Skip to content
Snippets Groups Projects
New look: Off

openssl (for Windows) is including the year it was built on, causing the built to be unreproducible if built on different years

    • Closed (moved) Issue created by boklm @boklm

    My build of 9.5a7-build2 is not matching with the build from Richard: https://people.torproject.org/~richard/builds/9.5a7-build2/ https://people.torproject.org/~boklm/builds/9.5a7-build2/

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items ...

    • Activity

    • boklm added TorBrowserTeam202003R component::applications/tor browser owner::tbb-team priority::very high resolution::fixed severity::normal status::closed tbb-rbm type::defect labels

      added TorBrowserTeam202003R component::applications/tor browser owner::tbb-team priority::very high resolution::fixed severity::normal status::closed tbb-rbm type::defect labels

    • boklm
      boklm @boklm ·
      Author

      I started a rebuild of win32 and win64 to check if I get a different result.

    • boklm
      boklm @boklm ·
      Author

      After comparing the win32 bundles, the following two files are different:

      • Browser/TorBrowser/Tor/libcrypto-1_1.dll
      • Browser/TorBrowser/Tor/libssl-1_1.dll

      And when comparing the files:

      --- b/Browser/TorBrowser/Tor/libcrypto-1_1.dll
+++ r/Browser/TorBrowser/Tor/libcrypto-1_1.dll
@@ -7,15 +7,15 @@
 0000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
 0000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
 0000080: 5045 0000 4c01 1200 0000 0000 0058 2900  PE..L........X).
 0000090: 5254 0000 e000 0621 0b01 021f 0030 1c00  RT.....!.....0..
 00000a0: 008a 2500 003c 0000 b013 0000 0010 0000  ..%..<..........
 00000b0: 0040 1c00 0000 406b 0010 0000 0002 0000  .@....@k........
 00000c0: 0400 0000 0100 0000 0400 0000 0000 0000  ................
-00000d0: 0030 2a00 0010 0000 cd01 3300 0300 4001  .0*.......3...@.
+00000d0: 0030 2a00 0010 0000 c501 3300 0300 4001  .0*.......3...@.
 00000e0: 0000 2000 0010 0000 0000 1000 0010 0000  .. .............
 00000f0: 0000 0000 1000 0000 00e0 2200 44ff 0100  ..........".D...
 0000100: 00e0 2400 ac11 0000 0020 2500 b803 0000  ..$...... %.....
 0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000120: 0030 2500 10e9 0000 0000 0000 0000 0000  .0%.............
 0000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000140: f40e 2200 1800 0000 0000 0000 0000 0000  ..".............
@@ -150251,15 +150251,15 @@
 024aea0: 0100 5000 7200 6f00 6400 7500 6300 7400  ..P.r.o.d.u.c.t.
 024aeb0: 5600 6500 7200 7300 6900 6f00 6e00 0000  V.e.r.s.i.o.n...
 024aec0: 3100 2e00 3100 2e00 3100 6400 0000 0000  1...1...1.d.....
 024aed0: a000 3e00 0100 4c00 6500 6700 6100 6c00  ..>...L.e.g.a.l.
 024aee0: 4300 6f00 7000 7900 7200 6900 6700 6800  C.o.p.y.r.i.g.h.
 024aef0: 7400 0000 4300 6f00 7000 7900 7200 6900  t...C.o.p.y.r.i.
 024af00: 6700 6800 7400 2000 3100 3900 3900 3800  g.h.t. .1.9.9.8.
-024af10: 2d00 3200 3000 3100 3900 2000 5400 6800  -.2.0.1.9. .T.h.
+024af10: 2d00 3200 3000 3200 3000 2000 5400 6800  -.2.0.2.0. .T.h.
 024af20: 6500 2000 4f00 7000 6500 6e00 5300 5300  e. .O.p.e.n.S.S.
 024af30: 4c00 2000 4100 7500 7400 6800 6f00 7200  L. .A.u.t.h.o.r.
 024af40: 7300 2e00 2000 4100 6c00 6c00 2000 7200  s... .A.l.l. .r.
 024af50: 6900 6700 6800 7400 7300 2000 7200 6500  i.g.h.t.s. .r.e.
 024af60: 7300 6500 7200 7600 6500 6400 2e00 0000  s.e.r.v.e.d.....
 024af70: 4400 0000 0100 5600 6100 7200 4600 6900  D.....V.a.r.F.i.
 024af80: 6c00 6500 4900 6e00 6600 6f00 0000 0000  l.e.I.n.f.o.....
      --- b/Browser/TorBrowser/Tor/libssl-1_1.dll
+++ r/Browser/TorBrowser/Tor/libssl-1_1.dll
@@ -7,15 +7,15 @@
 0000060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
 0000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
 0000080: 5045 0000 4c01 1200 0000 0000 0078 0b00  PE..L........x..
 0000090: be1c 0000 e000 0621 0b01 021f 00ae 0500  .......!........
 00000a0: 00be 0700 0006 0000 b013 0000 0010 0000  ................
 00000b0: 00c0 0500 0000 f86a 0010 0000 0002 0000  .......j........
 00000c0: 0400 0000 0100 0000 0400 0000 0000 0000  ................
-00000d0: 0030 0c00 0006 0000 3484 0e00 0300 4001  .0......4.....@.
+00000d0: 0030 0c00 0006 0000 2c84 0e00 0300 4001  .0......,.....@.
 00000e0: 0000 2000 0010 0000 0000 1000 0010 0000  .. .............
 00000f0: 0000 0000 1000 0000 0020 0700 3340 0000  ......... ..3@..
 0000100: 0070 0700 343e 0000 00d0 0700 b003 0000  .p..4>..........
 0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000120: 00e0 0700 ec41 0000 0000 0000 0000 0000  .....A..........
 0000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000140: 9ceb 0600 1800 0000 0000 0000 0000 0000  ................
@@ -30730,16 +30730,16 @@
 0078090: 7400 0000 3200 0700 0100 5000 7200 6f00  t...2.....P.r.o.
 00780a0: 6400 7500 6300 7400 5600 6500 7200 7300  d.u.c.t.V.e.r.s.
 00780b0: 6900 6f00 6e00 0000 3100 2e00 3100 2e00  i.o.n...1...1...
 00780c0: 3100 6400 0000 0000 a000 3e00 0100 4c00  1.d.......>...L.
 00780d0: 6500 6700 6100 6c00 4300 6f00 7000 7900  e.g.a.l.C.o.p.y.
 00780e0: 7200 6900 6700 6800 7400 0000 4300 6f00  r.i.g.h.t...C.o.
 00780f0: 7000 7900 7200 6900 6700 6800 7400 2000  p.y.r.i.g.h.t. .
-0078100: 3100 3900 3900 3800 2d00 3200 3000 3100  1.9.9.8.-.2.0.1.
-0078110: 3900 2000 5400 6800 6500 2000 4f00 7000  9. .T.h.e. .O.p.
+0078100: 3100 3900 3900 3800 2d00 3200 3000 3200  1.9.9.8.-.2.0.2.
+0078110: 3000 2000 5400 6800 6500 2000 4f00 7000  0. .T.h.e. .O.p.
 0078120: 6500 6e00 5300 5300 4c00 2000 4100 7500  e.n.S.S.L. .A.u.
 0078130: 7400 6800 6f00 7200 7300 2e00 2000 4100  t.h.o.r.s... .A.
 0078140: 6c00 6c00 2000 7200 6900 6700 6800 7400  l.l. .r.i.g.h.t.
 0078150: 7300 2000 7200 6500 7300 6500 7200 7600  s. .r.e.s.e.r.v.
 0078160: 6500 6400 2e00 0000 4400 0000 0100 5600  e.d.....D.....V.
 0078170: 6100 7200 4600 6900 6c00 6500 4900 6e00  a.r.F.i.l.e.I.n.
 0078180: 6600 6f00 0000 0000 2400 0400 0000 5400  f.o.....$.....T.

