Reproducible builds broken in 1.8.0

[NullHypothesis]

Actual behavior
Consider the Go program main.go and its corresponding Dockerfile (both listed below). Using kaniko in version 1.7.0, two subsequent reproducible builds using the command listed below result – as expected – in two identical Docker images. In version 1.8.0, however, two subsequent builds are no longer identical.

Expected behavior

I expect two subsequent reproducible builds to result in identical images.

To Reproduce
Steps to reproduce the behavior:

1. Build an image by running:

$ docker run -v $(pwd):/src --network=host gcr.io/kaniko-project/executor:v1.8.0 --reproducible --dockerfile /src/Dockerfile --no-push --tarPath /src/image-file-main-00.tar --destination main:00 --cache=false --context dir:///src/

2. Build a second image by running:

$ docker run -v $(pwd):/src --network=host gcr.io/kaniko-project/executor:v1.8.0 --reproducible --dockerfile /src/Dockerfile --no-push --tarPath /src/image-file-main-01.tar --destination main:01 --cache=false --context dir:///src/

3. Import both images by running:

$ cat image-file-main-00.tar | docker load
$ cat image-file-main-01.tar | docker load

4. Compare the image IDs:

$ docker image ls main
REPOSITORY   TAG       IMAGE ID       CREATED   SIZE
main         00        e65d80240143   N/A       1.75MB
main         01        77fc4150ed91   N/A       1.75MB

The Go program is identical in both builds but the surrounding tar archive isn't. I compared the hexdump of the tar archive of both builds and noticed that there are atime and ctime fields that contain a Unix timestamp, which is the reason why the builds differ. Could this regression have been caused by ee95be1?

Additional Information

• Dockerfile

FROM golang:1.18 as builder
WORKDIR /src
COPY main.go ./
RUN CGO_ENABLED=0 GO111MODULE=off go build -trimpath -o main
FROM scratch as artifact
COPY --from=builder /src/main /bin/
CMD [ "/" ]

• Build Context

package main                      
 
import "fmt"

func main() {
	fmt.Println("Hello!")
}

Triage Notes for the Maintainers

Description	Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile

[imjasonh]

Just to check, do you get reproducible builds if your builder is golang:1.17 or even :1.16? There were some build stamping changes in 1.18 that may be causing reproducibility to suffer.

[NullHypothesis]

Just to check, do you get reproducible builds if your builder is golang:1.17 or even :1.16? There were some build stamping changes in 1.18 that may be causing reproducibility to suffer.

No, the problem remains with a 1.17 builder.

[hmemcpy]

My colleague and I stumbled on this exact issue and now can confirm: downgrading to v1.7.0 of kaniko solved the problem: the produced image had the same digest! So it's indeed a regression.

[fernandrone]

FWIW I'll add another anecdata here. I'm testing Kaniko at my workplace and had the exact same issue building a Golang 1.17 project. I could not figure out why Kaniko reproducible builds was not working even though I verified that my go binary was the same between builds. Downgrading to v1.7.0 of Kaniko fixed the issue. I could try and add some data here if that would be helpful but my situation was pretty much the one describe in the Issue description.

[Sineaggi]

Just encountered this today. We use kaniko --reproducible for our base-images. Downgrading to kaniko 1.7.0 worked for this project.

[suicide]

I think #1809 causes this issue. I compared layer tar's produced by 1.7.0 and 1.8.1 (because I am idiot) and the tar format (Pax Header) changed between these versions. 1.8.1 contains ctime and atime as @NullHypothesis noted. The old version does not.

maybe --repoducible should switch back to the old format?

[paisleyrob]

Narrowing down @suicide's comment, the --reproducible flag was broken between v1.7.0 and v1.8.0. The only changes I saw on the v1.8.0 was atime/ctime changes @NullHypothesis mentioned.

[hrobertson]

I can confirm that building 1.9.1 but with #1809 reverted results in reproducible image builds working as expected.