Simple (almost drop-in) replacement for zip that produces deterministic files.
- dropin for zip
- remove all metadata from files added
- immutable zip util
bash <(curl -sS https://raw.githubusercontent.com/timo-reymann/deterministic-zip/main/installer)curl -LO https://github.com/timo-reymann/deterministic-zip/releases/download/$(curl -Lso /dev/null -w %{url_effective} https://github.com/timo-reymann/deterministic-zip/releases/latest | grep -o '[^/]*$')/deterministic-zip_linux-amd64 && \
chmod +x deterministic-zip_linux-amd64 && \
sudo mv deterministic-zip_linux-amd64 /usr/local/bin/deterministic-zipbrew tap timo-reymann/deterministic-zip
brew install deterministic-zipcurl -LO https://github.com/timo-reymann/deterministic-zip/releases/download/$(curl -Lso /dev/null -w %{url_effective} https://github.com/timo-reymann/deterministic-zip/releases/latest | grep -o '[^/]*$')/deterministic-zip_darwin-amd64 && \
chmod +x deterministic-zip_darwin-amd64 && \
sudo mv deterministic-zip_darwin-amd64 /usr/local/bin/deterministic-zipgo get -u github.com/timo-reymann/deterministic-zipUsing pipx you can just use the following command use deterministic-zip as it is:
pipx install deterministic-zip-goIf you want to use it directly using the subprocess module you can install it with pip:
pip install deterministic-zip-goAnd use the package like this:
import subprocess
from deterministic_zip_go import exec
# Run process and prefix stdout and stderr
exec.exec_with_templated_output(["--help"])
# Create a subprocess, specifying how to handle stdout, stderr
exec.create_subprocess(["--help"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# Perform command with suppressed output and return finished proces instance,
# on that one can also check if the call was successfully
exec.exec_silently(["--version"])Please check the Containerized section in Usage for more details.
The following platforms are supported (and have prebuilt binaries / ready to use integration):
- Linux
- 32-bit
- 64-bit
- ARM 64-bit
- ARM 32-bit
- Darwin
- 64-bit
- ARM (M1/M2)
- Windows
- ARM
- 32-bit
- 64-bit
- FreeBSD
- 32-bit
- 64-bit
- ARM 64-bit
- ARM 32-bit
- OpenBSD
- 32-bit
- 64-bit
- OCI compatible container engines (Docker, podman etc)
- ARM
- 64-bit
- CircleCI
- GitHub Actions
Binaries for all of these can be found on the latest release page.
For the docker image check the docker hub.
If you installed the binary via Releases, Install-Script or using go you can just run deterministic-zip as a command.
deterministic-zip -hPlease be aware that the image contains just the binary, no OS, libs or anything else. It also runs as root to be able to zip files no matter the ownership, feel free to build your own images based on that as well.
If you want to use the tool on a platform not supported yet or dont want
to install the tool locally you can also mount your folder in
/workspace which is the default working directory. Than you can just
execute commands as you want to.
docker run -v $PWD:/workspace timoreymann/deterministic-zip:latestIf you want to integrate the tool directly into your build image, you can also utilize the auto updates from tools like renovatebot or dependabot. Using docker built in features you can just get the binary directly from the image.
FROM base-image:tag
# do your customizations
COPY --from=timoreymann/deterministic-zip:latest /deterministic-zip /usr/bin/deterministic-zipWhy another zip-tool? What is this deterministic stuff?!
When we are talking about deterministic it means that the hash of the zip file won't change unless the contents of the zip file changes.
This means only the content, no metadata. You can achieve this with zip, yes.
The problem that still remains is that the order is almost unpredictable and zip is very platform specific, so you will end up with a bunch of crazy shell pipelines. And I am not even talking about windows at this point.
So this is where this tool comes in, it is intended to be a drop-in replacement for zip in your build process.
The use cases for this are primary:
- Zipping serverless code
- Backups or other files that get rsynced
I can recommend the following resources:
Of course, it is not as reliable as the battle-proven and billions of times executed zip.
Even though I am heavily relying on the go stdlib this software can of course have bugs. And you are welcome to report them and help make this even more stable. Of course there will be tests to cover most use cases but at the end this is still starting from scratch, so if you need advanced features or just dont feel comfortable about using this tool don't do it!
Please see docs/differences
I love your input! I want to make contributing to this project as easy and transparent as possible, whether it's:
- Reporting a bug
- Discussing the current state of the configuration
- Submitting a fix
- Proposing new features
- Becoming a maintainer
To get started please read the Contribution Guidelines.
make test-coverage-reportmake buildAs far as I know the following (GitHub) projects exist:
- bboe/deterministic_zip (Python)
- You must list files explicitly
- Changed order -> changed zip
- You will need to install Python (no problem on Linux/Mac) and the package
- bitgenics/deterministic-zip (NodeJS/JavaScript)
- Support for globs and ignores order
- You need to install node.js, the package, and it has no cli interface
- orf/deterministic-zip (Rust)
- has prebuilt binaries for all relevant platforms (and other can be built easily)
- very basic, but you can customize compression (nice feature)
All in all they are just simply not what I needed. My favourite is Rust, because its just simply dropping in a binary. Something that's very convenient especially when it comes to Docker builds.
The main problem that all these solutions share is that it in my opinion cool things like excluding patterns, that I regularly use are simply not implemented, and i REALLY love glob patterns.
This whole project wouldnt be possible with the great work of the following libraries:
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent