From f14f89b366200d41833219387d8c74569760659f Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Tue, 28 May 2024 11:34:51 +1200
Subject: [PATCH 1/2] examples:winexe: reproducible builds with zero timestamp

Windows Portable Executable files have a timestamp field and a
checksum field. By default the timestamp field is updated to the
current time, which consequently changes the checksum. This makes the
build nondeterministic. It looks like this:

  --- a/tmp/winexe-1/winexesvc64_exe_binary.c
  +++ b/tmp/winexe-2/winexesvc64_exe_binary.c
  @@ -23,7 +23,7 @@ const DATA_BLOB *winexesvc64_exe_binary(void)
                0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A,
                0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x0A, 0x00,
  -             0xB2, 0x16, 0x55, 0x66, 0x00, 0x00, 0x00, 0x00,
  +             0xD3, 0x3B, 0x55, 0x66, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x2E, 0x02,
                0x0B, 0x02, 0x02, 0x26, 0x00, 0x86, 0x00, 0x00,
                0x00, 0xBA, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00,
  @@ -33,7 +33,7 @@ const DATA_BLOB *winexesvc64_exe_binary(void)
                0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x05, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x40, 0x01, 0x00, 0x00, 0x04, 0x00, 0x00,
  -             0x73, 0xD7, 0x00, 0x00, 0x03, 0x00, 0x60, 0x01,
  +             0x94, 0xFC, 0x00, 0x00, 0x03, 0x00, 0x60, 0x01,
                0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,

https://learn.microsoft.com/en-us/windows/win32/debug/pe-format says
that a timestamp of zero can be used to represent a time that is not
"real or meaningful", so we do that.

As far as I can tell, the timestamp and checksum are only used in
DLLs, not directly executed .exe files.

Thanks to Freexian and the Debian LTS project for sponsoring this work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13213

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e604f7575167d3572e1b67c6e77ab7273508533d)
---
 examples/winexe/wscript       | 14 ++++++++++++++
 examples/winexe/wscript_build |  4 ++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/examples/winexe/wscript b/examples/winexe/wscript
index 6b311b1da41..a202282e765 100644
--- a/examples/winexe/wscript
+++ b/examples/winexe/wscript
@@ -1,4 +1,6 @@
 #!/usr/bin/env python
+import os
+
 
 def configure(conf):
     AR32 = ['i386', 'i586', 'i686']
@@ -27,5 +29,17 @@ def configure(conf):
             conf.DEFINE('HAVE_WINEXE_CC_WIN64', 1);
             break
 
+    source_date_epoch = os.environ.get('SOURCE_DATE_EPOCH')
+    if source_date_epoch is None:
+        # We set the timestamp to be 0, which makes the winexe build
+        # reproducible. According to
+        # https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
+        #
+        # > If the stamp value is 0 or 0xFFFFFFFF, it does not
+        # > represent a real or meaningful date/time stamp.
+
+        source_date_epoch = '0'
+
+    conf.env.SOURCE_DATE_EPOCH = source_date_epoch
     conf.DEFINE("WINEXE_LDFLAGS",
                 "-s -Wall -Wl,-Bstatic -Wl,-Bdynamic -luserenv")
diff --git a/examples/winexe/wscript_build b/examples/winexe/wscript_build
index a9de3473948..faec560bc88 100644
--- a/examples/winexe/wscript_build
+++ b/examples/winexe/wscript_build
@@ -58,7 +58,7 @@ bld.SAMBA_GENERATOR(
     'winexesvc32_exe',
     source='winexesvc.c',
     target='winexesvc32.exe',
-    rule='${WINEXE_CC_WIN32} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}',
+    rule='SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} ${WINEXE_CC_WIN32} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}',
     enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN32)
 
 vars = {"WINEXE_FN": "winexesvc32_exe_binary"}
@@ -78,7 +78,7 @@ bld.SAMBA_GENERATOR(
     'winexesvc64_exe',
     source='winexesvc.c',
     target='winexesvc64.exe',
-    rule='${WINEXE_CC_WIN64} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}',
+    rule='SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} ${WINEXE_CC_WIN64} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}',
     enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN64)
 
 vars = {"WINEXE_FN": "winexesvc64_exe_binary"}
-- 
2.25.1


From 49485df4aab456cabd4a2002d408a62f9cb6ebc0 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 30 May 2024 10:44:24 +1200
Subject: [PATCH 2/2] examples:winexe: embed Samba version as exe timestamp

It turns out the timestamp doesn't need to be real, and it isn't used,
but it might as well tell you something. So let's make it tell you what
version of Samba it came from, which could be useful for people who have
lots of old winexes lying around, the poor souls.

00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000080  50 45 00 00 64 86 0a 00  00 15 04 00 00 00 00 00  |PE..d...........|
                                    |  |  |
                                    |  |  major  4.
                                    |  minor     21.
                                    release      0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13213

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri May 31 01:28:06 UTC 2024 on atb-devel-224

(cherry picked from commit 3a7dbf8b77b2a9e7cdc55bc5b339b9f501d037aa)
---
 examples/winexe/wscript | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/examples/winexe/wscript b/examples/winexe/wscript
index a202282e765..c4f13b89f01 100644
--- a/examples/winexe/wscript
+++ b/examples/winexe/wscript
@@ -31,14 +31,21 @@ def configure(conf):
 
     source_date_epoch = os.environ.get('SOURCE_DATE_EPOCH')
     if source_date_epoch is None:
-        # We set the timestamp to be 0, which makes the winexe build
-        # reproducible. According to
-        # https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
+        # We use the version to make up the timestamp that will be
+        # embedded in winexe.exe, to keep the build reproducible.
         #
-        # > If the stamp value is 0 or 0xFFFFFFFF, it does not
-        # > represent a real or meaningful date/time stamp.
-
-        source_date_epoch = '0'
+        # This is less evil than it sounds. According to Raymond Chen in
+        # https://devblogs.microsoft.com/oldnewthing/20180103-00/?p=97705
+        # since Windows 10 the timestamp has been randomised.
+        #
+        # The purpose of the timestamp in Windows PE files seems to be
+        # to make spotting ABI changes in DLLs quicker, for which a
+        # random number is just as good as a real time. The timestamp
+        # in .exe files is not used.
+        import samba_version
+        v = samba_version.load_version(env=conf.env)
+        version = (v.MAJOR << 16) | (v.MINOR << 8) | v.RELEASE
+        source_date_epoch = str(version)
 
     conf.env.SOURCE_DATE_EPOCH = source_date_epoch
     conf.DEFINE("WINEXE_LDFLAGS",
-- 
2.25.1