diff --git a/meta-citadel/classes/citadel-image.bbclass b/meta-citadel/classes/citadel-image.bbclass
index 193fa97..3c90682 100644
--- a/meta-citadel/classes/citadel-image.bbclass
+++ b/meta-citadel/classes/citadel-image.bbclass
@@ -1,8 +1,6 @@
-
-DEPENDS:append = " citadel-tools-native mtools-native cryptsetup-native coreutils-native"
+DEPENDS:append = " make-ext4fs-native citadel-tools-native mtools-native cryptsetup-native coreutils-native"
 
 # Block size must be 4096 or dm-verity won't work
-EXTRA_IMAGECMD:ext4 = "-i 4096 -b 4096"
 IMAGE_FSTYPES = "ext4"
 IMAGE_OVERHEAD_FACTOR = "1.2"
 
@@ -16,7 +14,7 @@ do_citadel_mkimage() {
 image-type = "${CITADEL_IMAGE_TYPE}"
 channel = "${CITADEL_IMAGE_CHANNEL}"
 version = ${CITADEL_IMAGE_VERSION}
-timestamp = "${DATETIME}"
+timestamp = "${SOURCE_DATE_EPOCH}"
 source = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.ext4"
 compress = ${CITADEL_IMAGE_COMPRESS}
 EOF
diff --git a/meta-citadel/classes/make_repro_ext4fs.bbclass b/meta-citadel/classes/make_repro_ext4fs.bbclass
new file mode 100644
index 0000000..3de0bce
--- /dev/null
+++ b/meta-citadel/classes/make_repro_ext4fs.bbclass
@@ -0,0 +1,51 @@
+inherit image_types
+
+python set_image_size () {
+    import math
+
+    print("LOCAL set_image_size")
+    blocksize = 50000
+    rootfs_size = get_rootfs_size(d)
+    print("LOCAL rootfs_size")
+
+    rootfs_size = math.ceil(rootfs_size / blocksize) * blocksize
+    print("LOCAL rootfs_size")
+
+    d.setVar('ROOTFS_SIZE', str(rootfs_size))
+    d.setVarFlag('ROOTFS_SIZE', 'export', '1')
+}
+
+make_repro_ext4fs() {
+	fstype=ext4
+	extra_imagecmd=""
+
+	if [ $# -gt 1 ]; then
+		shift
+		extra_imagecmd=$@
+	fi
+
+	# If generating an empty image the size of the sparse block should be large
+	# enough to allocate an ext4 filesystem using 4096 bytes per inode, this is
+	# about 60K, so dd needs a minimum count of 60, with bs=1024 (bytes per IO)
+	eval local COUNT=\"0\"
+	eval local MIN_COUNT=\"60\"
+	if [ $ROOTFS_SIZE -lt $MIN_COUNT ]; then
+		eval COUNT=\"$MIN_COUNT\"
+	fi
+
+	# Create a sparse image block
+	bbdebug 1 Executing "dd if=/dev/zero of=${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype count=1 bs=1024"
+
+	bbdebug 1 "ROOTFS_SIZE: `${ROOTFS_SIZE}`"
+	bbdebug 1 Executing "make_ext4fs -vl ${ROOTFS_SIZE}k -T "1712775988" ${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype ${IMAGE_ROOTFS}"
+
+	make_ext4fs -vl ${ROOTFS_SIZE}k -T "1712775988" ${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype ${IMAGE_ROOTFS}
+
+	# Error codes 0-3 indicate successfull operation of fsck (no errors or errors corrected)
+	fsck.ext4 -pvD ${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype || [ $? -le 3 ]
+	# adding f makes it non-reproducible
+
+# delete the lost+found dir's contents
+#    mount ${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype /tmp/image/
+#	find "-iname" /tmp/image/lost+found -type d -exec rm -r "{}" \;
+}
diff --git a/meta-citadel/conf/templates/default/local.conf.sample b/meta-citadel/conf/templates/default/local.conf.sample
index 77bcb3b..84b0b81 100644
--- a/meta-citadel/conf/templates/default/local.conf.sample
+++ b/meta-citadel/conf/templates/default/local.conf.sample
@@ -38,6 +38,16 @@
 #MACHINE ??= "qemux86-64"
 MACHINE ?= "intel-corei7-64"
 
+#
+# Binary Reproducibility
+#
+BUILD_REPRODUCIBLE_BINARIES = "1"
+export PYTHONHASHSEED = "0"
+export PERL_HASH_SEED = "0"
+export TZ = 'UTC'
+export SOURCE_DATE_EPOCH ??= "1718285985"
+REPRODUCIBLE_TIMESTAMP_ROOTFS ??= "1712775988"
+
 DEFAULT_TIMEZONE = "America/New_York"
 DEPLOY_DIR_IMAGE = "${TOPDIR}/images"
 
diff --git a/meta-citadel/recipes-citadel/images/base-realmfs-image.bb b/meta-citadel/recipes-citadel/images/base-realmfs-image.bb
index 437bdb8..16a1685 100644
--- a/meta-citadel/recipes-citadel/images/base-realmfs-image.bb
+++ b/meta-citadel/recipes-citadel/images/base-realmfs-image.bb
@@ -15,7 +15,7 @@ do_realmfs_mkimage() {
 image-type = "realmfs"
 channel = "${CITADEL_IMAGE_CHANNEL}"
 version = 1
-timestamp = "${DATETIME}"
+timestamp = "${SOURCE_DATE_EPOCH}"
 source = "${REALMFS_DIR}/citadel-realmfs.ext4"
 realmfs-name = "base"
 compress = true
diff --git a/meta-citadel/recipes-citadel/images/citadel-extra-image.bb b/meta-citadel/recipes-citadel/images/citadel-extra-image.bb
index 9456c9e..7281865 100644
--- a/meta-citadel/recipes-citadel/images/citadel-extra-image.bb
+++ b/meta-citadel/recipes-citadel/images/citadel-extra-image.bb
@@ -18,7 +18,8 @@ CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_extra}"
 CITADEL_IMAGE_TYPE = "extra"
 
 require citadel-image.inc
-inherit citadel-image
+inherit citadel-image make_repro_ext4fs
+IMAGE_CMD:ext4 = "make_repro_ext4fs"
 