      So it looks like openssl is including somewhere in the binary the year on which it was built. My build of openssl is from 2019, while the build from Richard is from 2020.

    • boklm
      boklm @boklm ·
      Author

      Trac:
      Summary: win32 and win64 bundles from 9.5a7-build2 are not matching to openssl is including the year it was built on, causing the built to be unreproducible if built on different years

    • boklm
      boklm @boklm ·
      Author

      There is a patch for review in branch bug_33535: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_33535&id=f0b504b13768f3236f6880c9346db00082549506

      I will submit this patch to upstream after confirming that it is solving the issue for us.

      Trac:
      Keywords: TorBrowserTeam202003 deleted, TorBrowserTeam202003R added
      Status: new to needs_review

    • morgan
      morgan @morgan ·

      Replying to boklm:

      There is a patch for review in branch bug_33535: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_33535&id=f0b504b13768f3236f6880c9346db00082549506

      I will submit this patch to upstream after confirming that it is solving the issue for us.

      Looks good to me!

    • boklm
      boklm @boklm ·
      Author

      I posted a more simple version of the patch in branch bug_33535_v2: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_33535_v2&id=d1878906cced1672563f5958b13ed1ae9a158471

      Doing it the same way as is already done in an other part of openssl: https://git.openssl.org/?p=openssl.git;a=blob;f=util/mkbuildinf.pl;h=1c273872be11c01e881a59a61bb3f0f125679441;hb=HEAD#l15

    • boklm
      boklm @boklm ·
      Author

      In branch bug_33535_v2 I fixed a typo in the patch's commit message (noticed by GeKo): https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_33535_v3&id=b5e9b4ad94be85ec581b8e7a8aaec42696519dc1

    • S
      Matthew Finkel @sysrqb ·

      Replying to boklm:

      In branch bug_33535_v2 I fixed a typo in the patch's commit message (noticed by GeKo): https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_33535_v3&id=b5e9b4ad94be85ec581b8e7a8aaec42696519dc1

      Thanks! I backported to maint-9.0 as commit 4a2ad0146f9ad09eca816f07335df2a627ede6a1. Merged onto master as commit b5e9b4ad94be85ec581b8e7a8aaec42696519dc1.

      Trac:
      Resolution: N/A to fixed
      Status: needs_review to closed

    • boklm
      boklm @boklm ·
      Author

      Trac:
      Summary: openssl is including the year it was built on, causing the built to be unreproducible if built on different years to openssl (for Windows) is including the year it was built on, causing the built to be unreproducible if built on different years

    • boklm
      boklm @boklm ·
      Author

      https://github.com/openssl/openssl/pull/11296

    • boklm
      boklm @boklm ·
      Author

      Replying to boklm:

      https://github.com/openssl/openssl/pull/11296 Patch has been merged to master and 1.1.1. So it should be possible to remove projects/openssl/use-SOURCE_DATE_EPOCH.patch with next openssl update.

    • Trac closed

      closed

    • Trac moved to tpo/applications/tor-browser#33535 (closed)

      moved to tpo/applications/tor-browser#33535 (closed)

    Please register or sign in to reply