Arch Linux Now Has a Bit-for-Bit Reproducible Docker Image

Published: (April 22, 2026 at 09:59 PM EDT)

Source: Hacker News

As a follow‑up to the similar milestone reached for our WSL image a few months ago, Arch Linux now has a bit‑for‑bit reproducible Docker image.

The image is distributed under a new repro tag on Docker Hub: .

Reproducible Docker Image

To guarantee reproducibility, the pacman keyring is stripped from the image. Consequently, pacman cannot be used out of the box.
Before installing or updating packages you must (re)generate the keyring inside the container:

pacman-key --init && pacman-key --populate archlinux

You can run this command interactively on first start, or include it in a RUN statement when using the image as a base.

Distrobox usage

distrobox create -n arch-repro \
  -i docker.io/archlinux/archlinux:repro \
  --pre-init-hooks "pacman-key --init && pacman-key --populate archlinux"

Verification of Reproducibility

  • Digest equality across builds can be checked with:

    podman inspect --format '{{.Digest}}' <image>

  • The diffoci tool can compare builds for byte‑level differences: .

Documentation for reproducing the Docker image is available here.

Building the Image

The deterministic build of the base root filesystem reuses the same process as the Arch Linux WSL image ().

Docker‑specific adjustments

  • Source date epoch – set SOURCE_DATE_EPOCH and propagate it to the org.opencontainers.image.created label in the Dockerfile.

  • Remove ldconfig auxiliary cache – this file introduces non‑determinism:

    TYPE    NAME                            INPUT-0                                                             INPUT-1
    File    var/cache/ldconfig/aux-cache    656b08db599dbbd9eb0ec663172392023285ed6598f74a55326a3d95cdd5f5d0    ffee92304701425a85c2aff3ade5668e64bf0cc381cfe0a5cd3c0f4935114195

  • Normalize timestamps during docker build / podman build with the --source-date-epoch=$SOURCE_DATE_EPOCH and --rewrite-timestamp options; without them, diffoci reports differing modification times:

    TYPE    NAME                 INPUT-0                          INPUT-1
    File    etc/                 2026-03-31 07:57:46 +0000 UTC    2026-03-31 07:59:21 +0000 UTC
    File    etc/ld.so.cache      2026-03-31 07:57:46 +0000 UTC    2026-03-31 07:59:21 +0000 UTC
    File    etc/os-release       2026-03-31 07:57:46 +0000 UTC    2026-03-31 07:59:21 +0000 UTC
    File    sys/                 2026-03-31 07:57:46 +0000 UTC    2026-03-31 07:59:21 +0000 UTC
    File    var/cache/           2026-03-31 07:57:46 +0000 UTC    2026-03-31 07:59:21 +0000 UTC
    File    var/cache/ldconfig/  2026-03-31 07:57:46 +0000 UTC    2026-03-31 07:59:21 +0000 UTC
    File    proc/                2026-03-31 07:57:46 +0000 UTC    2026-03-31 07:59:21 +0000 UTC
    File    dev/                 2026-03-31 07:57:46 +0000 UTC    2026-03-31 07:59:21 +0000 UTC

You can review the full change set in the archlinux‑docker repository: .
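
The effect of the two filesystem adjustments above can be modeled offline. This is an added example, not code from the archlinux-docker repository: it treats a layer as a single uncompressed tar, models timestamp rewriting as clamping mtimes to the epoch, and uses hypothetical function names, constructed file contents and a constructed SOURCE_DATE_EPOCH.

```python
import hashlib, io, tarfile
from datetime import datetime, timezone

def utc(*args):
    return int(datetime(*args, tzinfo=timezone.utc).timestamp())

SOURCE_DATE_EPOCH = utc(2026, 3, 31)          # constructed value
AUX_CACHE = "var/cache/ldconfig/aux-cache"    # path from the diffoci output above

def build_layer(aux_cache, build_time):
    """Simulate one build: same files, build-time mtimes, varying aux-cache."""
    files = {"etc/ld.so.cache": b"constructed cache",
             "etc/os-release": b"NAME=constructed\n",
             AUX_CACHE: aux_cache}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), build_time
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def normalize(layer, epoch=SOURCE_DATE_EPOCH, drop=(AUX_CACHE,)):
    """Drop non-deterministic files and clamp mtimes newer than epoch."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(layer)) as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for member in sorted(src.getmembers(), key=lambda m: m.name):
            if member.name in drop:
                continue
            member.mtime = min(member.mtime, epoch)
            dst.addfile(member, src.extractfile(member))
    return out.getvalue()

def digest(layer):
    return "sha256:" + hashlib.sha256(layer).hexdigest()

# Two constructed builds, stamped with the build times shown in the table above.
build_a = build_layer(b"aux-cache build A", utc(2026, 3, 31, 7, 57, 46))
build_b = build_layer(b"aux-cache build B", utc(2026, 3, 31, 7, 59, 21))

if __name__ == "__main__":
    same = lambda x, y: digest(x) == digest(y)
    print("raw builds equal:  ", same(build_a, build_b))
    print("clamped only equal:", same(normalize(build_a, drop=()),
                                      normalize(build_b, drop=())))
    print("clamped + dropped: ", same(normalize(build_a), normalize(build_b)))
```

Clamping timestamps alone still leaves the digests different because the aux-cache contents vary; only both adjustments together make the two layers identical.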

Acknowledgements & Next Steps

Thanks to Mark for his help on this effort!

This milestone furthers Arch Linux’s broader “reproducible builds” initiative. Looking ahead, I’m considering setting up an automated rebuilder for this Docker image (and for the WSL image) to periodically rebuild, verify reproducibility, and publish build logs publicly. 🤗