From 500fd9cfd1a32ab54ae22bb29612704cfa112b60 Mon Sep 17 00:00:00 2001 From: Jon Hermansen Date: Sun, 29 Mar 2026 19:52:49 -0400 Subject: [PATCH] Fix reproducibility of embedded data tarball The tar command in package-cli produces a non-reproducible archive because file ordering and timestamps vary between builds. This causes bit-for-bit differences when rebuilding k3s from the same source, which breaks reproducible build systems such as Nix. Sort the archive entries by name and clamp modification times to the Unix epoch so the tarball content is deterministic regardless of filesystem ordering or build time. Ref: NixOS/nixpkgs#430225 Ref: NixOS/nixpkgs#502374 Signed-off-by: Jon Hermansen --- scripts/package-cli | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/package-cli b/scripts/package-cli index fbdc3463e69..cd1d4fb8d26 100755 --- a/scripts/package-cli +++ b/scripts/package-cli @@ -54,7 +54,8 @@ mkdir -p ./etc set -x ) -tar cvf ./build/out/data-${OS}.tar ./bin ./etc +# Ensure the embedded tarball is reproducible: sort file order and clamp timestamps +tar --sort=name --mtime=@0 -cvf ./build/out/data-${OS}.tar ./bin ./etc zstd --no-progress -T0 -16 -f --long=25 --rm ./build/out/data-${OS}.tar -o ./build/out/data-${OS}.tar.zst HASH=$(sha256sum ./build/out/data-${OS}.tar.zst | awk '{print $1}')
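Review bot: the new `tar --sort=name --mtime=@0` line fixes entry order and modification time but leaves ownership untouched, so each header still records the uid/gid and user/group names of the building account. That means `data-${OS}.tar`, and the `HASH` computed from the compressed file, can still differ between build hosts or users. Consider adding `--owner=0 --group=0 --numeric-owner` to the same command so the result does not depend on who runs the build. Also, `--sort=name` is a GNU tar option (1.28 or later) and the command will fail under other tar implementations, so the added comment should state the GNU tar requirement.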