makepkg: introduce SOURCE_DATE_EPOCH

This patch introduces the SOURCE_DATE_EPOCH environmental variable.  All files
in a package are adjusted to have their modification dates set to the value
of SOURCE_DATE_EPOCH, which defaults to "date +%s".

Setting this variable allows a package that is built twice in the same
environment to be (potentially) reproducible in that the checksum of the
generated package file will be the same.

Also adjust the compression of the mtree file to avoid gzip embedding a
timestamp.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

scripts/makepkg.sh.in

@@ -87,6 +87,8 @@ SPLITPKG=0
 SOURCEONLY=0
 VERIFYSOURCE=0
 
+export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-$(date +%s)}
+
 PACMAN_OPTS=()
 
 shopt -s extglob
@@ -620,7 +622,6 @@ write_kv_pair() {
 }
 
 write_pkginfo() {
-	local builddate=$(date -u "+%s")
 	if [[ -n $PACKAGER ]]; then
 		local packager="$PACKAGER"
 	else
@@ -654,7 +655,7 @@ write_pkginfo() {
 
 	write_kv_pair "pkgdesc" "$spd"
 	write_kv_pair "url" "$url"
-	write_kv_pair "builddate" "$builddate"
+	write_kv_pair "builddate" "$SOURCE_DATE_EPOCH"
 	write_kv_pair "packager" "$packager"
 	write_kv_pair "size" "$size"
 	write_kv_pair "arch" "$pkgarch"
@@ -738,10 +739,14 @@ create_package() {
 	[[ -f $pkg_file ]] && rm -f "$pkg_file"
 	[[ -f $pkg_file.sig ]] && rm -f "$pkg_file.sig"
 
+	# ensure all elements of the package have the same mtime
+	find . -exec touch -h -d @$SOURCE_DATE_EPOCH {} +
+
 	msg2 "$(gettext "Generating .MTREE file...")"
-	list_package_files | LANG=C bsdtar -cnzf .MTREE --format=mtree \
+	list_package_files | LANG=C bsdtar -cnf - --format=mtree \
 		--options='!all,use-set,type,uid,gid,mode,time,size,md5,sha256,link' \
-		--null --files-from - --exclude .MTREE
+		--null --files-from - --exclude .MTREE | gzip -c -f -n > .MTREE
+	touch -d @$SOURCE_DATE_EPOCH .MTREE
 
 	msg2 "$(gettext "Compressing package...")"
 	# TODO: Maybe this can be set globally for robustness