isa/citadel
1
0
Fork 0
forked from brl/citadel
Code Pull Requests Activity

Implemented an initial attempt at reproducibility

Browse Source
This commit is contained in:
isa 2025-01-23 16:15:47 -05:00
parent 93d2acdb9d
commit 726784ec0e
22 changed files with 337 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
meta-citadel/classes/citadel-image.bbclass
View File

@ -1,8 +1,6 @@
DEPENDS:append = " make-ext4fs-native citadel-tools-native mtools-native cryptsetup-native coreutils-native"
DEPENDS:append = " citadel-tools-native mtools-native cryptsetup-native coreutils-native"
# Block size must be 4096 or dm-verity won't work # Block size must be 4096 or dm-verity won't work
EXTRA_IMAGECMD:ext4 = "-i 4096 -b 4096"
IMAGE_FSTYPES = "ext4" IMAGE_FSTYPES = "ext4"
IMAGE_OVERHEAD_FACTOR = "1.2" IMAGE_OVERHEAD_FACTOR = "1.2"
@ -16,7 +14,7 @@ do_citadel_mkimage() {
image-type = "${CITADEL_IMAGE_TYPE}" image-type = "${CITADEL_IMAGE_TYPE}"
channel = "${CITADEL_IMAGE_CHANNEL}" channel = "${CITADEL_IMAGE_CHANNEL}"
version = ${CITADEL_IMAGE_VERSION} version = ${CITADEL_IMAGE_VERSION}
timestamp = "${DATETIME}" timestamp = "${SOURCE_DATE_EPOCH}"
source = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.ext4" source = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.ext4"
compress = ${CITADEL_IMAGE_COMPRESS} compress = ${CITADEL_IMAGE_COMPRESS}
EOF EOF

51
meta-citadel/classes/make_repro_ext4fs.bbclass Normal file
View File

@ -0,0 +1,51 @@
inherit image_types
python set_image_size () {
import math
print("LOCAL set_image_size")
blocksize = 50000
rootfs_size = get_rootfs_size(d)
print("LOCAL rootfs_size")
rootfs_size = math.ceil(rootfs_size / blocksize) * blocksize
print("LOCAL rootfs_size")
d.setVar('ROOTFS_SIZE', str(rootfs_size))
d.setVarFlag('ROOTFS_SIZE', 'export', '1')
}
make_repro_ext4fs() {
fstype=ext4
extra_imagecmd=""
if [ $# -gt 1 ]; then
shift
extra_imagecmd=$@
fi
# If generating an empty image the size of the sparse block should be large
# enough to allocate an ext4 filesystem using 4096 bytes per inode, this is
# about 60K, so dd needs a minimum count of 60, with bs=1024 (bytes per IO)
eval local COUNT=\"0\"
eval local MIN_COUNT=\"60\"
if [ $ROOTFS_SIZE -lt $MIN_COUNT ]; then
eval COUNT=\"$MIN_COUNT\"
fi
# Create a sparse image block
bbdebug 1 Executing "dd if=/dev/zero of=${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype count=1 bs=1024"
bbdebug 1 "ROOTFS_SIZE: `${ROOTFS_SIZE}`"
bbdebug 1 Executing "make_ext4fs -vl ${ROOTFS_SIZE}k -T "1712775988" ${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype ${IMAGE_ROOTFS}"
make_ext4fs -vl ${ROOTFS_SIZE}k -T "1712775988" ${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype ${IMAGE_ROOTFS}
# Error codes 0-3 indicate successfull operation of fsck (no errors or errors corrected)
fsck.ext4 -pvD ${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype || [ $? -le 3 ]
# adding f makes it non-reproducible
# delete the lost+found dir's contents
# mount ${IMGDEPLOYDIR}/${IMAGE_NAME}.$fstype /tmp/image/
# find "-iname" /tmp/image/lost+found -type d -exec rm -r "{}" \;
}

10
meta-citadel/conf/templates/default/local.conf.sample
View File

@ -38,6 +38,16 @@
#MACHINE ??= "qemux86-64" #MACHINE ??= "qemux86-64"
MACHINE ?= "intel-corei7-64" MACHINE ?= "intel-corei7-64"
#
# Binary Reproducibility
#
BUILD_REPRODUCIBLE_BINARIES = "1"
export PYTHONHASHSEED = "0"
export PERL_HASH_SEED = "0"
export TZ = 'UTC'
export SOURCE_DATE_EPOCH ??= "1718285985"
REPRODUCIBLE_TIMESTAMP_ROOTFS ??= "1712775988"
DEFAULT_TIMEZONE = "America/New_York" DEFAULT_TIMEZONE = "America/New_York"
DEPLOY_DIR_IMAGE = "${TOPDIR}/images" DEPLOY_DIR_IMAGE = "${TOPDIR}/images"

