fix(linux/build): touch squashfs to SOURCE_DATE_EPOCH before xorriso (M1.1 iter35)

Run #4282's enriched diagnostic pinpointed the exact remaining drift:

    diagnose: first ISO byte difference at offset 205152 (LBA 100)
    205153   7  10
    205154  27   0
    205155  57   3
    205156  52  55

Decoded as decimal, those are the day/hour/minute/second fields of an
ISO9660 7-byte directory record date:
    A: dd=7  hh=23  mm=47  ss=42  (May 7 23:47:42 UTC)
    B: dd=8  hh=0   mm=3   ss=45  (May 8 00:03:45 UTC)

Match the wall-clock mtime of /live/filesystem.squashfs that the TOC
diff also still showed:
    -/live/filesystem.squashfs ... May  7 23:47
    +/live/filesystem.squashfs ... May  8 00:03

Why iter34's `-alter_date_r all "=N" /` didn't catch it: xorriso
applies `-alter_date_r` to the in-memory ISO node table, but `-update
<src> <iso_path>` writes the directory record's mtime at `-commit`
time using the SOURCE FILE's mtime — overriding whatever was in the
node table. So the relevant mtime is on `/tmp/silvermetal-rebuilt-
XXXXXX.squashfs` (the freshly-`mksquashfs`d file), and that has
wall-clock mtime.

Fix: touch the source file to SOURCE_DATE_EPOCH right before xorriso
reads it.

    sudo touch -d "@${SOURCE_DATE_EPOCH}" "${new_sqfs}"

Bonus: diagnose-divergence.sh now falls back to `od -t x1z` when xxd
isn't available — silvermetal-builder ships coreutils but not
vim-common, so the iter34 xxd window was silently empty. The new
od-based dump is what landed the actual byte values in run #4282.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

linux/build/scripts/build-inner.sh

@@ -217,6 +217,17 @@ post_process_for_reproducibility() {
         -comp xz -b 1M -Xdict-size 100% \
         -no-recovery
 
+    # The squashfs file's mtime is what xorriso's `-update` writes into
+    # the ISO9660 directory record at `-commit` time, OVERRIDING what
+    # `-alter_date_r all` set on the in-memory ISO model. Run #4282
+    # diagnosed exactly this: bytes 205152-205156 of the ISO encoded
+    # the dirrec date for /live/filesystem.squashfs as
+    # `7 23 47 42` (Build A wrote at May 7 23:47:42) vs
+    # `8 0 3 45`   (Build B wrote at May 8 00:03:45).
+    # Touching the source file to the pinned epoch before xorriso reads
+    # it eliminates the wall-clock leak through -update.
+    sudo --non-interactive touch -d "@${SOURCE_DATE_EPOCH}" "${new_sqfs}"
+
     # Substitute the new squashfs into the ISO. xorriso's `-update`
     # rewrites just the named file then re-emits the ISO; -boot_image
     # any keep preserves the existing El Torito + GPT/UEFI bits so the

linux/build/scripts/diagnose-divergence.sh

@@ -227,15 +227,27 @@ if command -v cmp >/dev/null 2>&1; then
         echo "diagnose: first ISO byte difference at offset ${first_diff_byte} (LBA ${lba})"
         # 128-byte window starting 32 bytes before the diff.
         start=$(( first_diff_byte > 32 ? first_diff_byte - 32 : 0 ))
-        if command -v xxd >/dev/null 2>&1; then
-            dd if="${ISO_A}" bs=1 skip="${start}" count=128 2>/dev/null \
-                | xxd > "${REPORT_DIR}/iso-a-around-first-diff.xxd" || true
-            dd if="${ISO_B}" bs=1 skip="${start}" count=128 2>/dev/null \
-                | xxd > "${REPORT_DIR}/iso-b-around-first-diff.xxd" || true
-            diff -u "${REPORT_DIR}/iso-a-around-first-diff.xxd" \
-                    "${REPORT_DIR}/iso-b-around-first-diff.xxd" \
-                > "${REPORT_DIR}/iso-around-first-diff.diff" 2>/dev/null || true
-        fi
+        # Prefer xxd if available, fall back to od (always in coreutils).
+        # silvermetal-builder doesn't ship xxd; run #4282's diagnostic
+        # silently produced no hex window because of that.
+        dump_hex() {
+            local f="$1" out="$2"
+            if command -v xxd >/dev/null 2>&1; then
+                xxd "${f}" > "${out}"
+            else
+                od -A x -t x1z -v "${f}" > "${out}"
+            fi
+        }
+        dd if="${ISO_A}" bs=1 skip="${start}" count=128 2>/dev/null \
+            > "${REPORT_DIR}/_a-window.bin" || true
+        dd if="${ISO_B}" bs=1 skip="${start}" count=128 2>/dev/null \
+            > "${REPORT_DIR}/_b-window.bin" || true
+        dump_hex "${REPORT_DIR}/_a-window.bin" "${REPORT_DIR}/iso-a-around-first-diff.hex" || true
+        dump_hex "${REPORT_DIR}/_b-window.bin" "${REPORT_DIR}/iso-b-around-first-diff.hex" || true
+        rm -f "${REPORT_DIR}/_a-window.bin" "${REPORT_DIR}/_b-window.bin" || true
+        diff -u "${REPORT_DIR}/iso-a-around-first-diff.hex" \
+                "${REPORT_DIR}/iso-b-around-first-diff.hex" \
+            > "${REPORT_DIR}/iso-around-first-diff.diff" 2>/dev/null || true
     fi
 
     # Keep the legacy first-8KB scan around as a quick header view.