Reproducible Build Maven Plugin

Have you ever tried to compile the same sources twice with Maven and compared the hashes of the generated artifacts? They are not the same! Maven is not able to build an artifact in a truly reproducible (i.e. byte-for-byte) way.

NOTE: Recent versions of the main Maven plugins have been modified to allow reproducible builds without the use of this plugin. See Configuring for Reproducible Builds for more details.

This Maven plugin tries to strip "non-reproducible" data from the generated artifacts. It follows the same goals as Debian's Reproducible Builds project, but at the modest scale of a Maven project. You can also have a look at my Devoxx France 2016 talk "Bit-for-bit reproducible builds with Maven".

Using this plugin is a no-brainer: simply add it to your pom and it will try to "automagically" make the build byte-for-byte reproducible.

NOTE: This plugin requires Java 8 or later.

Goals Overview

There are several goals:

  • The "strip-jar" goal processes all the ZIP/JAR/WAR/EAR files found in the target repository and does the following things:
    • sorts ZIP entries by name,
    • replaces file timestamps in ZIP entries with a fixed value,
    • removes timestamps, user names and tool versions in MANIFEST.MF,
    • removes comments in pom.properties file (some of them can contain time/date).

NOTE: As of version 0.5, the "strip-jar" goal also processes TAR/TAR.GZ/TAR.BZ2 files.

  • The "strip-jaxb" goal normalizes ObjectFactory.java files generated by the JAXB xjc tool. Before JAXB 2.2.11, xjc generates ObjectFactory.java files whose methods are emitted in a non-predictable order, which produces non-reproducible class files (cf. issue JAXB-598).
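To make the "strip-jar" steps concrete, here is an added Python illustration (not the plugin's own code, which is Java) of what normalizing a JAR involves: two constructed builds of the same classes differ in entry order, entry timestamps, MANIFEST.MF build attributes and pom.properties comments, so their hashes differ; after sorting entries, pinning every timestamp and dropping the volatile metadata, both archives hash identically. The fixed timestamp, the list of manifest attributes treated as volatile and the sample archives are assumptions made for this example.

```python
"""Illustration of the strip-jar normalization steps using Python's zipfile (example code, not the plugin)."""
import hashlib
import io
import zipfile

# Constant DOS timestamp written to every entry (constructed value for this example).
FIXED_DATE_TIME = (1980, 1, 1, 0, 0, 0)

# MANIFEST.MF attributes that record who/what/when built the jar (constructed list for this example).
VOLATILE_MANIFEST_KEYS = {"Built-By", "Build-Jdk", "Build-Jdk-Spec", "Created-By", "Build-Time"}


def normalize_manifest(text: str) -> str:
    """Drop volatile manifest attributes, including continuation lines that belong to them."""
    kept, skipping = [], False
    for line in text.splitlines():
        if line.startswith(" "):            # continuation of the previous attribute
            if not skipping:
                kept.append(line)
            continue
        key = line.split(":", 1)[0].strip()
        skipping = key in VOLATILE_MANIFEST_KEYS
        if not skipping:
            kept.append(line)
    return "\r\n".join(kept) + "\r\n"


def normalize_pom_properties(text: str) -> str:
    """Remove comment lines; Maven writes the build date in one of them."""
    return "".join(line + "\n" for line in text.splitlines() if not line.lstrip().startswith("#"))


def strip_jar(jar_bytes: bytes) -> bytes:
    """Rewrite a jar with entries sorted by name, fixed timestamps and cleaned metadata."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in sorted(src.infolist(), key=lambda i: i.filename):
            payload = src.read(info.filename)
            if info.filename == "META-INF/MANIFEST.MF":
                payload = normalize_manifest(payload.decode("utf-8")).encode("utf-8")
            elif info.filename.endswith("/pom.properties"):
                payload = normalize_pom_properties(payload.decode("utf-8")).encode("utf-8")
            new_info = zipfile.ZipInfo(info.filename, date_time=FIXED_DATE_TIME)
            new_info.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(new_info, payload)
    return out.getvalue()


def build_jar(manifest: str, entries, date_time) -> bytes:
    """Construct a small jar whose entry order and timestamps mimic a real build (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in [("META-INF/MANIFEST.MF", manifest)] + list(entries):
            zi = zipfile.ZipInfo(name, date_time=date_time)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, payload)
    return buf.getvalue()


CLASS_A = b"\xca\xfe\xba\xbe fake class A"        # constructed stand-ins for compiled classes
CLASS_B = b"\xca\xfe\xba\xbe fake class B"
POM_PROPS = "groupId=com.example\nartifactId=demo\nversion=1.0\n"
PROPS_PATH = "META-INF/maven/com.example/demo/pom.properties"


def sample_builds():
    """Two builds of the same sources on different days, by different people (constructed)."""
    jar_1 = build_jar(
        "Manifest-Version: 1.0\r\nBuilt-By: alice\r\nBuild-Jdk: 17.0.1\r\nMain-Class: com.example.A\r\n\r\n",
        [("com/example/A.class", CLASS_A), ("com/example/B.class", CLASS_B),
         (PROPS_PATH, "#Generated by Maven\n#Mon Jan 01 10:00:00 UTC 2024\n" + POM_PROPS)],
        (2024, 1, 1, 10, 0, 0))
    jar_2 = build_jar(
        "Manifest-Version: 1.0\r\nBuilt-By: bob\r\nBuild-Jdk: 17.0.9\r\nMain-Class: com.example.A\r\n\r\n",
        [("com/example/B.class", CLASS_B), ("com/example/A.class", CLASS_A),
         (PROPS_PATH, "#Generated by Maven\n#Tue Jan 02 11:30:00 UTC 2024\n" + POM_PROPS)],
        (2024, 1, 2, 11, 30, 0))
    return jar_1, jar_2


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def list_entries(jar_bytes: bytes):
    """Return (name, date_time) for every entry, in archive order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [(i.filename, i.date_time) for i in zf.infolist()]


def read_entry(jar_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    jar_1, jar_2 = sample_builds()
    print("identical before stripping:", sha256(jar_1) == sha256(jar_2))
    print("identical after stripping: ", sha256(strip_jar(jar_1)) == sha256(strip_jar(jar_2)))
```

Comparing the two stripped archives byte-for-byte is the check worth keeping in a pipeline: a hash mismatch after normalization means some other source of variation (a different compiler, a timestamp embedded in a generated class, or an unsorted generated file) still needs to be tracked down.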

If you find other interesting sources of "non reproducible" data that this plugin could remove, please open a ticket in the bug tracker or send a pull request.

Please note that you must use the same compiler (and possibly Maven) version to get the same results. You can use the maven-enforcer-plugin to enforce that, or use a tool like moot to download and use the JDK and Maven versions required for the build.