2
meta-citadel/recipes-citadel/images/base-realmfs-image.bb
View File

@ -15,7 +15,7 @@ do_realmfs_mkimage() {
image-type = "realmfs" image-type = "realmfs"
channel = "${CITADEL_IMAGE_CHANNEL}" channel = "${CITADEL_IMAGE_CHANNEL}"
version = 1 version = 1
timestamp = "${DATETIME}" timestamp = "${SOURCE_DATE_EPOCH}"
source = "${REALMFS_DIR}/citadel-realmfs.ext4" source = "${REALMFS_DIR}/citadel-realmfs.ext4"
realmfs-name = "base" realmfs-name = "base"
compress = true compress = true

3
meta-citadel/recipes-citadel/images/citadel-extra-image.bb
View File

@ -18,7 +18,8 @@ CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_extra}"
CITADEL_IMAGE_TYPE = "extra" CITADEL_IMAGE_TYPE = "extra"
require citadel-image.inc require citadel-image.inc
inherit citadel-image inherit citadel-image make_repro_ext4fs
IMAGE_CMD:ext4 = "make_repro_ext4fs"
ROOTFS_POSTPROCESS_COMMAND += "write_manifest_file; " ROOTFS_POSTPROCESS_COMMAND += "write_manifest_file; "

60
meta-citadel/recipes-citadel/images/citadel-installer-image.bb
View File

@ -139,8 +139,51 @@ write_boot_image() {
fi fi
bbdebug 1 Creating ${IMAGE_SIZE} block msdos image at ${IMAGE_PATH} bbdebug 1 Creating ${IMAGE_SIZE} block msdos image at ${IMAGE_PATH}
mkdosfs -n boot -C ${IMAGE_PATH} ${IMAGE_SIZE} mkdosfs --invariant -i 2e24ec82 -n BOOT -C ${IMAGE_PATH} ${IMAGE_SIZE}
mcopy -i ${IMAGE_PATH} -s ${IMAGE_ROOTFS}/* ::/
###############################################################################
echo "Running mmd and mcopy per file and dir to place files in the final fat32 image reproducibly"
INDIR=${IMAGE_ROOTFS}
# mmd is silly and requires this line to know where the image file is
echo "drive x: file=\"${IMAGE_PATH}\"" > ~/.mtoolsrc
echo ${OUTDIR}
for file in $(ls ${INDIR}/ | sort)
do
if [ -d ${INDIR}/${file} ] ; then
echo "lvl 1 mmd ${file}"
mmd x:/${file}
for file1 in $(ls ${INDIR}/${file}/ | sort)
do
if [ -d ${INDIR}/${file}/${file1} ] ; then
echo "lvl 2 mmd ${file}/${file1}"
mmd x:/${file}/${file1}
for file2 in $(ls ${INDIR}/${file}/${file1}/ | sort)
do
echo "lvl 2 mmd ${file}/${file1}/${file2}"
if [ -d ${INDIR}/${file}/${file1}/${file2} ] ; then
mmd x:/${file}/${file1}/${file2}
else
echo "lvl 4 mcopy ${INDIR}/${file}/${file1}/${file2}"
mcopy -i ${IMAGE_PATH} -vs ${INDIR}/${file}/${file1}/${file2} ::/${file}/${file1}/
fi
done
else
echo "lvl 2 mcopy ${INDIR}/${file}/${file1}"
mcopy -i ${IMAGE_PATH} -vs ${INDIR}/${file}/${file1} ::/${file}/
fi
done
else
echo "lvl 2 mcopy ${INDIR}/${file}"
mcopy -i ${IMAGE_PATH} -vs ${INDIR}/${file} ::/
fi
done
###############################################################################
syslinux --directory syslinux --install ${IMAGE_PATH} syslinux --directory syslinux --install ${IMAGE_PATH}
} }
@ -160,18 +203,31 @@ write_installer_image() {
bbdebug 1 Creating ${TOTAL_IMAGE_BLOCKS} block empty image file at ${INSTALLER_IMAGE} bbdebug 1 Creating ${TOTAL_IMAGE_BLOCKS} block empty image file at ${INSTALLER_IMAGE}
