13 files changed, 25 insertions, 14 deletions

diff --git a/pkgs/applications/networking/go-graft/default.nix b/pkgs/applications/networking/go-graft/default.nix
index ec9ca385e1ef8..14dbcea6277ba 100644
--- a/pkgs/applications/networking/go-graft/default.nix
+++ b/pkgs/applications/networking/go-graft/default.nix
@@ -13,7 +13,7 @@ buildGoModule rec {
 
   CGO_ENABLED = 0;
 
-  ldflags = [ "-X github.com/mzz2017/gg/cmd.Version=${version}" "-s" "-w" "-buildid=" ];
+  ldflags = [ "-X github.com/mzz2017/gg/cmd.Version=${version}" "-s" "-w" ];
   vendorHash = "sha256-fnM4ycqDyruCdCA1Cr4Ki48xeQiTG4l5dLVuAafEm14=";
   subPackages = [ "." ];
 
diff --git a/pkgs/applications/version-management/gitsign/default.nix b/pkgs/applications/version-management/gitsign/default.nix
index cf804ddfb54c6..87b73391987ed 100644
--- a/pkgs/applications/version-management/gitsign/default.nix
+++ b/pkgs/applications/version-management/gitsign/default.nix
@@ -19,7 +19,7 @@ buildGoModule rec {
 
   nativeBuildInputs = [ makeWrapper ];
 
-  ldflags = [ "-s" "-w" "-buildid=" "-X github.com/sigstore/gitsign/pkg/version.gitVersion=${version}" ];
+  ldflags = [ "-s" "-w" "-X github.com/sigstore/gitsign/pkg/version.gitVersion=${version}" ];
 
   preCheck = ''
     # test all paths
diff --git a/pkgs/build-support/go/module.nix b/pkgs/build-support/go/module.nix
index 2fb59c6348290..153b675d48aef 100644
--- a/pkgs/build-support/go/module.nix
+++ b/pkgs/build-support/go/module.nix
@@ -39,6 +39,8 @@
   # Not needed with buildGoModule
 , goPackagePath ? ""
 
+, ldflags ? [ ]
+
   # needed for buildFlags{,Array} warning
 , buildFlags ? ""
 , buildFlagsArray ? ""
@@ -154,6 +156,9 @@ let
     GOFLAGS = lib.optionals (!proxyVendor) [ "-mod=vendor" ] ++ lib.optionals (!allowGoReference) [ "-trimpath" ];
     inherit CGO_ENABLED enableParallelBuilding GO111MODULE GOTOOLCHAIN;
 
+    # If not set to an explicit value, set the buildid empty for reproducibility.
+    ldflags = ldflags ++ lib.optionals (!lib.any (lib.hasPrefix "-buildid=") ldflags) [ "-buildid=" ];
+
     configurePhase = args.configurePhase or (''
       runHook preConfigure
 
@@ -301,4 +306,5 @@ in
 lib.warnIf (args' ? vendorSha256) "`vendorSha256` is deprecated. Use `vendorHash` instead"
 lib.warnIf (buildFlags != "" || buildFlagsArray != "")
   "Use the `ldflags` and/or `tags` attributes instead of `buildFlags`/`buildFlagsArray`"
+lib.warnIf (builtins.elem "-buildid=" ldflags) "`-buildid=` is set by default as ldflag by buildGoModule"
   package
diff --git a/pkgs/build-support/go/package.nix b/pkgs/build-support/go/package.nix
index 7e099b76f0b76..8ca5ca0dca011 100644
--- a/pkgs/build-support/go/package.nix
+++ b/pkgs/build-support/go/package.nix
@@ -37,6 +37,8 @@
 
 , CGO_ENABLED ? go.CGO_ENABLED
 
+, ldflags ? [ ]
+
 # needed for buildFlags{,Array} warning
 , buildFlags ? ""
 , buildFlagsArray ? ""
@@ -91,6 +93,9 @@ let
 
     GOARM = toString (lib.intersectLists [(stdenv.hostPlatform.parsed.cpu.version or "")] ["5" "6" "7"]);
 
+    # If not set to an explicit value, set the buildid empty for reproducibility.
+    ldflags = ldflags ++ lib.optionals (!lib.any (lib.hasPrefix "-buildid=") ldflags) [ "-buildid=" ];
+
     configurePhase = args.configurePhase or (''
       runHook preConfigure
 
@@ -280,4 +285,5 @@ let
 in
 lib.warnIf (buildFlags != "" || buildFlagsArray != "")
   "Use the `ldflags` and/or `tags` attributes instead of `buildFlags`/`buildFlagsArray`"
+lib.warnIf (builtins.elem "-buildid=" ldflags) "`-buildid=` is set by default as ldflag by buildGoModule"
   package
diff --git a/pkgs/by-name/at/athens/package.nix b/pkgs/by-name/at/athens/package.nix
index e6095f7691a19..c53c571c036f2 100644
--- a/pkgs/by-name/at/athens/package.nix
+++ b/pkgs/by-name/at/athens/package.nix
@@ -18,7 +18,7 @@ buildGoModule rec {
   vendorHash = "sha256-8+PdkanodNZW/xeFf+tDm3Ej7DRSpBBtiT/CqjnWthw=";
 
