Arch Linux now has a bit-for-bit reproducible Docker image
Robin Candau
antiz at archlinux.org
Mon Apr 20 15:44:17 UTC 2026
Hey everyone,
As a follow-up to the related milestone achieved for our WSL image a few
months ago [1], I'm proud to announce that Arch Linux now has a
bit-for-bit reproducible Docker image!
This bit-for-bit reproducible image is distributed under a new "repro"
tag [2]. This is due to one important caveat: to ensure reproducibility,
the pacman keys have to be stripped from the image, meaning that pacman
is not usable *out of the box* in this image.
Users will need to (re)generate the pacman keyring (by running
`pacman-key --init && pacman-key --populate archlinux`) before being
able to update the system and install packages via pacman. While waiting
to find a suitable solution to this technical constraint, we are
therefore providing this reproducible image under a dedicated tag as a
first milestone.
The bit-for-bit reproducibility of the image is confirmed by digest
equality across builds (`podman inspect --format '{{.Digest}}' <image>`)
and by running `diffoci` [3] to compare builds.
We provide documentation on how to reproduce this Docker image [4] (as
we did for the WSL image as well [5]).
Building the base rootFS for the Docker image in a deterministic way was
the main challenge, but it reuses the same process as for our WSL [6]
image (as both share the same rootFS build system).
The main Docker-specific adjustments include:
- Set `SOURCE_DATE_EPOCH` and honor it in the
`org.opencontainers.image.created` LABEL in the Dockerfile
- Remove the ldconfig auxiliary cache file (which introduces
non-determinism) from the built image in the Dockerfile
- Normalize timestamps during `docker build` / `podman build` using the
`--source-date-epoch=$SOURCE_DATE_EPOCH` and `--rewrite-timestamp` options.
You can check the related change set in our archlinux-docker repository
[7] for more details.
This represents another meaningful achievement in our "reproducible
builds" efforts and we’re already looking forward to the next step!
[1] https://lists.reproducible-builds.org/pipermail/rb-general/2025-December/003975.html
[2] https://hub.docker.com/layers/archlinux/archlinux/repro
[3] https://github.com/reproducible-containers/diffoci
[4] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/master/REPRO.md
[5] https://gitlab.archlinux.org/archlinux/archlinux-wsl/-/blob/main/REPRO.md
[6] https://gitlab.archlinux.org/archlinux/archlinux-wsl/-/commit/7c0340e26358048f3f8ee03b3ab3aea666751712
[7] https://gitlab.archlinux.org/archlinux/archlinux-docker/-/merge_requests/96/diffs
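
Added example (not part of the original message and not code from the archlinux-docker repository): a simplified model of why file timestamps break layer digest equality and how normalizing them against `SOURCE_DATE_EPOCH` restores it, with a small metadata diff in the spirit of what a layer comparison reports. The file contents, build times, epoch value and the capping rule used in `build_layer` are assumptions made for this sketch.

```python
import hashlib, io, tarfile

SOURCE_DATE_EPOCH = 1700000000  # constructed value standing in for the pinned build epoch
# Constructed rootfs content (path -> bytes); not taken from the Arch image.
FILES = {"etc/os-release": b'NAME="Arch Linux"\n', "usr/bin/hello": b"#!/bin/sh\necho hi\n"}

def build_layer(build_time, clamp):
    """Build an uncompressed tar layer; file mtimes are the wall-clock build time
    unless `clamp` is set, in which case they are capped at SOURCE_DATE_EPOCH."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(FILES):
            info = tarfile.TarInfo(name)
            info.size = len(FILES[name])
            info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
            info.mtime = min(build_time, SOURCE_DATE_EPOCH) if clamp else build_time
            tar.addfile(info, io.BytesIO(FILES[name]))
    return buf.getvalue()

def digest(layer):
    """Content digest in the sha256:<hex> form used for image layers."""
    return "sha256:" + hashlib.sha256(layer).hexdigest()

def diff_members(layer_a, layer_b):
    """List (path, field, value_a, value_b) for tar metadata that differs."""
    def members(layer):
        with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
            return {m.name: m for m in tar.getmembers()}
    a, b = members(layer_a), members(layer_b)
    diffs = []
    for name in sorted(a.keys() | b.keys()):
        if name not in a or name not in b:
            diffs.append((name, "presence", name in a, name in b))
            continue
        for field in ("size", "mode", "uid", "gid", "mtime"):
            va, vb = getattr(a[name], field), getattr(b[name], field)
            if va != vb:
                diffs.append((name, field, va, vb))
    return diffs

if __name__ == "__main__":
    t1, t2 = 1776000000, 1776003600  # two constructed build times, one hour apart
    for clamp in (False, True):
        x, y = build_layer(t1, clamp), build_layer(t2, clamp)
        print("clamp=%s equal=%s" % (clamp, digest(x) == digest(y)))
        for d in diff_members(x, y):
            print("  differs:", d)
```

Without the cap, the two builds differ only in `mtime`, yet that alone changes the layer digest; with it, the layers are byte-identical.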