truncate -s ${TOTAL_IMAGE_BLOCKS}K ${INSTALLER_IMAGE} truncate -s ${TOTAL_IMAGE_BLOCKS}K ${INSTALLER_IMAGE}
parted -s ${INSTALLER_IMAGE} mklabel msdos parted -s ${INSTALLER_IMAGE} mklabel msdos
# now set disk Identifier manually to make reproducible
# thank you mook765 @ https://askubuntu.com/questions/1250224/how-to-change-partuuid
bash -c "sed -e 's/\s*\([\+0-9a-zA-Z]*\).*/\1/' <<EOF | fdisk ${INSTALLER_IMAGE}
x
i
0x60123f76
r
w
EOF"
offset=32 offset=32
end=$(expr ${offset} + ${BOOT_IMAGE_SECTORS} - 1) end=$(expr ${offset} + ${BOOT_IMAGE_SECTORS} - 1)
bbdebug 1 parted -s ${INSTALLER_IMAGE} unit s mkpart fat32 ${offset} ${end} bbdebug 1 parted -s ${INSTALLER_IMAGE} unit s mkpart fat32 ${offset} ${end}
parted -s ${INSTALLER_IMAGE} unit s mkpart primary fat32 ${offset} ${end} parted -s ${INSTALLER_IMAGE} unit s mkpart primary fat32 ${offset} ${end}
parted -s ${INSTALLER_IMAGE} set 1 boot on parted -s ${INSTALLER_IMAGE} set 1 boot on
bbdebug 1 dd if=${BOOT_IMAGE} of=${INSTALLER_IMAGE} seek=${offset} count=${BOOT_IMAGE_SECTORS} conv=sparse,nocreat,notrunc bbdebug 1 dd if=${BOOT_IMAGE} of=${INSTALLER_IMAGE} seek=${offset} count=${BOOT_IMAGE_SECTORS} conv=sparse,nocreat,notrunc
dd if=${BOOT_IMAGE} of=${INSTALLER_IMAGE} seek=${offset} count=${BOOT_IMAGE_SECTORS} conv=sparse,nocreat,notrunc dd if=${BOOT_IMAGE} of=${INSTALLER_IMAGE} seek=${offset} count=${BOOT_IMAGE_SECTORS} conv=sparse,nocreat,notrunc
dd bs=440 count=1 conv=notrunc if=${RECIPE_SYSROOT}/usr/share/syslinux/mbr.bin of=${INSTALLER_IMAGE} dd bs=440 count=1 conv=notrunc if=${RECIPE_SYSROOT}/usr/share/syslinux/mbr.bin of=${INSTALLER_IMAGE}
parted -s ${INSTALLER_IMAGE} unit s print parted -s ${INSTALLER_IMAGE} unit s print
# thank you Anade @ https://superuser.com/questions/1247972/how-to-change-vfat-partition-uuid
printf "\x"12"\x"34"\x"AB"\x"CD"" | dd bs=1 seek=67 count=4 conv=notrunc of=${INSTALLER_IMAGE}
} }
do_fetch[noexec] = "1" do_fetch[noexec] = "1"

3
meta-citadel/recipes-citadel/images/citadel-kernel-image.bb
View File

@ -7,7 +7,8 @@ CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_kernel}"
CITADEL_IMAGE_TYPE = "kernel" CITADEL_IMAGE_TYPE = "kernel"
require citadel-image.inc require citadel-image.inc
inherit citadel-image inherit citadel-image make_repro_ext4fs
IMAGE_CMD:ext4 = "make_repro_ext4fs"
do_rootfs[depends] += "citadel-kernel:do_deploy" do_rootfs[depends] += "citadel-kernel:do_deploy"

5
meta-citadel/recipes-citadel/images/citadel-rootfs-image.bb
View File

@ -15,7 +15,10 @@ CITADEL_IMAGE_VERSION = "${CITADEL_IMAGE_VERSION_rootfs}"
CITADEL_IMAGE_TYPE = "rootfs" CITADEL_IMAGE_TYPE = "rootfs"
require citadel-image.inc require citadel-image.inc
inherit citadel-image inherit citadel-image make_repro_ext4fs
IMAGE_CMD:ext4 = "make_repro_ext4fs"
IMAGE_OVERHEAD_FACTOR = "1.34"
set_blank_user_password() { set_blank_user_password() {
sed -i 's%^citadel::%citadel:!:%' ${IMAGE_ROOTFS}/etc/shadow sed -i 's%^citadel::%citadel:!:%' ${IMAGE_ROOTFS}/etc/shadow