 ROOTFS_POSTPROCESS_COMMAND += "write_manifest_file; "
 
diff --git a/meta-citadel/recipes-citadel/images/citadel-installer-image.bb b/meta-citadel/recipes-citadel/images/citadel-installer-image.bb
index 656ba5e..98725e2 100644
--- a/meta-citadel/recipes-citadel/images/citadel-installer-image.bb
+++ b/meta-citadel/recipes-citadel/images/citadel-installer-image.bb
@@ -139,8 +139,51 @@ write_boot_image() {
     fi
 
     bbdebug 1 Creating ${IMAGE_SIZE} block msdos image at ${IMAGE_PATH}
-    mkdosfs -n boot -C ${IMAGE_PATH} ${IMAGE_SIZE}
-    mcopy -i ${IMAGE_PATH} -s ${IMAGE_ROOTFS}/* ::/
+    mkdosfs --invariant -i 2e24ec82 -n BOOT -C ${IMAGE_PATH} ${IMAGE_SIZE}
+
+    ###############################################################################
+    echo "Running mmd and mcopy per file and dir to place files in the final fat32 image reproducibly"
+
+    INDIR=${IMAGE_ROOTFS}
+
+    # mmd is silly and requires this line to know where the image file is
+    echo "drive x: file=\"${IMAGE_PATH}\"" > ~/.mtoolsrc
+    echo ${OUTDIR}
+
+    for file in $(ls ${INDIR}/ | sort)
+    do
+        if [ -d ${INDIR}/${file} ] ; then
+            echo "lvl 1 mmd ${file}"
+            mmd x:/${file}
+
+            for file1 in $(ls ${INDIR}/${file}/ | sort)
+            do
+                if [ -d ${INDIR}/${file}/${file1} ] ; then
+                    echo "lvl 2 mmd ${file}/${file1}"
+                    mmd x:/${file}/${file1}
+
+                    for file2 in $(ls ${INDIR}/${file}/${file1}/ | sort)
+                    do
+                        echo "lvl 2 mmd ${file}/${file1}/${file2}"
+                        if [ -d ${INDIR}/${file}/${file1}/${file2} ] ; then
+                            mmd x:/${file}/${file1}/${file2}
+
+                        else
+                            echo "lvl 4 mcopy ${INDIR}/${file}/${file1}/${file2}"
+                            mcopy -i ${IMAGE_PATH} -vs ${INDIR}/${file}/${file1}/${file2} ::/${file}/${file1}/
+                        fi
+                    done
+                else
+                    echo "lvl 2 mcopy ${INDIR}/${file}/${file1}"
+                    mcopy -i ${IMAGE_PATH} -vs ${INDIR}/${file}/${file1} ::/${file}/
+                fi
+            done
+        else
+            echo "lvl 2 mcopy ${INDIR}/${file}"
+            mcopy -i ${IMAGE_PATH} -vs ${INDIR}/${file} ::/
+        fi
+    done
+    ###############################################################################
 
     syslinux --directory syslinux --install ${IMAGE_PATH}
 }
@@ -160,18 +203,31 @@ write_installer_image() {
     bbdebug 1 Creating ${TOTAL_IMAGE_BLOCKS} block empty image file at ${INSTALLER_IMAGE}
     truncate -s ${TOTAL_IMAGE_BLOCKS}K ${INSTALLER_IMAGE}
     parted -s ${INSTALLER_IMAGE} mklabel msdos
+    # now set disk Identifier manually to make reproducible
+    # thank you mook765 @ https://askubuntu.com/questions/1250224/how-to-change-partuuid
+    bash -c "sed -e 's/\s*\([\+0-9a-zA-Z]*\).*/\1/' <<EOF | fdisk ${INSTALLER_IMAGE}
+x
+i
+0x60123f76
+r
+w
+EOF"
 
     offset=32
     end=$(expr ${offset} + ${BOOT_IMAGE_SECTORS} - 1)
     bbdebug 1 parted -s ${INSTALLER_IMAGE} unit s mkpart fat32 ${offset} ${end}
     parted -s ${INSTALLER_IMAGE} unit s mkpart primary fat32 ${offset} ${end}
     parted -s ${INSTALLER_IMAGE} set 1 boot on
+
     bbdebug 1 dd if=${BOOT_IMAGE} of=${INSTALLER_IMAGE} seek=${offset} count=${BOOT_IMAGE_SECTORS} conv=sparse,nocreat,notrunc
     dd if=${BOOT_IMAGE} of=${INSTALLER_IMAGE} seek=${offset} count=${BOOT_IMAGE_SECTORS} conv=sparse,nocreat,notrunc
 
