Merge pull request #326785 from Smaug123/nuget-deterministic

dotnet: strip signature files from NuGet

pkgs/build-support/dotnet/make-nuget-deps/default.nix

@@ -1,15 +1,35 @@
-{ linkFarmFromDrvs, fetchurl }:
+{ linkFarmFromDrvs, fetchurl, runCommand, zip }:
 { name, nugetDeps ? import sourceFile, sourceFile ? null }:
 linkFarmFromDrvs "${name}-nuget-deps" (nugetDeps {
   fetchNuGet = { pname, version, sha256 ? "", hash ? ""
     , url ? "https://www.nuget.org/api/v2/package/${pname}/${version}" }:
-    fetchurl {
-      name = "${pname}.${version}.nupkg";
-      # There is no need to verify whether both sha256 and hash are
-      # valid here, because nuget-to-nix does not generate a deps.nix
-      # containing both.
-      inherit url sha256 hash;
-    };
-}) // {
+    let
+      src = fetchurl {
+        name = "${pname}.${version}.nupkg";
+        # There is no need to verify whether both sha256 and hash are
+        # valid here, because nuget-to-nix does not generate a deps.nix
+        # containing both.
+        inherit url sha256 hash;
+      };
+    in
+    # NuGet.org edits packages by signing them during upload, which makes
+    # those packages nondeterministic depending on which source you
+    # get them from. We fix this by stripping out the signature file.
+    # Signing logic is https://github.com/NuGet/NuGet.Client/blob/128a5066b1438627ac69a2ffe9de564b2c09ee4d/src/NuGet.Core/NuGet.Packaging/Signing/Archive/SignedPackageArchiveIOUtility.cs#L518
+    # Non-NuGet.org sources might not have a signature file; in that case, zip
+    # exits with code 12 ("zip has nothing to do", per `man zip`).
+    runCommand src.name
+      {
+        inherit src;
+        nativeBuildInputs = [ zip ];
+      }
+      ''
+        zip "$src" --temp-path "$TMPDIR" --output-file "$out" --delete .signature.p7s || {
+          (( $? == 12 ))
+          install -Dm644 "$src" "$out"
+        }
+      '';
+})
+// {
   inherit sourceFile;
 }