8
meta-citadel/recipes-kernel/citadel-kernel/files/defconfig
View File

@ -875,6 +875,10 @@ CONFIG_FUNCTION_ALIGNMENT_16B=y
CONFIG_FUNCTION_ALIGNMENT=16 CONFIG_FUNCTION_ALIGNMENT=16
# end of General architecture-dependent options # end of General architecture-dependent options
KBUILD_BUILD_TIMESTAMP="1718377347"
KBUILD_BUILD_USER="citadel"
KBUILD_BUILD_HOST="subgraph"
CONFIG_RT_MUTEXES=y CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0 CONFIG_BASE_SMALL=0
CONFIG_MODULE_SIG_FORMAT=y CONFIG_MODULE_SIG_FORMAT=y
@ -888,7 +892,7 @@ CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_SRCVERSION_ALL is not set # CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set # CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y CONFIG_MODULE_SIG_ALL=n
CONFIG_MODULE_SIG_SHA1=y CONFIG_MODULE_SIG_SHA1=y
# CONFIG_MODULE_SIG_SHA256 is not set # CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set # CONFIG_MODULE_SIG_SHA384 is not set
@ -6825,7 +6829,7 @@ CONFIG_SIGNED_PE_FILE_VERIFICATION=y
# #
# Certificates for signature checking # Certificates for signature checking
# #
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" CONFIG_MODULE_SIG_KEY=""
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
# CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYRING=y

82
meta-citadel/recipes-kernel/citadel-kernel/files/kernel_key.pem Normal file
View File