     dd bs=440 count=1 conv=notrunc if=${RECIPE_SYSROOT}/usr/share/syslinux/mbr.bin of=${INSTALLER_IMAGE}
 
     parted -s ${INSTALLER_IMAGE} unit s print
+
+    # thank you Anade @ https://superuser.com/questions/1247972/how-to-change-vfat-partition-uuid
+    printf "\x"12"\x"34"\x"AB"\x"CD"" | dd bs=1 seek=67 count=4 conv=notrunc of=${INSTALLER_IMAGE}
 }
 
 do_fetch[noexec] = "1"
diff --git a/meta-citadel/recipes-citadel/images/citadel-kernel-image.bb b/meta-citadel/recipes-citadel/images/citadel-kernel-image.bb
index e4890a6..3b9666d 100644
--- a/meta-citadel/recipes-citadel/images/citadel-kernel-image.bb
+++ b/meta-citadel/recipes-citadel/images/citadel-kernel-image.bb
@@ -7,7 +7,8 @@ CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_kernel}"
 CITADEL_IMAGE_TYPE = "kernel"
 
 require citadel-image.inc
-inherit citadel-image
+inherit citadel-image make_repro_ext4fs
+IMAGE_CMD:ext4 = "make_repro_ext4fs"
 
 do_rootfs[depends] += "citadel-kernel:do_deploy"
 
diff --git a/meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb b/meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb
index 612f2c3..96514c0 100644
--- a/meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb
+++ b/meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb
@@ -15,7 +15,10 @@ CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_rootfs}"
 CITADEL_IMAGE_TYPE = "rootfs"
 
 require citadel-image.inc
-inherit citadel-image
+inherit citadel-image make_repro_ext4fs
+
+IMAGE_CMD:ext4 = "make_repro_ext4fs"
+IMAGE_OVERHEAD_FACTOR = "1.34"
 
 set_blank_user_password() {
     sed -i 's%^citadel::%citadel:!:%' ${IMAGE_ROOTFS}/etc/shadow
@@ -62,4 +65,4 @@ addtask rm_var_link after do_rootfs before do_image_qa
 
 symlink_lib64() {
     ln -s /usr/lib ${IMAGE_ROOTFS}/lib64
-}
+}
\ No newline at end of file
diff --git a/meta-citadel/recipes-kernel/citadel-kernel/files/defconfig b/meta-citadel/recipes-kernel/citadel-kernel/files/defconfig
index b737fac..98e2200 100644
--- a/meta-citadel/recipes-kernel/citadel-kernel/files/defconfig
+++ b/meta-citadel/recipes-kernel/citadel-kernel/files/defconfig
@@ -875,6 +875,10 @@ CONFIG_FUNCTION_ALIGNMENT_16B=y
 CONFIG_FUNCTION_ALIGNMENT=16
 # end of General architecture-dependent options
 
