
Implement Maven reproducible builds

Open Copilot opened this issue 8 months ago • 0 comments

This PR implements Maven reproducible builds for the Jaxen project, ensuring that building the same source code multiple times produces bit-for-bit identical artifacts.

Changes Made

Core Implementation:

  • Added project.build.outputTimestamp property set to 2024-01-15T00:00:00Z in the main pom.xml
  • This property ensures all Maven plugins use a fixed timestamp for artifact generation

Verification & Documentation:

  • Created verify-reproducible-build.sh script that builds the project twice and compares SHA256 hashes to verify reproducibility
  • Updated README.md with a new "Reproducible Builds" section explaining the feature and how to verify it

Benefits

Reproducible builds provide several important advantages:

  • Security: Enables verification that distributed binaries match the claimed source code
  • Trust: Users can independently verify that artifacts haven't been tampered with
  • Debugging: Identical builds make it easier to track down issues across different environments
  • Compliance: Meets modern software supply chain security requirements

Testing

The implementation has been thoroughly tested:

  • Multiple builds produce identical SHA256 hashes for all JAR artifacts
  • Builds remain reproducible across different directories and environments
  • All existing tests continue to pass
  • The verification script successfully validates reproducibility

All Maven plugins used in the build are at versions that support reproducible builds (maven-compiler-plugin 3.13.0, maven-source-plugin 3.3.1, maven-bundle-plugin 5.1.9, etc.).

Fixes #173.



Copilot · Aug 23 '25 13:08
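The check the description outlines, as an added example rather than the PR's own verify-reproducible-build.sh: build twice into separate directories and compare the SHA-256 of every JAR, so any non-reproducible input (an unfixed timestamp, a host-dependent path baked into a manifest) shows up as a hash mismatch. The `mvn` invocation, the `target/*.jar` output path and the `build1`/`build2` directory names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the Jaxen project's script. Assumes
# project.build.outputTimestamp is set in pom.xml, as the PR describes.
set -eu

# SHA-256 of one file; works with GNU sha256sum or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare every JAR in directory $1 against the same-named JAR in $2.
# Prints OK/DIFF/MISSING per artifact; returns 1 if anything differs.
compare_artifacts() {
  a="$1"; b="$2"; status=0
  for f in "$a"/*.jar; do
    [ -e "$f" ] || { echo "no JARs found in $a" >&2; return 1; }
    name=$(basename "$f")
    if [ ! -f "$b/$name" ]; then
      echo "MISSING $name in $b"; status=1; continue
    fi
    ha=$(sha256_of "$f"); hb=$(sha256_of "$b/$name")
    if [ "$ha" = "$hb" ]; then
      echo "OK   $name $ha"
    else
      echo "DIFF $name $ha != $hb"; status=1
    fi
  done
  return $status
}

# Clean build, then copy the produced JARs into the given directory (assumed layout).
build_into() {
  mvn -q clean package -DskipTests
  mkdir -p "$1" && cp target/*.jar "$1"/
}

main() {
  build_into build1
  build_into build2
  compare_artifacts build1 build2 && echo "reproducible: all JARs match"
}

# Run the full double build only when invoked with --run (e.g. ./verify.sh --run).
case "${1:-}" in --run) main ;; esac
```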