Are Ubuntu Core Images Reproducible?


I’m working on creating an Ubuntu Core img that includes my first snap preinstalled. I have a bash script that downloads and configures a model assertion. It works!

Before publishing the img I wanted to generate a sha sum for others to verify after downloading. After doing so I noticed that each img, even if generated minutes apart, had a different sha sum. Therefore, the build is not reproducible.

This is my fault. I’m setting a timestamp to be a generated date after the creation of the signing key (because it is required to do so). Each build generates a different timestamp. Each built img contains the timestamp information within it. Therefore, each build outputs a slightly different img.

This leaves me with a few questions:

  • What does timestamp represent? The time of signing? Signature expiration? The documentation doesn’t say much about it.
  • If I were to fix the timestamp issue, can an Ubuntu Core img be expected to be reproducible at all?
    • It seems that snaps are fetched during the build so if one of them changes between builds it would mean that the build output is different without the build input (model assertion) having changed, right?
  • Would there be any problems if I were to, let’s say, set the timestamp to 100 years into the future to buy myself some time to figure this all out?