+KBUILD_BUILD_TIMESTAMP="1718377347"
+KBUILD_BUILD_USER="citadel"
+KBUILD_BUILD_HOST="subgraph"
+
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
 CONFIG_MODULE_SIG_FORMAT=y
@@ -888,7 +892,7 @@ CONFIG_MODULE_UNLOAD=y
 # CONFIG_MODULE_SRCVERSION_ALL is not set
 CONFIG_MODULE_SIG=y
 # CONFIG_MODULE_SIG_FORCE is not set
-CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_ALL=n
 CONFIG_MODULE_SIG_SHA1=y
 # CONFIG_MODULE_SIG_SHA256 is not set
 # CONFIG_MODULE_SIG_SHA384 is not set
@@ -6825,7 +6829,7 @@ CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 #
 # Certificates for signature checking
 #
-CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+CONFIG_MODULE_SIG_KEY=""
 CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
 # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
diff --git a/meta-citadel/recipes-kernel/citadel-kernel/files/kernel_key.pem b/meta-citadel/recipes-kernel/citadel-kernel/files/kernel_key.pem
new file mode 100644
index 0000000..66e8024
--- /dev/null
+++ b/meta-citadel/recipes-kernel/citadel-kernel/files/kernel_key.pem
@@ -0,0 +1,82 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCmK+LsbpL99cvA
+8bCrbmPUcTvcPIF3K7HTjhWBcWD+QXXZhFPRuA8yPOHbOjRyPvIbzCKaFTpEuxVk
+eVozLAEhMviDaQAzoq7Xajzz9r++uTu1W7HyH6gvNLxVmDdv2d2JLZZQNfOfPwql
+AGscdMhfg0sKEfvspJoSm1TAae+5/GrbRDse6xuhcghm4TE3TJb6CR1VlRcy07oi
+Ep+zTHAV2aTz4PGaYVAn5T1GuBSsioULd+abhN1D/LcZD6oY6Cmzb8PA9KL0fJQ3
+25iNmJ+VzJjM7EQbRudlbHr0XlYS6uG+MbVl2qyWuMSnkxCOuoA2JV+ZOa0cG8pZ
+ROENSq+/KEocpqKTYEwI1XKCQbSnHr5TZwJDSnUJNt/yFKAfy8th4UyapLpzAzrs
+VKcwY6pZSiab1ig6nOz3UNVV6yZAbpYcNRm6arQauytApr39AlIdh7aTJsmQ7BEH
+b3GhTz+sX4kgEJEyciW1o2Ec6LLB46ZNUijSwZFxmvHAzWWZm3Ae4FEBaPqhTSoc
+6YjZNKdmS1zi0PDN1KK692H4tHdxXUXK5zMAwMiU9J9ZIgeiqTBYiQMSWsEWO+BT
+lrNh0D2ifbhKnSL3/154m5OZxIJ+fwZ4r22iDFkzZEoAlBUan0KYMHRnuNNQoV+G
+wrUpGfyjobeQIrXR6zKOg0EfqojCiwIDAQABAoICAEDtwf+/HuljiudLqMv7WL+Q
+NSMTc0TkylmO2YFYE12Vp15EMdousKVhG6ElB4wiY0iQRW7uX3OupCe7sQ5wocpe
+l7MFKqKCbQ3XwZRT9E0qJJXzC78/NmCnmvVZAkROnRz2NpcF1bkCEX8ygCfAy/Bi
+JUZ8i3LGSDt//Sgn3JdP9VLSwMUOeZ/mJjlIwYnJf+6X9CHWHRfrmf2pSERvWBZ5
+kdYHLXA0mPTVwlEpKU7X2y+FfJKE4k4n50VAFSchQ/YMdDEnharBKMsAn4WoPqby
+KDxeDyiXVmAPeKWWXMyMgYNm+emf/bLw5EpUEPKsFd/ST53X5vemNjUWUFd4uN13
+DL12tKDzmYfzsXzAAnBcLTrxS1dAYu5V3ejd8Tx1HleYMJuzlBQesQ6sjsE2DaGI
+HxV2fxyFrNhjcEjNvJnYLGX6rg5Me7yGu3kcgeLlHALiixYFiIR7vHaKvmg0b+na
+0tO0sp4mitdynfrVAMDosLrFW8jRX2jOM3ttOOl91Xa0UvJrk2qavc9rauGTO4KX
+dHJ90SGf7JdkYKaSaq+eNu+6WHfBYVv8teOTu7Qi7dl/xHSdphR9eq/FRaEidxDF
+v/tYlS5va2yGA9pAbthNS8SQIp2OJupZOyGBhfVpvLemiUeGPqSKBFuocTN4DQ94
+aligiY4mBNO63dz16l4BAoIBAQDjA51zfmrkL4du3H6DMSs/lqZqvjcbcRg96wb3
+r7wpiug7beyv5RrtieSzN/0Y8thggvyOslNsu/dPqVxtufeP3xvSRzrde9En+2Tl
+Xa00WxcqNVUu+FqYg0LRXqvQzbvtDCyaszqlvlvM7PqkY+14QBvkZ+HYydd5PN6p
++3gN7rHUIAX1+JbkN+Q8TmQYdvCiQ52QRXXHi4w+h9Sy7+iXbbgtxqqyYR4JjOzT
+wTBz8bTxxfD+z0Cwge83VVmGrjRrYCkn9u8PQKinII8lbLTO5UBo/49P2jujFAh4
+dC1uW4VOPKS2DT4eMizQYQqQuaQdw8gp8L2BlBTlpXOVrGSLAoIBAQC7Y4Njmyqt
+SDjepsPptYVAtyrg10yK4vvWGXciLSwhqqHH5dk3gtOGnyV5yB3a5WoNRH6El4ct
+ss5tH5iEpE6zVcsgN2dl+JS6bjJcNfwwaDOmxMgYrBaCFzcJcW/R1Fet+pV7kni6
+pNzuAemu/u3Wb7sNckMom9VHOksBbRfSucoApKkwKMClHUmDs9eLjkn0JXZlRHHW
+iM0SLO6Q4oWzIQRw0AA+MGMRgH95UyOCfLi36ifhlqti29uaXvuntKgcizHcvIR0
+rI0TOLscoyoA3YvKp4oZQlNXaDJ0TEl2R++/FXTJ29VGFMG+QVh93qhEKGUyZWkx
+JpzZMJC3etoBAoIBAQCct7Mrtxsd2j3555gjA3+iz2KlkBlFBYdBv4240gXo++8k
+j9d0+onjcG2E1+MPJR8BSYwHCs6S4xRxVy7qxRZFqTVwriHSIxcaLe/SdCANY9ET
