00 META-INF/MANIFEST.MF
│ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/
│ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/drools/
│ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/drools/core/
│ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/drools/core/base/
│ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/drools/core/base/accumulators/
│ @@ -188,14 +188,15 @@
│ -rw-r--r-- 2.0 unx 435 b- defN 24-Jan-12 00:00 org/drools/core/util/asm/TestAbstract.class
│ -rw-r--r-- 2.0 unx 450 b- defN 24-Jan-12 00:00 org/drools/core/util/asm/TestAbstractImpl.class
│ -rw-r--r-- 2.0 unx 1547 b- defN 24-Jan-12 00:00 org/drools/core/util/asm/TestBean.class
│ -rw-r--r-- 2.0 unx 205 b- defN 24-Jan-12 00:00 org/drools/core/util/asm/TestInterface.class
│ -rw-r--r-- 2.0 unx 556 b- defN 24-Jan-12 00:00 org/drools/core/util/asm/TestInterfaceImpl.class
│ -rw-r--r-- 2.0 unx 1910 b- defN 24-Jan-12 00:00 org/drools/core/util/asm/TestObject.class
│ -rwxr-xr-x 2.0 unx 644 b- defN 24-Jan-12 00:00 org/drools/core/util/droolsClient.keystore
│ +-rw-r--r-- 2.0 unx 624 b- defN 24-Jan-12 00:00 org/drools/core/util/droolsServer.jceks
│ -rwxr-xr-x 2.0 unx 1350 b- defN 24-Jan-12 00:00 org/drools/core/util/droolsServer.keystore
│ -rw-r--r-- 2.0 unx 865 b- defN 24-Jan-12 00:00 org/drools/core/util/engine.policy
│ -rw-r--r-- 2.0 unx 5312 b- defN 24-Jan-12 00:00 org/drools/core/util/index/IndexUtilTest$FakeBetaNodeFieldConstraint.class
│ -rw-r--r-- 2.0 unx 3293 b- defN 24-Jan-12 00:00 org/drools/core/util/index/IndexUtilTest$FakeReadAccessor.class
│ -rw-r--r-- 2.0 unx 7673 b- defN 24-Jan-12 00:00 org/drools/core/util/index/IndexUtilTest.class
│ -rw-r--r-- 2.0 unx 3443 b- defN 24-Jan-12 00:00 org/drools/core/util/index/RangeIndexTest.class
│ -rw-r--r-- 2.0 unx 1012 b- defN 24-Jan-12 00:00 org/drools/core/util/kie.policy
│ @@ -215,8 +216,8 @@
│ -rw-r--r-- 2.0 unx 21806 b- defN 24-Jan-12 00:00 pkg/mortgages.pkg
│ -rw-r--r-- 2.0 unx 1799 b- defN 24-Jan-12 00:00 rule-agent-config.properties
│ -rw-r--r-- 2.0 unx 2209 b- defN 24-Jan-12 00:00 rule-base-rule-agent-config.properties
│ -rw-r--r-- 2.0 unx 893 b- defN 24-Jan-12 00:00 sample-agent-config.properties
│ -rw-r--r-- 2.0 unx 31057 b- defN 24-Jan-12 00:00 waltz12.dat
│ -rw-r--r-- 2.0 unx 8039 b- defN 24-Jan-12 00:00 META-INF/maven/org.drools/drools-core/pom.xml
│ -rw-r--r-- 2.0 unx 63 b- defN 24-Jan-12 00:00 META-INF/maven/org.drools/drools-core/pom.properties
│ -220 files, 560891 bytes uncompressed, 196398 bytes compressed: 65.0%
│ +221 files, 561515 bytes uncompressed, 196979 bytes compressed: 64.9%
├── zipnote «TEMP»/diffoscope_e6bcvig3_target/tmpceiwpf7e_.zip
│ @@ -573,14 +573,17 @@
│
│ Filename: org/drools/core/util/asm/TestObject.class
│ Comment:
│
│ Filename: org/drools/core/util/droolsClient.keystore
│ Comment:
│
│ +Filename: org/drools/core/util/droolsServer.jceks
│ +Comment:
│ +
│ Filename: org/drools/core/util/droolsServer.keystore
│ Comment:
│
│ Filename: org/drools/core/util/engine.policy
│ Comment:
│
│ Filename: org/drools/core/util/index/IndexUtilTest$FakeBetaNodeFieldConstraint.class
```
`droolsServer.jceks` seems to be the problem. Sorry that I'll be off until
next Tuesday. I may occasionally investigate it, but it would be great if
someone can fix it.
Cheers,
Toshiya
On Thu, Jun 20, 2024 at 12:20 AM Alex Porcelli <[email protected]> wrote:
> Just tried at the drools repo and it failed in the reproducible build
> when I run `mvn clean verify artifact:compare` :(
>
> On Fri, Jun 14, 2024 at 12:08 PM Jan Šťastný <[email protected]>
> wrote:
> >
> > Hello all,
> >
> > In discussion with the security team I've been asked to provide answers to
> > the following questions on how we fulfil the security requirements that go
> > with automated GPG signing in a CI environment:
> >
> > https://infra.apache.org/release-signing.html#automated-release-signing
> > requires that the build is binary reproducible and that "The release
> > procedure contains a validation step where all artifacts are reproduced on
> > trusted hardware (
> > https://www.apache.org/legal/release-policy.html#owned-controlled-hardware )
> > before publication to pages intended for end users"
> >
> > I'd like to ask everyone for assistance, especially in confirming that our
> > builds are reproducible, but also to help me interpret the trusted
> > hardware request.
> >
> > The more I think about this, the more I tend to think we will be asked to
> > provide some documentation of how we release as a reference.
> >
> > Regards
> > Jan
>
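As an added example (not code from this thread and not part of the Drools or Maven tooling), here is a small Python script that performs the same entry-level check that artifact:compare and diffoscope did above: it lists entries present in only one of two jars, entries whose size or CRC differ even though the name matches, and reports whether the two archives are byte-identical. The two jars it compares are constructed in memory (a sample with a fixed 2024-01-12 timestamp, not real drools-core artifacts), so it runs offline; the list of suffixes it flags as key material (`.jceks`, `.keystore`, ...) is an assumption of the example, chosen because a stray keystore is exactly the kind of entry a release reviewer wants called out rather than buried in a zipinfo diff.

```python
"""Entry-level comparison of a reference jar and a rebuilt jar.

Added example, not project code. The sample jars are constructed in memory
and SENSITIVE_SUFFIXES is an assumed list.
"""
import hashlib
import io
import zipfile

# Entry suffixes a reviewer would not expect to ship in a published jar (assumed list).
SENSITIVE_SUFFIXES = (".jceks", ".jks", ".keystore", ".p12", ".pem", ".key")


def entry_table(jar_bytes):
    """Map every entry name to (uncompressed size, CRC-32, unix mode bits)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            info.filename: (info.file_size, info.CRC, info.external_attr >> 16)
            for info in zf.infolist()
        }


def compare_jars(reference, rebuilt):
    """Return entries added/removed/changed in `rebuilt` relative to `reference`.

    `reproducible` is the strict verdict: the two archives are byte-identical,
    which is what a rebuilder checks before trusting a signature.
    """
    ref, new = entry_table(reference), entry_table(rebuilt)
    added = sorted(set(new) - set(ref))
    removed = sorted(set(ref) - set(new))
    # Same name but different size, CRC or mode: a silently modified entry.
    changed = sorted(n for n in set(ref) & set(new) if ref[n] != new[n])
    identical = hashlib.sha256(reference).digest() == hashlib.sha256(rebuilt).digest()
    return {"added": added, "removed": removed, "changed": changed, "reproducible": identical}


def suspicious_entries(names):
    """Entry names that look like key material or trust stores."""
    return [n for n in names if n.lower().endswith(SENSITIVE_SUFFIXES)]


def build_sample_jar(overrides=None):
    """Constructed in-memory jar: fixed timestamp and sorted entry order so two
    builds from the same inputs are byte-identical."""
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuild-Jdk-Spec: 17\n",
        "org/drools/core/util/asm/TestObject.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
        "org/drools/core/util/droolsServer.keystore": b"\xfe\xed\xfe\xed" + b"\x00" * 8,
    }
    entries.update(overrides or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):  # entry order is part of reproducibility
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 12, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16
            zf.writestr(info, entries[name])
    return buf.getvalue()


def report(result):
    """Human-readable summary, flagging key-material-looking entries."""
    lines = ["reproducible" if result["reproducible"] else "NOT reproducible"]
    for kind in ("added", "removed", "changed"):
        for name in result[kind]:
            flag = "  <-- key material?" if name.lower().endswith(SENSITIVE_SUFFIXES) else ""
            lines.append(f"{kind}: {name}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    reference = build_sample_jar()
    # Constructed "rebuilt" jar with one extra keystore entry, mirroring the diff above.
    rebuilt = build_sample_jar(
        {"org/drools/core/util/droolsServer.jceks": b"\xce\xce\xce\xce" + b"\x00" * 4}
    )
    print(report(compare_jars(reference, rebuilt)))
```

Unlike a size-only check, the CRC comparison also catches an entry that was rewritten to the same length, and the final byte-identity test is the one that matters for signing: two jars can have identical entry tables and still differ in compression level, entry order or extra fields. Run it from a checkout by replacing the constructed jars with `open(path, "rb").read()` on `target/reference/*.jar` and `target/*.jar`.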