   CGO_ENABLED = "0";
-  ldflags = [ "-s" "-w" "-buildid=" "-X github.com/gomods/athens/pkg/build.version=${version}" ];
+  ldflags = [ "-s" "-w" "-X github.com/gomods/athens/pkg/build.version=${version}" ];
 
   subPackages = [ "cmd/proxy" ];
 
diff --git a/pkgs/by-name/up/uplosi/package.nix b/pkgs/by-name/up/uplosi/package.nix
index 05e38ca8026c7..738f7ea5a5673 100644
--- a/pkgs/by-name/up/uplosi/package.nix
+++ b/pkgs/by-name/up/uplosi/package.nix
@@ -16,7 +16,7 @@ buildGo121Module rec {
   vendorHash = "sha256-RsjUPLe8omoN+XGyNhHDxzNfZR7VVTkh/f/On1oCRqM=";
 
   CGO_ENABLED = "0";
-  ldflags = [ "-s" "-w" "-buildid=" "-X main.version=${version}" ];
+  ldflags = [ "-s" "-w" "-X main.version=${version}" ];
   flags = [ "-trimpath" ];
 
   meta = with lib; {
diff --git a/pkgs/development/tools/gofumpt/default.nix b/pkgs/development/tools/gofumpt/default.nix
index 6becc6f4002d4..36e38163e2a77 100644
--- a/pkgs/development/tools/gofumpt/default.nix
+++ b/pkgs/development/tools/gofumpt/default.nix
@@ -21,7 +21,11 @@ buildGoModule rec {
 
   CGO_ENABLED = "0";
 
-  ldflags = "-s -w -X main.version=v${version}";
+  ldflags = [
+    "-s"
+    "-w"
+    "-X main.version=v${version}"
+  ];
 
   checkFlags = [
     # Requires network access (Error: module lookup disabled by GOPROXY=off).
diff --git a/pkgs/development/tools/kind/default.nix b/pkgs/development/tools/kind/default.nix
index 63f6fff66b623..1f58fd637a6de 100644
--- a/pkgs/development/tools/kind/default.nix
+++ b/pkgs/development/tools/kind/default.nix
@@ -20,7 +20,7 @@ buildGoModule rec {
 
   CGO_ENABLED = 0;
   GOFLAGS = [ "-trimpath" ];
-  ldflags = [ "-buildid=" "-w" ];
+  ldflags = [ "-w" ];
 
   doCheck = false;
 
diff --git a/pkgs/tools/networking/tun2socks/default.nix b/pkgs/tools/networking/tun2socks/default.nix
index 9296b0df0068e..37019a38b348b 100644
--- a/pkgs/tools/networking/tun2socks/default.nix
+++ b/pkgs/tools/networking/tun2socks/default.nix
@@ -17,7 +17,7 @@ buildGoModule rec {
   vendorHash = "sha256-zeiOcn33PnyoseYb0wynkn7MfGp3rHEYBStY98C6aR8=";
 
   ldflags = [
-    "-w" "-s" "-buildid="
+    "-w" "-s"
     "-X github.com/xjasonlyu/tun2socks/v2/internal/version.Version=v${version}"
     "-X github.com/xjasonlyu/tun2socks/v2/internal/version.GitCommit=v${version}"
   ];
diff --git a/pkgs/tools/networking/v2ray/default.nix b/pkgs/tools/networking/v2ray/default.nix
index 1da2adba9d542..4d783fb47345f 100644
--- a/pkgs/tools/networking/v2ray/default.nix
+++ b/pkgs/tools/networking/v2ray/default.nix
@@ -19,7 +19,7 @@ buildGoModule rec {
   # https://github.com/Mic92/nix-update/pull/95
   vendorHash = "sha256-ZBvHu4BEmQi6PQwRHuVwx/6X4gBqlRR44OktKRBGcs4=";
 
-  ldflags = [ "-s" "-w" "-buildid=" ];
+  ldflags = [ "-s" "-w" ];
 
   subPackages = [ "main" ];
 
diff --git a/pkgs/tools/networking/xray/default.nix b/pkgs/tools/networking/xray/default.nix
index bb317055dc041..683cd9e484479 100644
--- a/pkgs/tools/networking/xray/default.nix
+++ b/pkgs/tools/networking/xray/default.nix
@@ -26,7 +26,7 @@ buildGoModule rec {
 
   doCheck = false;
 
-  ldflags = [ "-s" "-w" "-buildid=" ];
+  ldflags = [ "-s" "-w" ];
   subPackages = [ "main" ];
 
    installPhase = ''
diff --git a/pkgs/tools/security/slsa-verifier/default.nix b/pkgs/tools/security/slsa-verifier/default.nix
index d02b574b1563b..5a6ab18a49ec5 100644
--- a/pkgs/tools/security/slsa-verifier/default.nix
+++ b/pkgs/tools/security/slsa-verifier/default.nix
@@ -27,7 +27,6 @@ buildGoModule rec {
   ldflags = [
     "-s"
     "-w"
-    "-buildid="
     "-X sigs.k8s.io/release-utils/version.gitVersion=${version}"
   ];
 
diff --git a/pkgs/tools/security/step-ca/default.nix b/pkgs/tools/security/step-ca/default.nix
index 5c1463ec117b8..6bdbfa02d62a3 100644
--- a/pkgs/tools/security/step-ca/default.nix
+++ b/pkgs/tools/security/step-ca/default.nix
@@ -23,10 +23,6 @@ buildGoModule rec {
 
   vendorHash = "sha256-AXMMpzXEhdKSGeVg/KK2NEgalxIXP6DUTcoxOQVqow4=";
 
-  ldflags = [
-    "-buildid="
-  ];
-
   nativeBuildInputs = lib.optionals hsmSupport [
     pkg-config
   ];