@ -0,0 +1,82 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCmK+LsbpL99cvA
8bCrbmPUcTvcPIF3K7HTjhWBcWD+QXXZhFPRuA8yPOHbOjRyPvIbzCKaFTpEuxVk
eVozLAEhMviDaQAzoq7Xajzz9r++uTu1W7HyH6gvNLxVmDdv2d2JLZZQNfOfPwql
AGscdMhfg0sKEfvspJoSm1TAae+5/GrbRDse6xuhcghm4TE3TJb6CR1VlRcy07oi
Ep+zTHAV2aTz4PGaYVAn5T1GuBSsioULd+abhN1D/LcZD6oY6Cmzb8PA9KL0fJQ3
25iNmJ+VzJjM7EQbRudlbHr0XlYS6uG+MbVl2qyWuMSnkxCOuoA2JV+ZOa0cG8pZ
ROENSq+/KEocpqKTYEwI1XKCQbSnHr5TZwJDSnUJNt/yFKAfy8th4UyapLpzAzrs
VKcwY6pZSiab1ig6nOz3UNVV6yZAbpYcNRm6arQauytApr39AlIdh7aTJsmQ7BEH
b3GhTz+sX4kgEJEyciW1o2Ec6LLB46ZNUijSwZFxmvHAzWWZm3Ae4FEBaPqhTSoc
6YjZNKdmS1zi0PDN1KK692H4tHdxXUXK5zMAwMiU9J9ZIgeiqTBYiQMSWsEWO+BT
lrNh0D2ifbhKnSL3/154m5OZxIJ+fwZ4r22iDFkzZEoAlBUan0KYMHRnuNNQoV+G
wrUpGfyjobeQIrXR6zKOg0EfqojCiwIDAQABAoICAEDtwf+/HuljiudLqMv7WL+Q
NSMTc0TkylmO2YFYE12Vp15EMdousKVhG6ElB4wiY0iQRW7uX3OupCe7sQ5wocpe
l7MFKqKCbQ3XwZRT9E0qJJXzC78/NmCnmvVZAkROnRz2NpcF1bkCEX8ygCfAy/Bi
JUZ8i3LGSDt//Sgn3JdP9VLSwMUOeZ/mJjlIwYnJf+6X9CHWHRfrmf2pSERvWBZ5
kdYHLXA0mPTVwlEpKU7X2y+FfJKE4k4n50VAFSchQ/YMdDEnharBKMsAn4WoPqby
KDxeDyiXVmAPeKWWXMyMgYNm+emf/bLw5EpUEPKsFd/ST53X5vemNjUWUFd4uN13
DL12tKDzmYfzsXzAAnBcLTrxS1dAYu5V3ejd8Tx1HleYMJuzlBQesQ6sjsE2DaGI
HxV2fxyFrNhjcEjNvJnYLGX6rg5Me7yGu3kcgeLlHALiixYFiIR7vHaKvmg0b+na
0tO0sp4mitdynfrVAMDosLrFW8jRX2jOM3ttOOl91Xa0UvJrk2qavc9rauGTO4KX
dHJ90SGf7JdkYKaSaq+eNu+6WHfBYVv8teOTu7Qi7dl/xHSdphR9eq/FRaEidxDF
v/tYlS5va2yGA9pAbthNS8SQIp2OJupZOyGBhfVpvLemiUeGPqSKBFuocTN4DQ94
aligiY4mBNO63dz16l4BAoIBAQDjA51zfmrkL4du3H6DMSs/lqZqvjcbcRg96wb3
r7wpiug7beyv5RrtieSzN/0Y8thggvyOslNsu/dPqVxtufeP3xvSRzrde9En+2Tl
Xa00WxcqNVUu+FqYg0LRXqvQzbvtDCyaszqlvlvM7PqkY+14QBvkZ+HYydd5PN6p
+3gN7rHUIAX1+JbkN+Q8TmQYdvCiQ52QRXXHi4w+h9Sy7+iXbbgtxqqyYR4JjOzT
wTBz8bTxxfD+z0Cwge83VVmGrjRrYCkn9u8PQKinII8lbLTO5UBo/49P2jujFAh4
dC1uW4VOPKS2DT4eMizQYQqQuaQdw8gp8L2BlBTlpXOVrGSLAoIBAQC7Y4Njmyqt
SDjepsPptYVAtyrg10yK4vvWGXciLSwhqqHH5dk3gtOGnyV5yB3a5WoNRH6El4ct
ss5tH5iEpE6zVcsgN2dl+JS6bjJcNfwwaDOmxMgYrBaCFzcJcW/R1Fet+pV7kni6
pNzuAemu/u3Wb7sNckMom9VHOksBbRfSucoApKkwKMClHUmDs9eLjkn0JXZlRHHW
iM0SLO6Q4oWzIQRw0AA+MGMRgH95UyOCfLi36ifhlqti29uaXvuntKgcizHcvIR0
rI0TOLscoyoA3YvKp4oZQlNXaDJ0TEl2R++/FXTJ29VGFMG+QVh93qhEKGUyZWkx
JpzZMJC3etoBAoIBAQCct7Mrtxsd2j3555gjA3+iz2KlkBlFBYdBv4240gXo++8k
j9d0+onjcG2E1+MPJR8BSYwHCs6S4xRxVy7qxRZFqTVwriHSIxcaLe/SdCANY9ET
H2xmF6ebYApxtZSRemYA2IW2aoLTRx3i07qYYC/g8wkOXjTIz1bEaKQi3upbW+xB
z7Wtv+aTOI6En210gi/PJTSSE5GipxCzXlwVB5AfcexTFbJjoK320+XurZDAih1r
R0X+8p7q+1hkb7R1SLABbIoc/9i7Q9zqO4z2vhv4NMWJdtu9uZ+wDjVmynVOmTnm
7/CZiXzXpbXQSR3dGXtV3QHDCmIZIVxnyReJPVDPAoIBAEi24epJ8PKS3vaPMeDD
