Xinus

Reputation: 30533

Different checksum results for jar files compiled on subsequent build?

I am working on verifying the jar files present on remote Unix boxes against those built on a local machine (Windows & Cygwin) with the same JVM.

As a POC, I am trying to verify whether the same checksum is produced for jar files generated on my machine in consecutive builds. I tried the following:

  1. Generated the jar file the first time using the Ant script
  2. Calculated the checksum (e.g. "xyz abc")
  3. Generated the jar file again with the same Ant script without changing anything
  4. I got a different checksum but the same byte count (e.g. "xvw abc")

I am not sure how Java's internal processes produce the class files and then the jar files. Can someone please help me understand the points below?

  1. Does the cksum utility of Unix/Cygwin consider the timestamp of the file when computing the value?
  2. Will the checksum be different for the compiled class files/jar file produced if we keep everything else the same [compiler version + source code + machine + environment]?

Upvotes: 3

Views: 2589

Answers (1)

CeesV

Reputation: 41

Answer to question 1: cksum doesn't consider the timestamp of the archive (e.g. the jar file), but it does consider the timestamps of the files inside the jar file.

Answer to question 2: The checksums of the individual class files will be the same with all other things the same (source code, compiler etc.). The checksums of the jar files will be different. Causes of differences can be the timestamps of the files inside the jar file, or files being put into the archive in different orders (e.g. caused by parallel builds).

If you want to create a reproducible build with Gradle, you can do so with the config below:

```groovy
tasks.withType(AbstractArchiveTask) {
    preserveFileTimestamps = false
    reproducibleFileOrder = true
}
```

Maven allows something similar; sorry, I don't know how to do this with Ant.

More info here:

https://dzone.com/articles/reproducible-builds-in-java

https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318

Upvotes: 4
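When a deployed jar has to be checked against a local build that is not reproducible, comparing entry contents instead of the whole archive separates timestamp and ordering noise from real drift. The following is an added example, not code from the question or the answer; it uses SHA-256 rather than cksum, and the function names and sample jars are constructed for illustration.

```python
import hashlib
import io
import zipfile

def read_entries(jar_bytes):
    """Return [(name, timestamp, sha256 of uncompressed bytes)] in archive order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [(i.filename, i.date_time, hashlib.sha256(zf.read(i)).hexdigest())
                for i in zf.infolist() if not i.is_dir()]

def content_digest(jar_bytes):
    """Digest over sorted (name, content hash) pairs; ignores timestamps and order."""
    h = hashlib.sha256()
    for name, _, digest in sorted(read_entries(jar_bytes)):
        h.update(f"{name}\0{digest}\n".encode())
    return h.hexdigest()

def compare_jars(a, b):
    """Separate real content drift from build noise (timestamps, entry order)."""
    ea, eb = read_entries(a), read_entries(b)
    ha = {n: d for n, _, d in ea}
    hb = {n: d for n, _, d in eb}
    ta = {n: t for n, t, _ in ea}
    tb = {n: t for n, t, _ in eb}
    common = ha.keys() & hb.keys()
    return {
        "identical_bytes": a == b,
        "only_in_a": sorted(ha.keys() - hb.keys()),
        "only_in_b": sorted(hb.keys() - ha.keys()),
        "content_changed": sorted(n for n in common if ha[n] != hb[n]),
        "timestamp_changed": sorted(n for n in common if ta[n] != tb[n]),
        "order_changed": [n for n, _, _ in ea] != [n for n, _, _ in eb],
    }

def make_jar(files, timestamp):
    """Build a constructed sample jar in memory (stored, one timestamp for all entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files:
            zf.writestr(zipfile.ZipInfo(name, date_time=timestamp), data)
    return buf.getvalue()

# Constructed sample: same classes, different build time and entry order.
FILES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n"),
         ("com/example/A.class", b"\xca\xfe\xba\xbe A"),
         ("com/example/B.class", b"\xca\xfe\xba\xbe B")]
BUILD_1 = make_jar(FILES, (2024, 1, 1, 10, 0, 0))
BUILD_2 = make_jar(FILES[::-1], (2024, 1, 1, 10, 5, 0))

if __name__ == "__main__":
    print(compare_jars(BUILD_1, BUILD_2))
    print(content_digest(BUILD_1) == content_digest(BUILD_2))
```

For real files, pass `open(path, "rb").read()` for each jar; a non-empty `content_changed`, `only_in_a` or `only_in_b` is what warrants investigation.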
