x/build/cmd/relui: reproducibility diffs in darwin signed tar generation

[rsc]

The Darwin tar files that get rebuilt to put in the signed binaries
are different from the cmd/dist-generated ones in a few ways.
For now I can teach the reproduction checker I'm working on to ignore
these differences, but could these divergences be corrected in relui?
It seems like they should be straightforward
(perhaps it requires packing the tar file in Go code instead of invoking the system tar though).

• The standard cmd/dist-generated tar files have no uid/gid/uname/gname - they're 0/0/""/"".
  The signed ones say 501/0/gopher/wheel.
  Let's clear the signed ones too (or preserve the cmd/dist-provided metadata, either way).

• The standard cmd/dist-generated tar files have no entries for directories.
  The signed ones add entries for directories, with semi-random time stamps, like go/ and go/api/ below (and more).
  Let's remove the tar entries for directories.

• The mtime on signed binaries is changed to be different from the mtime used consistently in the rest of the archive.
  Let's keep the mtime the same on all files.

There is also an inconsistency in the file order but I think that one is cmd/distpack's fault and I will fix it there.

Thanks!

% tar tzvf cmddist.tgz | sed 10q
-rw-r--r--  0 0      0        1337 Jul 13 15:00 go/CONTRIBUTING.md
-rw-r--r--  0 0      0        1479 Jul 13 15:00 go/LICENSE
-rw-r--r--  0 0      0        1303 Jul 13 15:00 go/PATENTS
-rw-r--r--  0 0      0        1455 Jul 13 15:00 go/README.md
-rw-r--r--  0 0      0         419 Jul 13 15:00 go/SECURITY.md
-rw-r--r--  0 0      0          36 Jul 13 15:00 go/VERSION
-rw-r--r--  0 0      0        1142 Jul 13 15:00 go/api/README
-rw-r--r--  0 0      0       35424 Jul 13 15:00 go/api/except.txt
-rw-r--r--  0 0      0     2687115 Jul 13 15:00 go/api/go1.1.txt
-rw-r--r--  0 0      0       30821 Jul 13 15:00 go/api/go1.10.txt
% tar tzvf signed.tgz | sed 10q
drwxr-xr-x  0 0      0           0 Jul 13 17:49 go/
-rw-r--r--  0 gopher wheel    1337 Jul 13 15:00 go/CONTRIBUTING.md
-rw-r--r--  0 gopher wheel    1479 Jul 13 15:00 go/LICENSE
-rw-r--r--  0 gopher wheel    1303 Jul 13 15:00 go/PATENTS
-rw-r--r--  0 gopher wheel    1455 Jul 13 15:00 go/README.md
-rw-r--r--  0 gopher wheel     419 Jul 13 15:00 go/SECURITY.md
-rw-r--r--  0 gopher wheel      36 Jul 13 15:00 go/VERSION
drwxr-xr-x  0 gopher wheel       0 Jul 13 15:14 go/api/
-rw-r--r--  0 gopher wheel    1142 Jul 13 15:00 go/api/README
-rw-r--r--  0 gopher wheel   35424 Jul 13 15:00 go/api/except.txt
% 

[rsc]

https://go-review.googlesource.com/c/go/+/511977 is the distpack change to fix the file sort order to match what a system tar or fs.WalkDir would use.

[gopherbot]

Change https://go.dev/cl/511977 mentions this issue: cmd/distpack: sort files in standard walk order

[rsc]

One more issue - the mtimes on signed binaries are different from the mtime used on all the other files in the archive. Updated list in top comment.

[gopherbot]

Change https://go.dev/cl/511759 mentions this issue: internal/relui: improve reproducibility of signed tarballs

[rsc]

Replied on the submitted CL, but since it is merged I will comment here too: distpack does not set AccessTime and ChangeTime, so I think those should be zeroed, not set to the mtime.

[gopherbot]

Change https://go.dev/cl/512437 mentions this issue: internal/relui: improve reproducibility of signed tarballs, take 2

[heschi]

I've pushed relui and I believe we're done here. Let me know if I'm wrong.

[gopherbot]

Change https://go.dev/cl/515415 mentions this issue: cmd/gorebuild: check uid/gid/uname/gname/mtime fields in tgz files

[gopherbot]

Change https://go.dev/cl/552015 mentions this issue: internal/relui: handle error from loadBinaries