vnSRX0MmaJ5QXDcFZLRPYRujUen26CZhTuGjafBq1iL1+QQy+wFKp3r1MqMnqpB2
DdALT6ottaLdJiF9127ux/Ckzr49CASC6q0KgyHX8fMzed6aKV1tRgnvJYf6GAr/
A529d5FNMIBWkBl2plpkUeVEkP1U6A43EiJATiGcLN0Lluj1jI7ZU29TYHhYFS8F
p6oN+uIn5KA9OIQ3H8Adod7ltOwxIc6pH9JZzEqH5xF5ye5hmTS1tpRrzMaTsg/3
xLnXPoKiJrWMhjiZx1JXs/4BBihZFBusgYMTVOcWBle5igQAxNwcfAhFmoGxFccN
FgECggEBAIsMbpB0hcbH6bIWSARRobhPL2Ka8zJ4d8ZfhpjPv8ZXNKoV4Ki/i57v
IxlXi+t4NPqcWWUf3W0InFPjkkpNPpXQF1dMK4qdevOFikw7KINtjCI0iSvWEzTj
gIFGXfZcFnBXqYiuc56YUKLQOncyR7M0RxBCWAe70coMB1msMz/TaknlnkAg4ghV
TEN7LEd7GAQYzIAlsjd4boX4duiZndvPgG9V8eaUo1EWzcfD/0H8vk60HwRyfbkg
O9ERb+x6sKYtR0pJoYRuahjKd6SoKPswi+hdOZDO076Xf9ORHTHqV/CznEtVA3Vc
DDvz8/gvqoDgvAWlCrsjmZEffJizVcw=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFKDCCAxCgAwIBAgIUE6rC+QfVn02trZ7Ead27i9ds4NYwDQYJKoZIhvcNAQEL
BQAwLjEsMCoGA1UEAwwjQnVpbGQgdGltZSBhdXRvZ2VuZXJhdGVkIGtlcm5lbCBr
ZXkwIBcNMjQwMjI4MTk1ODA4WhgPMjEyNDAyMDQxOTU4MDhaMC4xLDAqBgNVBAMM
I0J1aWxkIHRpbWUgYXV0b2dlbmVyYXRlZCBrZXJuZWwga2V5MIICIjANBgkqhkiG
9w0BAQEFAAOCAg8AMIICCgKCAgEApivi7G6S/fXLwPGwq25j1HE73DyBdyux044V
gXFg/kF12YRT0bgPMjzh2zo0cj7yG8wimhU6RLsVZHlaMywBITL4g2kAM6Ku12o8
8/a/vrk7tVux8h+oLzS8VZg3b9ndiS2WUDXznz8KpQBrHHTIX4NLChH77KSaEptU
wGnvufxq20Q7HusboXIIZuExN0yW+gkdVZUXMtO6IhKfs0xwFdmk8+DxmmFQJ+U9
RrgUrIqFC3fmm4TdQ/y3GQ+qGOgps2/DwPSi9HyUN9uYjZiflcyYzOxEG0bnZWx6
9F5WEurhvjG1ZdqslrjEp5MQjrqANiVfmTmtHBvKWUThDUqvvyhKHKaik2BMCNVy
gkG0px6+U2cCQ0p1CTbf8hSgH8vLYeFMmqS6cwM67FSnMGOqWUomm9YoOpzs91DV
VesmQG6WHDUZumq0GrsrQKa9/QJSHYe2kybJkOwRB29xoU8/rF+JIBCRMnIltaNh
HOiyweOmTVIo0sGRcZrxwM1lmZtwHuBRAWj6oU0qHOmI2TSnZktc4tDwzdSiuvdh
+LR3cV1FyuczAMDIlPSfWSIHoqkwWIkDElrBFjvgU5azYdA9on24Sp0i9/9eeJuT
mcSCfn8GeK9togxZM2RKAJQVGp9CmDB0Z7jTUKFfhsK1KRn8o6G3kCK10esyjoNB
H6qIwosCAwEAAaM8MDowDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwHQYDVR0O
BBYEFHA0T2bpAZaELFDODMgvpSjwQNCEMA0GCSqGSIb3DQEBCwUAA4ICAQAOvHct
yaAn0kCoxAZbMEs8NYxbqxSydLX0YOcV6iF+mS2LQOGQ1mlyOBiFgExjR3XKo6kB
PRjnd8WuwDcBIHqzK9XBYgm8yCz1oOezVG/J9gvxF47QY3X7EC7M4B0MNGgPpETw
kXTGIl1x8qXwbD/KwvQkdaRJsZ4uoIHQZOYzvy4M85pV0II5xoESAR/MPrCFQO7O
/oqWNWs1LEt7XsRzH7mSZWfZ//mr0Kl6n7865i0ocCPv+4nyyT4CWv/0UEeWIKPK
ChJE+lOpSdiidq2+uyJDN5ali5413nhOx0LY/aziE7JB4x5Ami3DOsGE23y/5Cho
YWwW8EP3+9M5TVVxrji//I7g2MLQvXAtcwvhaucdrQybgKfQDCnjUSKhYi0WeX+e
esDj0uVPVrHgbj5QdFIHeuc9F15beVpt3dBa+qYRUdt5J+XaXYxKS43dhz/RQh20
Z1961O343/Gy023CqI/Ljs8P37CVhhldSWYntlMa39rg7GJPXeQZ1AN/3/2od1ay
ZaC9FRUTcmoD/TiD14aHHJLwf3tvj/vzmxCzp18mzBVtUE3Ts0uKDkE7F7EVnh5y
SWz8gehB8tUtsdZPeZqgIKQGCsWhIqD4Ir3csMpyPw+vGKxE6ZzzMr9TvwQpj/NI
G0wlChzo9EPL58kJEUFhnY0WFhRn1OWfZStiiQ==
-----END CERTIFICATE-----

