--optimized flag and providers jar are incompatible when used with tools changing last-modify-date #41268

@davinkevin

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

dist/quarkus

Describe the bug

Hello 👋

I'm opening this request following this request in another, already closed issue. I hope I selected the area correctly.

The main issue is that when we want to follow practices from Reproducible Builds, some of them interfere with the way the kc.sh build --optimized system works.

It's important to note that our issue is mainly buildah-related, managed by IronBank, but under certain circumstances it could be reproduced with any kind of build system (docker, kaniko…).

The problem is that when buildah is used with the --timestamp parameter and some provider jars, kc.sh build --optimized generates a text file with the "now" timestamp associated with the jar (a mechanism to validate whether the jar has changed or not).

The main issue is that after the RUN step, buildah applies this timestamp to every file of this layer.

Then we end up with the following error at Keycloak startup:

A provider JAR was updated since the last build, please rebuild for this to be fully utilized.

This can be reproduced with any build system, as soon as it changes the date of files created after the complete build.

Version

26.2+

Regression

  • The issue is a regression

Expected behavior

We should be able to start the app if the last-modify-date is changed, because the file itself should be verified (and not only the date, which represents nothing really valuable).

In another thread, we recommended basing this mechanism on something less fragile than a date, like a digest (CRC32, MD5, SHA…).

Actual behavior

The built container can't be executed correctly. We have the following error when we launch it:

A provider JAR was updated since the last build, please rebuild for this to be fully utilized.

How to Reproduce?

Because we use the IronBank system, I don't have (atm) a clear reproducer, but some are described in the original issue.

The main way to reproduce it is to:

  1. Build a first version of keycloak
     • ADD any 3rd party jar into ./providers/
     • RUN the kc.sh build --optimized command
  2. Build the inherited image with --timestamp 0, using buildah for example
     • COPY /opt/keycloak from the image created in step 1
     • (implicitly, all files from this second image will have their last-modify-date set to 1970-1-1)
  3. docker run -it --rm image-from-step-2

Anything else?

Our IronBank repository is accessible if you want more context.
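
The difference between the date check this issue describes and the digest check it proposes, as an added example that is not part of the original report and is not Keycloak's code. The jar name, the snapshot layout, the build-time value and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

BUILD_TIME_NS = 1_700_000_000 * 10**9  # constructed "now" at build time


def record_state(providers: Path) -> dict:
    """Build-time snapshot (hypothetical format): mtime and SHA-256 per jar."""
    return {
        jar.name: {
            "mtime": jar.stat().st_mtime_ns,
            "sha256": hashlib.sha256(jar.read_bytes()).hexdigest(),
        }
        for jar in sorted(providers.glob("*.jar"))
    }


def changed(providers: Path, recorded: dict, field: str) -> list:
    """Names of jars whose `field` differs from the snapshot (or were added/removed)."""
    current = record_state(providers)
    return sorted(
        name for name in current.keys() | recorded.keys()
        if current.get(name, {}).get(field) != recorded.get(name, {}).get(field)
    )


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        providers = Path(tmp)
        jar = providers / "custom-spi.jar"  # constructed sample jar
        jar.write_bytes(b"PK\x03\x04 constructed provider bytes")
        os.utime(jar, ns=(BUILD_TIME_NS, BUILD_TIME_NS))
        recorded = record_state(providers)

        # Layer timestamps rewritten to epoch 0 (as with --timestamp 0); bytes untouched.
        os.utime(jar, ns=(0, 0))
        clamped = (changed(providers, recorded, "mtime"),
                   changed(providers, recorded, "sha256"))

        # Bytes replaced while the recorded mtime is put back.
        jar.write_bytes(b"PK\x03\x04 different provider bytes")
        os.utime(jar, ns=(BUILD_TIME_NS, BUILD_TIME_NS))
        replaced = (changed(providers, recorded, "mtime"),
                    changed(providers, recorded, "sha256"))
    return clamped, replaced


if __name__ == "__main__":
    print(demo())
```

The first pair shows the date check flagging an unchanged jar after the timestamp rewrite; the second shows it missing a jar whose content changed but whose date matches the recorded one, while the digest check is correct in both cases.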