+H2xmF6ebYApxtZSRemYA2IW2aoLTRx3i07qYYC/g8wkOXjTIz1bEaKQi3upbW+xB
+z7Wtv+aTOI6En210gi/PJTSSE5GipxCzXlwVB5AfcexTFbJjoK320+XurZDAih1r
+R0X+8p7q+1hkb7R1SLABbIoc/9i7Q9zqO4z2vhv4NMWJdtu9uZ+wDjVmynVOmTnm
+7/CZiXzXpbXQSR3dGXtV3QHDCmIZIVxnyReJPVDPAoIBAEi24epJ8PKS3vaPMeDD
+vnSRX0MmaJ5QXDcFZLRPYRujUen26CZhTuGjafBq1iL1+QQy+wFKp3r1MqMnqpB2
+DdALT6ottaLdJiF9127ux/Ckzr49CASC6q0KgyHX8fMzed6aKV1tRgnvJYf6GAr/
+A529d5FNMIBWkBl2plpkUeVEkP1U6A43EiJATiGcLN0Lluj1jI7ZU29TYHhYFS8F
+p6oN+uIn5KA9OIQ3H8Adod7ltOwxIc6pH9JZzEqH5xF5ye5hmTS1tpRrzMaTsg/3
+xLnXPoKiJrWMhjiZx1JXs/4BBihZFBusgYMTVOcWBle5igQAxNwcfAhFmoGxFccN
+FgECggEBAIsMbpB0hcbH6bIWSARRobhPL2Ka8zJ4d8ZfhpjPv8ZXNKoV4Ki/i57v
+IxlXi+t4NPqcWWUf3W0InFPjkkpNPpXQF1dMK4qdevOFikw7KINtjCI0iSvWEzTj
+gIFGXfZcFnBXqYiuc56YUKLQOncyR7M0RxBCWAe70coMB1msMz/TaknlnkAg4ghV
+TEN7LEd7GAQYzIAlsjd4boX4duiZndvPgG9V8eaUo1EWzcfD/0H8vk60HwRyfbkg
+O9ERb+x6sKYtR0pJoYRuahjKd6SoKPswi+hdOZDO076Xf9ORHTHqV/CznEtVA3Vc
+DDvz8/gvqoDgvAWlCrsjmZEffJizVcw=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIFKDCCAxCgAwIBAgIUE6rC+QfVn02trZ7Ead27i9ds4NYwDQYJKoZIhvcNAQEL
+BQAwLjEsMCoGA1UEAwwjQnVpbGQgdGltZSBhdXRvZ2VuZXJhdGVkIGtlcm5lbCBr
+ZXkwIBcNMjQwMjI4MTk1ODA4WhgPMjEyNDAyMDQxOTU4MDhaMC4xLDAqBgNVBAMM
+I0J1aWxkIHRpbWUgYXV0b2dlbmVyYXRlZCBrZXJuZWwga2V5MIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEApivi7G6S/fXLwPGwq25j1HE73DyBdyux044V
+gXFg/kF12YRT0bgPMjzh2zo0cj7yG8wimhU6RLsVZHlaMywBITL4g2kAM6Ku12o8
+8/a/vrk7tVux8h+oLzS8VZg3b9ndiS2WUDXznz8KpQBrHHTIX4NLChH77KSaEptU
+wGnvufxq20Q7HusboXIIZuExN0yW+gkdVZUXMtO6IhKfs0xwFdmk8+DxmmFQJ+U9
+RrgUrIqFC3fmm4TdQ/y3GQ+qGOgps2/DwPSi9HyUN9uYjZiflcyYzOxEG0bnZWx6
+9F5WEurhvjG1ZdqslrjEp5MQjrqANiVfmTmtHBvKWUThDUqvvyhKHKaik2BMCNVy
+gkG0px6+U2cCQ0p1CTbf8hSgH8vLYeFMmqS6cwM67FSnMGOqWUomm9YoOpzs91DV
+VesmQG6WHDUZumq0GrsrQKa9/QJSHYe2kybJkOwRB29xoU8/rF+JIBCRMnIltaNh
+HOiyweOmTVIo0sGRcZrxwM1lmZtwHuBRAWj6oU0qHOmI2TSnZktc4tDwzdSiuvdh
++LR3cV1FyuczAMDIlPSfWSIHoqkwWIkDElrBFjvgU5azYdA9on24Sp0i9/9eeJuT
+mcSCfn8GeK9togxZM2RKAJQVGp9CmDB0Z7jTUKFfhsK1KRn8o6G3kCK10esyjoNB
+H6qIwosCAwEAAaM8MDowDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0O
+BBYEFHA0T2bpAZaELFDODMgvpSjwQNCEMA0GCSqGSIb3DQEBCwUAA4ICAQAOvHct
+yaAn0kCoxAZbMEs8NYxbqxSydLX0YOcV6iF+mS2LQOGQ1mlyOBiFgExjR3XKo6kB
+PRjnd8WuwDcBIHqzK9XBYgm8yCz1oOezVG/J9gvxF47QY3X7EC7M4B0MNGgPpETw
+kXTGIl1x8qXwbD/KwvQkdaRJsZ4uoIHQZOYzvy4M85pV0II5xoESAR/MPrCFQO7O
+/oqWNWs1LEt7XsRzH7mSZWfZ//mr0Kl6n7865i0ocCPv+4nyyT4CWv/0UEeWIKPK
+ChJE+lOpSdiidq2+uyJDN5ali5413nhOx0LY/aziE7JB4x5Ami3DOsGE23y/5Cho
+YWwW8EP3+9M5TVVxrji//I7g2MLQvXAtcwvhaucdrQybgKfQDCnjUSKhYi0WeX+e
+esDj0uVPVrHgbj5QdFIHeuc9F15beVpt3dBa+qYRUdt5J+XaXYxKS43dhz/RQh20
+Z1961O343/Gy023CqI/Ljs8P37CVhhldSWYntlMa39rg7GJPXeQZ1AN/3/2od1ay
+ZaC9FRUTcmoD/TiD14aHHJLwf3tvj/vzmxCzp18mzBVtUE3Ts0uKDkE7F7EVnh5y
+SWz8gehB8tUtsdZPeZqgIKQGCsWhIqD4Ir3csMpyPw+vGKxE6ZzzMr9TvwQpj/NI
+G0wlChzo9EPL58kJEUFhnY0WFhRn1OWfZStiiQ==
+-----END CERTIFICATE-----
diff --git a/meta-citadel/recipes-support/libbytesize/libbytesize_2.6.bb b/meta-citadel/recipes-support/libbytesize/libbytesize_2.10.bb
similarity index 83%
rename from meta-citadel/recipes-support/libbytesize/libbytesize_2.6.bb
rename to meta-citadel/recipes-support/libbytesize/libbytesize_2.10.bb
index 1549732..daa01bf 100644
--- a/meta-citadel/recipes-support/libbytesize/libbytesize_2.6.bb
+++ b/meta-citadel/recipes-support/libbytesize/libbytesize_2.10.bb
@@ -7,10 +7,9 @@ SECTION = "devel/lib"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c"
 