5
meta-citadel/recipes-support/libbytesize/libbytesize_2.6.bb → meta-citadel/recipes-support/libbytesize/libbytesize_2.10.bb
View File

@ -7,10 +7,9 @@ SECTION = "devel/lib"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c" LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
B = "${S}"
SRCREV = "c9864f4dd03736839f40d225da494cb1eb64e654" SRCREV = "6e83cc6f6dff4f126fc79284e0c3c1c50123380d"
SRC_URI = "git://github.com/rhinstaller/libbytesize;branch=master;protocol=https" SRC_URI = "git://github.com/storaged-project/libbytesize;branch=main;protocol=https"
inherit gettext autotools pkgconfig python3native inherit gettext autotools pkgconfig python3native

29
meta-citadel/recipes-support/make-ext4fs/make-ext4fs.bb Normal file
View File

@ -0,0 +1,29 @@
DESCRIPTION = "Ext4 creation utility used here because it outputs reproducible builds"
HOMEPAGE = "https://git.subgraph.com.com/isa/make_ext4"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
SRCREV = "5c201be7d72aff735da27e17c29852e0cefe3e52"
SRC_URI = "git://git.subgraph.com/isa/make_ext4fs.git;protocol=https;branch=master"
DEPENDS = "zlib-native"
inherit pkgconfig native
PACKAGECONFIG = ""
S = "${WORKDIR}/git"
BBCLASSEXTEND = "native"
do_compile () {
export LDFLAGS=""
oe_runmake
}
do_install () {
pwd
ls
install -d ${D}${bindir}
install -m 755 -T ${B}/make_ext4fs ${D}${bindir}/make_ext4fs
}

13
meta-citadel/recipes-support/nss/nss_3.74.bb
View File

@ -76,6 +76,7 @@ do_compile:prepend:class-native() {
do_compile() { do_compile() {
export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr
export NSS_FIPS_DISABLED
export CROSS_COMPILE=1 export CROSS_COMPILE=1
export NATIVE_CC="${BUILD_CC}" export NATIVE_CC="${BUILD_CC}"
@ -247,18 +248,6 @@ do_install:append:class-target() {
PACKAGE_WRITE_DEPS += "nss-native" PACKAGE_WRITE_DEPS += "nss-native"
pkg_postinst:${PN} () {
for I in $D${libdir}/lib*.chk; do
DN=`dirname $I`
BN=`basename $I .chk`
FN=$DN/$BN.so
shlibsign -i $FN
if [ $? -ne 0 ]; then
echo "shlibsign -i $FN failed"
fi
done
}
PACKAGES =+ "${PN}-smime" PACKAGES =+ "${PN}-smime"
FILES:${PN}-smime = "\ FILES:${PN}-smime = "\
${bindir}/smime \ ${bindir}/smime \

28
meta-gnome/recipes-gnome/libgtop/libgtop/0001-Fix-reproducibility-issue.patch Normal file
View File

@ -0,0 +1,28 @@
From 805d67b57d1b229f8fafc942df51e7a3b830889a Mon Sep 17 00:00:00 2001
From: isa <isa@subgraph.com>
Date: Thu, 7 Mar 2024 22:06:04 +0000
Subject: [PATCH] Fix reproducibility issue
---
src/daemon/Makefile.am | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/daemon/Makefile.am b/src/daemon/Makefile.am
index e7eb1f2..d486819 100644
--- a/src/daemon/Makefile.am
+++ b/src/daemon/Makefile.am
@@ -13,10 +13,10 @@
##
AM_CPPFLAGS = $(LIBGTOP_CFLAGS) @AM_CPPFLAGS@ -D_BSD \
- -DLIBGTOP_COMPILE_SYSTEM="\"`uname -s`\"" \
- -DLIBGTOP_COMPILE_RELEASE="\"`uname -r`\"" \
- -DLIBGTOP_COMPILE_VERSION="\"`uname -v`\"" \
- -DLIBGTOP_COMPILE_MACHINE="\"`uname -m`\""
+ -DLIBGTOP_COMPILE_SYSTEM="\"Linux\"" \
+ -DLIBGTOP_COMPILE_RELEASE="\"6.7.4\"" \
+ -DLIBGTOP_COMPILE_VERSION="\"SMP PREEMPT_DYNAMIC\"" \
+ -DLIBGTOP_COMPILE_MACHINE="\"x86_64\""
if LIBGTOP_NEED_SERVER
suid_sysdeps = $(top_builddir)/sysdeps/@sysdeps_dir@/libgtop_sysdeps_suid-2.0.la

