diff --git a/linux/build/scripts/build-inner.sh b/linux/build/scripts/build-inner.sh
index 10763fc..27c9880 100755
--- a/linux/build/scripts/build-inner.sh
+++ b/linux/build/scripts/build-inner.sh
@@ -158,9 +158,30 @@ post_process_for_reproducibility() {
 # Files we know to be non-deterministic. sudo because the chroot
 # is owned by root.
+ #
+ # Why each one:
+ # /etc/nvme/host{id,nqn} — random UUIDs (nvme-cli postinst).
+ # nvme-cli regenerates on first boot.
+ # /var/lib/dkms/<…>/log — wall-clock build timestamps in
+ # DKMS make.log; not consulted at
+ # runtime.
+ # /var/cache/apt/{,src}pkgcache.bin
+ # — apt's compiled package index, has
+ # internal pointers/timestamps that
+ # vary run-to-run. Regenerated on
+ # first `apt-get update` (and
+ # transparently triggered by anything
+ # that needs it).
+ # /var/cache/ldconfig/aux-cache
+ # — ldconfig auxiliary cache, also
+ # with internal nondet state.
+ # Regenerated by ldconfig.
 sudo --non-interactive rm -f \
 "${chroot_dir}/etc/nvme/hostid" \
- "${chroot_dir}/etc/nvme/hostnqn"
+ "${chroot_dir}/etc/nvme/hostnqn" \
+ "${chroot_dir}/var/cache/apt/pkgcache.bin" \
+ "${chroot_dir}/var/cache/apt/srcpkgcache.bin" \
+ "${chroot_dir}/var/cache/ldconfig/aux-cache"
 sudo --non-interactive find "${chroot_dir}/var/lib/dkms" \
 -mindepth 1 -type d -name log -prune -exec rm -rf {} + \
 2>/dev/null || true
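Review bot: The three added `rm -f` targets are built from `${chroot_dir}` and run under `sudo`, so an empty or unset `chroot_dir` would resolve them to the build host's own `/var/cache/apt/pkgcache.bin`, `/var/cache/apt/srcpkgcache.bin` and `/var/cache/ldconfig/aux-cache`. The body of post_process_for_reproducibility starts outside this hunk, so a guard (or `set -u`) may already be in place. If it is not, writing each path as `"${chroot_dir:?}/var/cache/apt/pkgcache.bin"` makes the step abort instead of touching the host. The same applies to the existing nvme and dkms lines around it.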
@@ -201,12 +222,21 @@ post_process_for_reproducibility() {
 local new_iso="${iso_file%.iso}.silvermetal-clean.iso"
 sudo --non-interactive rm -f "${new_iso}"
 echo "post-process: replacing /live/filesystem.squashfs in ISO"
+ # `-alter_date_r m` rewrites every file's mtime to the pinned epoch
+ # so the new /live/filesystem.squashfs and the regenerated
+ # /boot.catalog don't carry the wall-clock time of the post-process
+ # step (run #4278's TOC diff caught both: 21:27 vs 21:44).
+ # `-volume_date` covers the volume-descriptor-level dates that
+ # xorriso also stamps on -commit.
 sudo --non-interactive xorriso \
 -return_with SORRY 0 \
 -indev "${iso_file}" \
 -outdev "${new_iso}" \
 -boot_image any keep \
 -update "${new_sqfs}" /live/filesystem.squashfs \
+ -alter_date_r m "=${SOURCE_DATE_EPOCH}" / \
+ -volume_date c "=${SOURCE_DATE_EPOCH}" \
+ -volume_date m "=${SOURCE_DATE_EPOCH}" \
 -commit
 sudo --non-interactive mv -f "${new_iso}" "${iso_file}"
 sudo --non-interactive rm -f "${new_sqfs}"
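Review bot: The three added options interpolate `${SOURCE_DATE_EPOCH}` without checking it, so an unset or empty value hands xorriso a bare `=` as the time string for `-alter_date_r` and both `-volume_date` calls. The command already runs with `-return_with SORRY 0`, so depending on the severity xorriso assigns to an undecodable time string, the step may still exit 0 and produce an ISO that carries wall-clock dates. Adding `: "${SOURCE_DATE_EPOCH:?SOURCE_DATE_EPOCH must be set}"` before the `xorriso` call makes that failure explicit; the function starts outside this hunk, so this may already be done earlier. Separately, `m` pins only modification times, so it is worth confirming with a second image comparison that access and status-change times in the tree no longer vary.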