 S = "${WORKDIR}/git"
-B = "${S}"
 
-SRCREV = "c9864f4dd03736839f40d225da494cb1eb64e654"
-SRC_URI = "git://github.com/rhinstaller/libbytesize;branch=master;protocol=https"
+SRCREV = "6e83cc6f6dff4f126fc79284e0c3c1c50123380d"
+SRC_URI = "git://github.com/storaged-project/libbytesize;branch=main;protocol=https"
 
 inherit gettext autotools pkgconfig python3native
 
diff --git a/meta-citadel/recipes-support/make-ext4fs/make-ext4fs.bb b/meta-citadel/recipes-support/make-ext4fs/make-ext4fs.bb
new file mode 100644
index 0000000..033014c
--- /dev/null
+++ b/meta-citadel/recipes-support/make-ext4fs/make-ext4fs.bb
@@ -0,0 +1,29 @@
+DESCRIPTION = "Ext4 creation utility used here because it outputs reproducible builds"
+HOMEPAGE = "https://git.subgraph.com.com/isa/make_ext4"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+SRCREV = "5c201be7d72aff735da27e17c29852e0cefe3e52"
+
+SRC_URI = "git://git.subgraph.com/isa/make_ext4fs.git;protocol=https;branch=master"
+
+DEPENDS = "zlib-native"
+inherit pkgconfig native
+
+PACKAGECONFIG = ""
+
+S = "${WORKDIR}/git"
+
+BBCLASSEXTEND = "native"
+
+do_compile () {
+    export LDFLAGS=""
+	oe_runmake
+}
+
+do_install () {
+    pwd
+    ls
+	install -d ${D}${bindir}
+    install -m 755 -T ${B}/make_ext4fs ${D}${bindir}/make_ext4fs
+}
\ No newline at end of file
diff --git a/meta-citadel/recipes-support/nss/nss_3.74.bb b/meta-citadel/recipes-support/nss/nss_3.74.bb
index ea5abe0..e60c564 100644
--- a/meta-citadel/recipes-support/nss/nss_3.74.bb
+++ b/meta-citadel/recipes-support/nss/nss_3.74.bb
@@ -76,6 +76,7 @@ do_compile:prepend:class-native() {
 
 do_compile() {
     export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr
+    export NSS_FIPS_DISABLED
 
     export CROSS_COMPILE=1
     export NATIVE_CC="${BUILD_CC}"
@@ -247,18 +248,6 @@ do_install:append:class-target() {
 
 PACKAGE_WRITE_DEPS += "nss-native"
 
-pkg_postinst:${PN} () {
-    for I in $D${libdir}/lib*.chk; do
-        DN=`dirname $I`
-        BN=`basename $I .chk`
-        FN=$DN/$BN.so
-        shlibsign -i $FN
-        if [ $? -ne 0 ]; then
-            echo "shlibsign -i $FN failed"
-        fi
-    done
-}
-
 PACKAGES =+ "${PN}-smime"
 FILES:${PN}-smime = "\
     ${bindir}/smime \
diff --git a/meta-gnome/recipes-gnome/libgtop/libgtop/0001-Fix-reproducibility-issue.patch b/meta-gnome/recipes-gnome/libgtop/libgtop/0001-Fix-reproducibility-issue.patch
new file mode 100644
index 0000000..ecfb4b9
--- /dev/null
+++ b/meta-gnome/recipes-gnome/libgtop/libgtop/0001-Fix-reproducibility-issue.patch
@@ -0,0 +1,28 @@
+From 805d67b57d1b229f8fafc942df51e7a3b830889a Mon Sep 17 00:00:00 2001
+From: isa <isa@subgraph.com>
+Date: Thu, 7 Mar 2024 22:06:04 +0000
+Subject: [PATCH] Fix reproducibility issue
+
+---
+ src/daemon/Makefile.am | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/daemon/Makefile.am b/src/daemon/Makefile.am
+index e7eb1f2..d486819 100644
+--- a/src/daemon/Makefile.am
++++ b/src/daemon/Makefile.am
+@@ -13,10 +13,10 @@
+ ##
+ 
+ AM_CPPFLAGS			= $(LIBGTOP_CFLAGS) @AM_CPPFLAGS@ -D_BSD \
+-				  -DLIBGTOP_COMPILE_SYSTEM="\"`uname -s`\"" \
+-				  -DLIBGTOP_COMPILE_RELEASE="\"`uname -r`\"" \
+-				  -DLIBGTOP_COMPILE_VERSION="\"`uname -v`\"" \
+-				  -DLIBGTOP_COMPILE_MACHINE="\"`uname -m`\""
++				  -DLIBGTOP_COMPILE_SYSTEM="\"Linux\"" \
++				  -DLIBGTOP_COMPILE_RELEASE="\"6.7.4\"" \
++				  -DLIBGTOP_COMPILE_VERSION="\"SMP PREEMPT_DYNAMIC\"" \
++				  -DLIBGTOP_COMPILE_MACHINE="\"x86_64\""
+ 
+ if LIBGTOP_NEED_SERVER
+ suid_sysdeps			= $(top_builddir)/sysdeps/@sysdeps_dir@/libgtop_sysdeps_suid-2.0.la
diff --git a/meta-gnome/recipes-gnome/libgtop/libgtop_2.41.3.bb b/meta-gnome/recipes-gnome/libgtop/libgtop_2.41.3.bb
index 5587baa..b2696ca 100644
--- a/meta-gnome/recipes-gnome/libgtop/libgtop_2.41.3.bb
+++ b/meta-gnome/recipes-gnome/libgtop/libgtop_2.41.3.bb
@@ -7,6 +7,7 @@ inherit gnomebase lib_package gtk-doc gobject-introspection gettext upstream-ver
 
 ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
 
+SRC_URI += " file://0001-Fix-reproducibility-issue.patch"
 SRC_URI[archive.sha256sum] = "775676df958e2ea2452f7568f28b2ea581063d312773dd5c0b7624c1b9b2da8c"
 
 DEPENDS = "glib-2.0 libxau"
diff --git a/realmfs-builder/basic-image.conf b/realmfs-builder/basic-image.conf
index 7c355dd..c955af1 100644
--- a/realmfs-builder/basic-image.conf
+++ b/realmfs-builder/basic-image.conf
@@ -1 +1 @@
-PACKAGES="man manpages neovim iputils-ping tmux vifm gnome-terminal firefox nautilus eog evince unzip x264 yelp"
+PACKAGES="man manpages neovim iputils-ping tmux vifm gnome-terminal firefox-esr nautilus eog evince unzip x264 yelp"
diff --git a/realmfs-builder/build-template.conf b/realmfs-builder/build-template.conf
index fea3dbb..a4792f3 100644
--- a/realmfs-builder/build-template.conf
+++ b/realmfs-builder/build-template.conf
@@ -26,7 +26,7 @@ PACKAGES="man manpages vim-nox iputils-ping tmux gnome-terminal firefox nautilus
 # they can just be deleted.  Or you can keep them, the result will be the same.
 #
 
-DEBIAN_RELEASE="bullseye"
+DEBIAN_RELEASE="bookworm"
 DEBIAN_MIRROR="https://deb.debian.org/debian"
 
 #
diff --git a/realmfs-builder/common.inc b/realmfs-builder/common.inc
index ba84a99..ae901f5 100644
--- a/realmfs-builder/common.inc
+++ b/realmfs-builder/common.inc
@@ -1,6 +1,6 @@
 
 : ${DEBIAN_MIRROR:="https://deb.debian.org/debian"}
-: ${DEBIAN_RELEASE:="bullseye"}
+: ${DEBIAN_RELEASE:="bookworm"}
 
 BASE_PACKAGES="iproute2 less xz-utils sudo dbus libpam-systemd openssh-client packagekit-gtk3-module libcanberra-gtk3-module libpulse0 fonts-roboto-hinted bash-completion"
 
diff --git a/realmfs-builder/realmfs-modules/create-user b/realmfs-builder/realmfs-modules/create-user
index f615eba..f3d7cf6 100644
--- a/realmfs-builder/realmfs-modules/create-user
+++ b/realmfs-builder/realmfs-modules/create-user
@@ -1,6 +1,6 @@
 info "Creating user account"
 
 useradd -s /bin/bash -m user
-echo "user:user" | chpasswd 
+echo "user:user" | chpasswd -c NONE
 usermod -aG sudo user
 echo "export DISPLAY=:0" >> /home/user/.bashrc
diff --git a/realmfs-builder/realmfs-modules/write-apt-sources b/realmfs-builder/realmfs-modules/write-apt-sources
index f48c803..deb19b5 100644
--- a/realmfs-builder/realmfs-modules/write-apt-sources
+++ b/realmfs-builder/realmfs-modules/write-apt-sources
@@ -3,6 +3,5 @@ info "Writing /etc/apt/sources.list"
 {
     echo "deb ${DEBIAN_MIRROR} ${DEBIAN_RELEASE} main contrib non-free"
     echo "deb ${DEBIAN_MIRROR}-security ${DEBIAN_RELEASE}-security main contrib non-free"
-    echo "deb ${DEBIAN_MIRROR} unstable main"
 
 } > /etc/apt/sources.list
diff --git a/realmfs-builder/stage-one.sh b/realmfs-builder/stage-one.sh
index d993130..b5ece7f 100755
--- a/realmfs-builder/stage-one.sh
+++ b/realmfs-builder/stage-one.sh
@@ -29,22 +29,43 @@ setup_rootfs() {
 }
 
 run_debootstrap() {
+    #[[ -f ${CACHE_DIR}/lock ]] && rm -f ${CACHE_DIR}/lock
+    #mkdir --parents ${CACHE_DIR} ${ROOTFS}/var/cache/apt/archives
 
-    [[ -f ${CACHE_DIR}/lock ]] && rm -f ${CACHE_DIR}/lock
-    mkdir --parents ${CACHE_DIR} ${ROOTFS}/var/cache/apt/archives
+    #info "Bind mounting ${CACHE_DIR} to ${ROOTFS}/var/cache/apt/archives"
+    #mount --bind ${CACHE_DIR} ${ROOTFS}/var/cache/apt/archives
 
-    info "Bind mounting ${CACHE_DIR} to ${ROOTFS}/var/cache/apt/archives"
-    mount --bind ${CACHE_DIR} ${ROOTFS}/var/cache/apt/archives
+    info "Launching mmdebstrap"
 
-    info "Launching debootstrap"
+    export SOURCE_DATE_EPOCH="1718285985"
 
