<div dir="ltr"><div>Hi,</div><div><br></div><div>Fyi, OpenJDK build itself does not actually use "keytool" itself, as it has some determinism issues, but also</div><div>doesn't quite do exactly what is required for the cacerts store creation. OpenJDK uses it's own GenerateCacerts</div><div>tool: <a href="https://github.com/openjdk/jdk21u/blob/master/make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java">https://github.com/openjdk/jdk21u/blob/master/make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java</a></div><div>I did open a bug a while back to report the keytool issues, but is was closed as not an issue... <a href="https://bugs.openjdk.org/browse/JDK-8278157">https://bugs.openjdk.org/browse/JDK-8278157</a></div><div><br></div><div>With regards the build of OpenJDK as a whole, it is fully Reproducible, we produce identical Temurin JDKs at Eclipse Adoptium.</div><div><br></div><div>Cheers</div><div>Andrew</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 13, 2024 at 2:25 PM Chris Lamb <<a href="mailto:chris@reproducible-builds.org">chris@reproducible-builds.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Roland Clobus wrote:<br>
<br>
> After the regular postinst has run, I can run the postinst step again <br>
> but then with faketime active.<br>
<br>
Mm, that's likely the most elegant solution available. Even if it is,<br>
alas, a solution specific to building live images. :(<br>
<br>
Separate to that, I would file a bug against keytool and/or KeyStore<br>
class so that the command-line keytool utility either:<br>
<br>
a) obeys SOURCE_DATE_EPOCH internally to the tool<br>
b) accepts a date on the command-line (as suggested explicitly by John)<br>
c) there is some kind of -nodate option<br>
<br>
As you mention, at least (a) and (b) would require a bunch of the<br>
new Date() calls in the KeyStore class to be checked over, and likely<br>
the KeyStore API needs to change as you imply so that a date can be<br>
poked through to the right place. That's probably a design decision<br>
best left to the maintainers of the KeyStore class and keytool utility,<br>
however.<br>
<br>
I don't think we need to propose that the entire JRE/JDK starts to<br>
obey SOURCE_DATE_EPOCH …<br>
<br>
<br>
<br>
<br>
Regards,<br>
<br>
-- <br>
o<br>
⬋ ⬊ Chris Lamb<br>
o o <a href="http://reproducible-builds.org" rel="noreferrer" target="_blank">reproducible-builds.org</a> 💠<br>
⬊ ⬋<br>
o<br>
<br>
</blockquote></div>