diff --git a/internal/cli/gen.go b/internal/cli/gen.go
index 6908c0f..ac04427 100644
--- a/internal/cli/gen.go
+++ b/internal/cli/gen.go
@@ -25,6 +25,12 @@ func (mfa *CLIApp) generateManifestOperation(ctx *cli.Context) error {
 		Fs: mfa.Fs,
 	}
 
+	// Forward the optional seed so the manifest UUID is derived deterministically
+	if seed := ctx.String("seed"); seed != "" {
+		opts.Seed = seed
+		log.Infof("using deterministic seed for manifest UUID")
+	}
+
 	// Set up signing options if sign-key is provided
 	if signKey := ctx.String("sign-key"); signKey != "" {
 		opts.SigningOptions = &mfer.SigningOptions{
diff --git a/internal/cli/mfer.go b/internal/cli/mfer.go
index e99dd7e..9bf9524 100644
--- a/internal/cli/mfer.go
+++ b/internal/cli/mfer.go
@@ -154,6 +154,11 @@ func (mfa *CLIApp) run(args []string) {
 						Usage:   "GPG key ID to sign the manifest with",
 						EnvVars: []string{"MFER_SIGN_KEY"},
 					},
+					&cli.StringFlag{
+						Name:    "seed",
+						Usage:   "Seed value for deterministic manifest UUID (hashed 1B times with SHA-256)",
+						EnvVars: []string{"MFER_SEED"},
+					},
 				),
 			},
 			{
diff --git a/mfer/builder.go b/mfer/builder.go
index 2ac00a2..fd7d4aa 100644
--- a/mfer/builder.go
+++ b/mfer/builder.go
@@ -92,6 +92,32 @@ type Builder struct {
 	fixedUUID []byte // if set, use this UUID instead of generating one
 }
 
+// seedIterations is the number of SHA-256 rounds used to derive a UUID from a seed.
+// NOTE(review): one billion sequential rounds is CPU-heavy and the loop takes no
+// context, so it cannot be cancelled once started — confirm this cost is intended.
+const seedIterations = 1_000_000_000
+
+// SetSeed derives a deterministic UUID from the given seed string.
+// The seed is hashed seedIterations (1,000,000,000) times with SHA-256 and
+// the first 16 bytes of the result are stored as the builder's fixed UUID.
+// The derivation runs synchronously inside this call.
+func (b *Builder) SetSeed(seed string) {
+	b.fixedUUID = deriveSeedUUID(seed, seedIterations)
+}
+
+// deriveSeedUUID applies SHA-256 to the seed string, then re-hashes the
+// digest until `iterations` rounds in total have been performed, and returns
+// the first 16 bytes of the final digest.
+// The first round always runs, so any iterations value below 1 behaves like 1.
+// The bytes are returned as-is; no UUID version or variant bits are set.
+func deriveSeedUUID(seed string, iterations int) []byte {
+	hash := sha256.Sum256([]byte(seed))
+	for i := 1; i < iterations; i++ { // starts at 1: the seed hash above is round one
+		hash = sha256.Sum256(hash[:])
+	}
+	return hash[:16]
+}
+
 // NewBuilder creates a new Builder.
 func NewBuilder() *Builder {
 	return &Builder{
diff --git a/mfer/builder_test.go b/mfer/builder_test.go
index 75af5c2..5c1fb11 100644
--- a/mfer/builder_test.go
+++ b/mfer/builder_test.go
@@ -150,6 +150,20 @@ func TestBuilderDeterministicOutput(t *testing.T) {
 	assert.Equal(t, out1, out2, "two builds with same input should produce byte-identical output")
 }
 
+// TestDeriveSeedUUID checks that deriveSeedUUID is repeatable for one seed,
+// yields 16 bytes, and gives different output for a different seed.
+// NOTE(review): no known-answer vector is pinned, so a changed derivation would still pass.
+func TestDeriveSeedUUID(t *testing.T) {
+	// Use a small iteration count for testing (production uses 1B)
+	uuid1 := deriveSeedUUID("test-seed-value", 1000)
+	uuid2 := deriveSeedUUID("test-seed-value", 1000)
+	assert.Equal(t, uuid1, uuid2, "same seed should produce same UUID")
+	assert.Len(t, uuid1, 16, "UUID should be 16 bytes")
+
+	uuid3 := deriveSeedUUID("different-seed", 1000)
+	assert.NotEqual(t, uuid1, uuid3, "different seeds should produce different UUIDs")
+}
+
 func TestBuilderBuildEmpty(t *testing.T) {
 	b := NewBuilder()
 
diff --git a/mfer/scanner.go b/mfer/scanner.go
index df0df11..84eeabd 100644
--- a/mfer/scanner.go
+++ b/mfer/scanner.go
@@ -47,6 +47,7 @@ type ScannerOptions struct {
 	FollowSymLinks bool            // Resolve symlinks instead of skipping them
 	Fs             afero.Fs        // Filesystem to use, defaults to OsFs if nil
 	SigningOptions *SigningOptions // GPG signing options (nil = no signing)
+	Seed           string          // If set, derive a deterministic UUID from this seed
 }
 
 // FileEntry represents a file that has been enumerated.
@@ -276,6 +277,9 @@ func (s *Scanner) ToManifest(ctx context.Context, w io.Writer, progress chan<- S
 	if s.options.SigningOptions != nil {
 		builder.SetSigningOptions(s.options.SigningOptions)
 	}
+	if s.options.Seed != "" {
+		builder.SetSeed(s.options.Seed)
+	}
 
 	var scannedFiles FileCount
 	var scannedBytes FileSize