
Constellation images are not reproducible #3465

Open
burgerdev opened this issue Oct 30, 2024 · 0 comments
Assignees
Labels
bug Something isn't working known issue This is a known issue of the latest release

Comments

@burgerdev
Contributor

Issue description

The build process for the constellation images is not deterministic.

During image creation, we add an additional system user `etcd` to the user database. The user's shadow entry contains a date of last password change which is set to the date of the build. This results in a different rootfs, a different dm-verity tag and different image measurements.

Workaround

  1. Stick close to the reproducible builds workflow.

  2. Check out the commit prior to the tagged commit to be verified:

    git checkout v2.19.0~1
  3. Modify the build process to use a static "last changed" date for the password (the date of the release commit).

    git apply <<EOF
    diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
    index 9028b8376..2928787f1 100644
    --- a/image/base/BUILD.bazel
    +++ b/image/base/BUILD.bazel
    @@ -30,6 +30,7 @@ copy_to_directory(
         mkosi_image(
             name = "base_" + kernel_variant,
             srcs = [
    +            "mkosi.finalize",
                 "mkosi.postinst",
                 "mkosi.prepare",
             ] + glob([
    diff --git a/image/base/mkosi.finalize b/image/base/mkosi.finalize
    new file mode 100755
    index 000000000..f832f5d0a
    --- /dev/null
    +++ b/image/base/mkosi.finalize
    @@ -0,0 +1,8 @@
    +#!/usr/bin/env bash
    +set -euxo pipefail
    +
    +# Disable password age for Constellation sysusers.
    +tmp=\$(mktemp)
    +cp -a "\${BUILDROOT}/etc/shadow-" "\${tmp}"
    +mkosi-chroot chage -d "$(date -d "$(git log -1 --format=%ad --date=short)" +%s | awk '{print int($1/86400+0.5)}')" etcd
    +cp -a "\${tmp}" "\${BUILDROOT}/etc/shadow-"
    EOF
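Review bot: In the BUILD.bazel hunk, nothing records why `mkosi.finalize` is now part of `srcs`; a one-line comment above the new entry pointing at this issue and the shadow "last changed" date problem would save the next reader a `git blame`. Because the entry goes into the `srcs` list shared by every `base_<kernel_variant>` target, all base variants pick the script up, so no per-variant change is needed.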
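Review bot: In the mkosi.finalize hunk, the `chage -d` argument `"$(date -d "$(git log -1 --format=%ad --date=short)" +%s | ...)"` is an unescaped `$(...)` inside an unquoted `<<EOF` heredoc, so it is expanded when the patch is applied, not at build time: the committed script ends up with a literal day count taken from whatever commit is checked out at that moment. After step 2 that is `v2.19.0~1`, while step 3 says "the date of the release commit"; the script comment should say which commit's date is intended and that the value is baked in at patch time. Two smaller points in the same hunk: `tmp` from `mktemp` is never removed (add `rm -f "\${tmp}"` after the restore), and only `etcd` is pinned although the comment says "Constellation sysusers" in the plural, so either name `etcd` in the comment or loop over every sysuser the image adds. The copy of `shadow-` out and back around `chage` is what keeps the backup file from receiving a fresh timestamp; that deserves a comment, since it is the non-obvious part of the script.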
  4. Build the release images:

    bazel build //image/system:stable
  5. Calculate the expected measurements for the local images and compare them with the measurements configured by `constellation config fetch-measurements`.

    bazel run --run_under sudo //image/measured-boot/cmd -- bazel-bin/image/system/$IMAGE/constellation.raw /tmp/measurements.json

Version

This affects v2.19.0 and older releases.

@burgerdev burgerdev added bug Something isn't working known issue This is a known issue of the latest release labels Oct 30, 2024
@burgerdev burgerdev self-assigned this Oct 30, 2024
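The non-determinism the issue describes, and the effect of pinning the shadow "last changed" field, modelled on a constructed `/etc/shadow` excerpt. This is an added example, not code from the issue or from Constellation: it uses a pure-arithmetic day counter in place of GNU `date -d`, and `cksum` stands in for the rootfs hash and dm-verity root. The function names and the sample shadow lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Constellation's own code. It models the non-determinism
# described in the issue on a constructed /etc/shadow excerpt and shows what
# pinning the "last changed" field to a fixed day count changes.
set -euo pipefail

# Days since 1970-01-01 for a Gregorian date (years >= 0), computed without
# GNU `date -d`. This is the integer /etc/shadow keeps in field 3 and the
# value `chage -d <days>` writes there.
days_from_civil() {
  local y=$1 m=$2 d=$3
  [ "$m" -le 2 ] && y=$(( y - 1 ))
  local era=$(( y / 400 ))
  local yoe=$(( y - era * 400 ))
  local mp=$(( (m + 9) % 12 ))
  local doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  local doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# Constructed shadow content as a build leaves it: the etcd entry's field 3
# is the build day, so two builds on different days differ here.
build_shadow() {            # $1 = build day count
  printf 'root:*:19000:0:99999:7:::\netcd:!*:%s::::::\n' "$1"
}

# Field 3 (last password change, in days) of user $2 in shadow text $1.
shadow_lastchg() {
  printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $3 }'
}

# Rewrite field 3 of user $2 to $3; this is the edit `chage -d $3 $2` makes.
shadow_pin_lastchg() {
  printf '%s\n' "$1" |
    awk -F: -v OFS=: -v u="$2" -v d="$3" '$1 == u { $3 = d } { print }'
}

# Stand-in for the rootfs hash / dm-verity root: a checksum of the file text.
digest() { printf '%s\n' "$1" | cksum | cut -d' ' -f1; }

# Digest of a build made on day $1. With $2 set, the etcd entry is pinned to
# day $2 first; without it the build is left as produced.
build_digest() {
  local shadow
  shadow=$(build_shadow "$1")
  if [ -n "${2:-}" ]; then
    shadow=$(shadow_pin_lastchg "$shadow" etcd "$2")
  fi
  digest "$shadow"
}

main() {
  local commit_day day_a day_b
  commit_day=$(days_from_civil 2024 10 30)   # date of the commit to pin to
  day_a=$(days_from_civil 2024 11 1)         # first rebuild
  day_b=$(days_from_civil 2024 12 15)        # later rebuild
  echo "unpinned: $(build_digest "$day_a") vs $(build_digest "$day_b")"
  echo "pinned:   $(build_digest "$day_a" "$commit_day") vs $(build_digest "$day_b" "$commit_day")"
}
main
```

The two unpinned digests differ only because of field 3 of the `etcd` line; once both builds pin that field to the same day count, the digests agree. The same day arithmetic gives the number to pass to `chage -d`, which accepts either a `YYYY-MM-DD` date or days since the epoch.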