-    debootstrap --verbose --merged-usr --variant=minbase \
-        --include=systemd-sysv,locales \
-        ${DEBIAN_RELEASE} ${ROOTFS} ${DEBIAN_MIRROR}
+    mmdebstrap --variant=minbase \
+            --include=systemd-sysv,locales,ca-certificates \
+            ${DEBIAN_RELEASE} ${ROOTFS} ${DEBIAN_MIRROR}
+}
+
+make_reproducible() {
+    #umount ${ROOTFS}/var/cache/apt/archives
+
+    rm -rdf ${ROOTFS}/var/cache/*
+    rm ${ROOTFS}/var/log/apt/term.log
+    rm ${ROOTFS}/var/log/apt/history.log
+    rm ${ROOTFS}/var/log/bootstrap.log || true
+    rm ${ROOTFS}/var/log/fontconfig.log || true
+    rm ${ROOTFS}/var/log/dpkg.log
+    rm ${ROOTFS}/var/log/alternatives.log
+    rm ${ROOTFS}/var/log/eipp.log.xz || true
+    rm -rdf ${ROOTFS}/var/lib/apt/lists/*
+    awk -i inplace -F":" '{OFS=FS}{ $3="1" ; print   }' ${ROOTFS}/etc/shadow # do not record date of last password change
+
+    echo "bf58db8bc11448788138633a01a06cdd" > ${ROOTFS}/etc/machine-id
+    echo "bf58db8bc11448788138633a01a06cdd" > ${ROOTFS}/var/lib/dbus/machine-id
+
+    echo -e "# Generated during realmfs build\nnameserver 192.168.4.1" > ${ROOTFS}/etc/resolv.conf
+    echo -e "# File generated during realmfs build\nLC_COLLATE=C\nLANG=en_US.UTF-8" > ${ROOTFS}/etc/default/locale
 }
 
 setup_chroot() {
-
     mount chproc ${ROOTFS}/proc -t proc
     mount chsys ${ROOTFS}/sys -t sysfs
     mount chtmp ${ROOTFS}/tmp -t tmpfs
@@ -60,10 +81,11 @@ setup_chroot() {
 }
 
 cleanup_chroot() {
+    make_reproducible
+
     umount ${ROOTFS}/proc
     umount ${ROOTFS}/sys
     umount ${ROOTFS}/tmp
-    umount ${ROOTFS}/var/cache/apt/archives
 
     # Remove cache files in case we are creating a tarball for distribution
     rm -f ${ROOTFS}/var/cache/apt/pkgcache.bin
@@ -71,7 +93,6 @@ cleanup_chroot() {
 }
 
 run_chroot_stage() {
-
     setup_chroot
 
     #
@@ -103,15 +124,27 @@ generate_tarball() {
     echo
 }
 
+build_make_ext4fs() {
+    cd ${WORKDIR}
+    if [ ! -d "make_ext4fs" ]; then
+        git clone https://git.subgraph.com/isa/make_ext4fs.git
+    fi
+    cd make_ext4fs
+    git checkout 5c201be7d72aff735da27e17c29852e0cefe3e52
+    make
+    cd ../..
+}
+
 generate_image() {
 #    BLOCKS=$(du -ks ${ROOTFS} | cut -f1)
 #    BLOCKS=$(expr ${BLOCKS} \* 12 / 10)
 #    SIZE=$(expr ${BLOCKS} \* 1024)
 #    echo "Size is ${SIZE}"
+    build_make_ext4fs
     BLOCKS=$(expr 440 \* 1024)
     # allow online resize up to 32G
     dd if=/dev/zero of=${WORKDIR}/citadel-realmfs.ext4 seek=${BLOCKS} count=0 bs=4096
-    mkfs.ext4 -d ${ROOTFS} -i 4096 -b 4096 -F ${WORKDIR}/citadel-realmfs.ext4 ${BLOCKS} || exit 1
+    ${WORKDIR}/make_ext4fs/make_ext4fs -l 2G -T "1712775988" -b 4096 ${WORKDIR}/citadel-realmfs.ext4 ${ROOTFS} || exit 1
 }
 
 usage() {
@@ -156,7 +189,6 @@ try_config() {
 }
     
 WORKDIR="$(pwd)/realmfs"
-BUILDFILE=""
 
 DO_TAR=0
 DO_XZ=0
@@ -223,7 +255,7 @@ if [ "$EUID" -ne 0 ]; then
     exit 1
 fi
 
-if [[ -z ${BUILDFILE} ]]; then
+if [[ -z ${BUILDFILE-} ]]; then
     BUILDFILE=$(try_config "${PWD}/build.conf" || try_config "${REALMFS_BUILDER_BASE}/basic-image.conf") || fatal "Could not find a configuration file to use"
 fi
 
@@ -245,7 +277,6 @@ run_debootstrap
 
 run_chroot_stage
 
-
 info "rootfs build is completed:"
 info "    $(du -sh ${ROOTFS})"
 
diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
index c99312a..4097bad 100644
--- a/scripts/docker/Dockerfile
+++ b/scripts/docker/Dockerfile
@@ -30,7 +30,12 @@ RUN apt update && apt install -y gawk \
     file \
     liblz4-tool \
     zstd \
-    xwayland
+    xwayland \
+    mmdebstrap \
+    apt-utils \
+    usrmerge \
+    faketime \
+    diffoscope
 
 # python
 RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
@@ -38,6 +43,7 @@ RUN locale-gen
 RUN update-locale LANG=en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV LC_CTYPE en_US.UTF-8
+ENV LC_COLLATE en_US.UTF-8
 
 RUN useradd -ms /bin/bash builder
 RUN echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers