Sign inContact usTry it out
Sign inContact usTry it out

Designing build date epoch in Chainguard Images

Matt Moore, CTO
  •  
June 8, 2023
The Case for Farm-to-Table Package Signing

In this post, we are going to walk through how we make Chainguard Images reproducible without the pesky problem where the images show up as created in 1970.

A little bit of background for the uninitiated. Typically container images carry a “created_at” timestamp in their “config file” reflecting when the container image was built. However, since this config file’s hash is part of a Merkle tree, which allows the container to be pulled by digest and how git works, any non-determinism in this timestamp results in the digest for the image changing even if everything else remains the same.

To address this non-determinism, a common practice became to set the timestamp to what’s called the Unix Epoch, which is midnight of January 1st 1970. above, this has led to all sorts of “fun” UX problems over the years.

To address this problem, the reproducible-builds.org group devised a scheme commonly called “source date epoch”, which established a way for users to configure a deterministic timestamp for the build tool to use, which is a function of the source input.

For folks using git they would do this via something like this:

-- CODE language-bash -- export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)

What this does is direct any build tools (that adhere to “source date epoch”) to use the timestamp of the most recent git commit as the timestamp within any artifacts produced. This means that any builds done at a particular commit will be binary-equivalent and the timestamps will match.

So why don’t we just use “source date epoch”?!?!  It sounds great!

In fact, we do! When we perform our APK builds for Wolfi, and our downstream enterprise Chainguard APKs, we encode the timestamp of when we last changed our packaging configuration file as the “source date epoch”:

-- CODE language-bash -- git log -1 --pretty=%ct --follow $(pkgname).yaml

Since each package pins to a particular version of the software, it only changes when the source or configuration changes (similar to the Merkle tree above):

The derived “source date epoch” timestamp gets encoded into the APK’s “control data” as the builddate, and the APKINDEX’s entry for that package as the “build time” (aka t:).

So what’s a “build date epoch” then…?

Things get a bit more complicated when we produce the Chainguard Images from these APKs because when we produce our Images we generally want to pick up the latest versions of these packages, often in order to fix CVEs. What this means is that unlike above, the timestamp of the configuration file does not reflect the timestamp we should use because the configuration file itself changes very rarely, but it will still continue to pick up newer packages than the configuration file itself. If the configuration file does change, then the image digest will change as well.

To account for this, we compute what we have dubbed the “build date epoch,” which is effectively the MAX(builddate) from the installed APKs and as we’ve established above for Wolfi and Chainguard APKs, it is based on a stable “source date epoch” of their respective packages.

In essence, “build date epoch” enables us to achieve a transitive form of “source date epoch,” and because of this the image digests will largely change only when one of their packages has a new version.

Want to learn more about how we build Chainguard Images? Watch our live demo with Chainguard CEO Dan Lorenc or visit Chainguard Academy.

The Case for Farm-to-Table Package Signing

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

More articles

Small octopus and a big idea: The story of how a one-year old Linux un-distro is improving the cloud’s software supply chain

Team Wolfi
  •  
September 27, 2023

Chainguard’s response to CVE-2023-4527 in glibc

Dan Luhring, Staff Software Engineer
  •  
September 25, 2023

A growing ecosystem of vulnerability scanners that now support Chainguard Images and Wolfi

Kim Lewandowski, Chief Product Officer
  •  
September 21, 2023

Don’t break the chain – secure your supply chain today!

Contact us
Please direct security disclosures or questions about our bug bounty program to security@chainguard.dev
Copyright 2022
BlogCareersLegalTerms

Sign up for our newsletter

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Unchained
Products
Chainguard Images
Reduce your attack surface with minimal, distroless images.
Chainguard Enforce
Manage, monitor and enforce end-to-end policies.
Chainguard Services
Infrastructure, configuration, and compliance assessment.
Developer
Resources
Company
Contact
Back
Docs
Open source
Back
Unchained blog
Chainguard labs
Customer stories
Education
Back
About
Newsroom
Careers
Back
About
Newsroom
Careers
Engineering

Designing build date epoch in Chainguard Images

Matt Moore, CTO
June 8, 2023
copied

In this post, we are going to walk through how we make Chainguard Images reproducible without the pesky problem where the images show up as created in 1970.

A little bit of background for the uninitiated. Typically container images carry a “created_at” timestamp in their “config file” reflecting when the container image was built. However, since this config file’s hash is part of a Merkle tree, which allows the container to be pulled by digest and how git works, any non-determinism in this timestamp results in the digest for the image changing even if everything else remains the same.

To address this non-determinism, a common practice became to set the timestamp to what’s called the Unix Epoch, which is midnight of January 1st 1970. above, this has led to all sorts of “fun” UX problems over the years.

To address this problem, the reproducible-builds.org group devised a scheme commonly called “source date epoch”, which established a way for users to configure a deterministic timestamp for the build tool to use, which is a function of the source input.

For folks using git they would do this via something like this:

-- CODE language-bash -- export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)

What this does is direct any build tools (that adhere to “source date epoch”) to use the timestamp of the most recent git commit as the timestamp within any artifacts produced. This means that any builds done at a particular commit will be binary-equivalent and the timestamps will match.

So why don’t we just use “source date epoch”?!?!  It sounds great!

In fact, we do! When we perform our APK builds for Wolfi, and our downstream enterprise Chainguard APKs, we encode the timestamp of when we last changed our packaging configuration file as the “source date epoch”:

-- CODE language-bash -- git log -1 --pretty=%ct --follow $(pkgname).yaml

Since each package pins to a particular version of the software, it only changes when the source or configuration changes (similar to the Merkle tree above):

The derived “source date epoch” timestamp gets encoded into the APK’s “control data” as the builddate, and the APKINDEX’s entry for that package as the “build time” (aka t:).

So what’s a “build date epoch” then…?

Things get a bit more complicated when we produce the Chainguard Images from these APKs because when we produce our Images we generally want to pick up the latest versions of these packages, often in order to fix CVEs. What this means is that unlike above, the timestamp of the configuration file does not reflect the timestamp we should use because the configuration file itself changes very rarely, but it will still continue to pick up newer packages than the configuration file itself. If the configuration file does change, then the image digest will change as well.

To account for this, we compute what we have dubbed the “build date epoch,” which is effectively the MAX(builddate) from the installed APKs and as we’ve established above for Wolfi and Chainguard APKs, it is based on a stable “source date epoch” of their respective packages.

In essence, “build date epoch” enables us to achieve a transitive form of “source date epoch,” and because of this the image digests will largely change only when one of their packages has a new version.

Want to learn more about how we build Chainguard Images? Watch our live demo with Chainguard CEO Dan Lorenc or visit Chainguard Academy.

Related articles
Engineering
Fully bootstrapping Go from source in Wolfi
August 11, 2023
Engineering
Good MLOps is good ML supply chain security
July 25, 2023
Engineering
OCI announces upcoming changes for registries
July 13, 2023
Products

Chainguard Images

Chainguard Enforce

Chainguard Services

Developer

Open source

Docs

Resources

Unchained blog

Chainguard Labs

Customer stories

Scanners

Security

Education

Company

About

Newsroom

Careers

Legal

Contact

Follow

Twitter

GitHub

LinkedIn

TikTok

© 2023 Chainguard, Inc.

Contact