Issue description
The build process for the constellation images is not deterministic.
During image creation, an additional system user, etcd, is added to the user database. Its /etc/shadow entry records the date of the last password change, and that date is set to the day of the build. Two builds of the same commit on different days therefore produce a different rootfs, a different dm-verity root hash, and different image measurements, so a rebuilt image cannot be compared against the published measurements.
Workaround

- Stick close to the reproducible builds workflow.

- Check out the commit prior to the tagged commit to be verified:

  ```sh
  git checkout v2.19.0~1
  ```

- Modify the build process to use a static "last changed" date for the password (the date of the release commit):
git apply <<EOF diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel index 9028b8376..2928787f1 100644 --- a/image/base/BUILD.bazel +++ b/image/base/BUILD.bazel @@ -30,6 +30,7 @@ copy_to_directory( mkosi_image( name = "base_" + kernel_variant, srcs = [ + "mkosi.finalize", "mkosi.postinst", "mkosi.prepare", ] + glob([ diff --git a/image/base/mkosi.finalize b/image/base/mkosi.finalize new file mode 100755 index 000000000..f832f5d0a --- /dev/null +++ b/image/base/mkosi.finalize @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +set -euxo pipefail + +# Disable password age for Constellation sysusers. +tmp=\$(mktemp) +cp -a "\${BUILDROOT}/etc/shadow-" "\${tmp}" +mkosi-chroot chage -d "$(date -d "$(git log -1 --format=%ad --date=short)" +%s | awk '{print int($1/86400+0.5)}')" etcd +cp -a "\${tmp}" "\${BUILDROOT}/etc/shadow-" EOF
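Review bot: in the mkosi.finalize hunk, the `$(date -d "$(git log -1 --format=%ad --date=short)" +%s | awk '{print int($1/86400+0.5)}')` argument to `chage -d` is not backslash-escaped, unlike `\$(mktemp)` and `\${BUILDROOT}`, and the `EOF` delimiter is unquoted, so the shell expands it when `git apply` runs rather than during the build; the day count baked into the script is then that of the commit checked out at that moment, which after the `git checkout v2.19.0~1` step is v2.19.0~1, not the tagged release commit the prose names. If that is intended, say so in a comment in the script, and note that `chage -d` accepts a YYYY-MM-DD string directly, so the `date`/`awk` conversion can be dropped in favour of the plain `--date=short` output, which is also easier to audit than a bare day count. Separately, `cp -a "\${BUILDROOT}/etc/shadow-" "\${tmp}"` aborts the build under `set -e` if `/etc/shadow-` does not exist yet in the build root; guard the save and the restore with a `[ -e "\${BUILDROOT}/etc/shadow-" ]` check so the finalize step does not depend on whether an earlier step already wrote the backup file.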
- Build the release images:

  ```sh
  bazel build //image/system:stable
  ```
- Calculate the expected measurements for the local images and compare them with the measurements configured by `constellation config fetch-measurements`:

  ```sh
  bazel run --run_under sudo //image/measured-boot/cmd -- bazel-bin/image/system/$IMAGE/constellation.raw /tmp/measurements.json
  ```
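As an added example (not code from the Constellation project or from this issue), the following script shows the field that breaks reproducibility and the check a verifier can run on a rebuilt rootfs: it parses shadow(5) entries, flags users whose last-change field equals the build date, and pins that field to a fixed date the way the `chage -d` step above does. The shadow lines, build dates and the release date are constructed for illustration.

```python
from datetime import date


def parse_shadow(text):
    """Parse shadow(5) lines into {user: fields}; each entry has 9 colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = fields
    return entries


def days_since_epoch(day):
    """Days since 1970-01-01: the unit shadow(5) stores and `chage -d` accepts."""
    return (day - date(1970, 1, 1)).days


def lastchg_days(text, user):
    """The 'date of last password change' field of USER, or None if it is empty."""
    field = parse_shadow(text)[user][2]
    return int(field) if field else None


def build_dependent_users(text, build_day):
    """Users whose lastchg equals the build date, i.e. the entries that make the rootfs vary."""
    target = days_since_epoch(build_day)
    return sorted(user for user, f in parse_shadow(text).items() if f[2] and int(f[2]) == target)


def pin_lastchg(text, user, day):
    """Rewrite USER's lastchg to a fixed date; this is the effect of `chage -d <date> user`."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 9 and fields[0] == user:
            fields[2] = str(days_since_epoch(day))
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample data: the same commit built on two consecutive days.
# 2024-01-23 is day 19745 and 2024-01-24 is day 19746 since the epoch.
BUILD_DAY_A = date(2024, 1, 23)
BUILD_DAY_B = date(2024, 1, 24)
SHADOW_BUILD_A = "root:*:19700:0:99999:7:::\netcd:!*:19745:0:99999:7:::\n"
SHADOW_BUILD_B = "root:*:19700:0:99999:7:::\netcd:!*:19746:0:99999:7:::\n"
RELEASE_DAY = date(2024, 1, 18)  # assumed release-commit date, illustration only

if __name__ == "__main__":
    print("build A varies in:", build_dependent_users(SHADOW_BUILD_A, BUILD_DAY_A))
    print("build B varies in:", build_dependent_users(SHADOW_BUILD_B, BUILD_DAY_B))
    pinned_a = pin_lastchg(SHADOW_BUILD_A, "etcd", RELEASE_DAY)
    pinned_b = pin_lastchg(SHADOW_BUILD_B, "etcd", RELEASE_DAY)
    print("identical after pinning:", pinned_a == pinned_b)
```

Running `build_dependent_users` against `/etc/shadow` extracted from a rebuilt image, with the build date as the second argument, should return an empty list once the workaround is in place; any user it still reports is another build-time-dependent entry that would show up as a measurement mismatch.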
Version
This affects v2.19.0 and older releases.