1
meta-gnome/recipes-gnome/libgtop/libgtop_2.41.3.bb
View File

@ -7,6 +7,7 @@ inherit gnomebase lib_package gtk-doc gobject-introspection gettext upstream-ver
ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}" ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
SRC_URI += " file://0001-Fix-reproducibility-issue.patch"
SRC_URI[archive.sha256sum] = "775676df958e2ea2452f7568f28b2ea581063d312773dd5c0b7624c1b9b2da8c" SRC_URI[archive.sha256sum] = "775676df958e2ea2452f7568f28b2ea581063d312773dd5c0b7624c1b9b2da8c"
DEPENDS = "glib-2.0 libxau" DEPENDS = "glib-2.0 libxau"

2
realmfs-builder/basic-image.conf
View File

@ -1 +1 @@
PACKAGES="man manpages neovim iputils-ping tmux vifm gnome-terminal firefox nautilus eog evince unzip x264 yelp" PACKAGES="man manpages neovim iputils-ping tmux vifm gnome-terminal firefox-esr nautilus eog evince unzip x264 yelp"

2
realmfs-builder/build-template.conf
View File

@ -26,7 +26,7 @@ PACKAGES="man manpages vim-nox iputils-ping tmux gnome-terminal firefox nautilus
# they can just be deleted. Or you can keep them, the result will be the same. # they can just be deleted. Or you can keep them, the result will be the same.
# #
DEBIAN_RELEASE="bullseye" DEBIAN_RELEASE="bookworm"
DEBIAN_MIRROR="https://deb.debian.org/debian" DEBIAN_MIRROR="https://deb.debian.org/debian"
# #

2
realmfs-builder/common.inc
View File

@ -1,6 +1,6 @@
: ${DEBIAN_MIRROR:="https://deb.debian.org/debian"} : ${DEBIAN_MIRROR:="https://deb.debian.org/debian"}
: ${DEBIAN_RELEASE:="bullseye"} : ${DEBIAN_RELEASE:="bookworm"}
BASE_PACKAGES="iproute2 less xz-utils sudo dbus libpam-systemd openssh-client packagekit-gtk3-module libcanberra-gtk3-module libpulse0 fonts-roboto-hinted bash-completion" BASE_PACKAGES="iproute2 less xz-utils sudo dbus libpam-systemd openssh-client packagekit-gtk3-module libcanberra-gtk3-module libpulse0 fonts-roboto-hinted bash-completion"

2
realmfs-builder/realmfs-modules/create-user
View File

@ -1,6 +1,6 @@
info "Creating user account" info "Creating user account"
useradd -s /bin/bash -m user useradd -s /bin/bash -m user
echo "user:user" | chpasswd echo "user:user" | chpasswd -c NONE
usermod -aG sudo user usermod -aG sudo user
echo "export DISPLAY=:0" >> /home/user/.bashrc echo "export DISPLAY=:0" >> /home/user/.bashrc

1
realmfs-builder/realmfs-modules/write-apt-sources
View File

@ -3,6 +3,5 @@ info "Writing /etc/apt/sources.list"
{ {
echo "deb ${DEBIAN_MIRROR} ${DEBIAN_RELEASE} main contrib non-free" echo "deb ${DEBIAN_MIRROR} ${DEBIAN_RELEASE} main contrib non-free"
echo "deb ${DEBIAN_MIRROR}-security ${DEBIAN_RELEASE}-security main contrib non-free" echo "deb ${DEBIAN_MIRROR}-security ${DEBIAN_RELEASE}-security main contrib non-free"
echo "deb ${DEBIAN_MIRROR} unstable main"
} > /etc/apt/sources.list } > /etc/apt/sources.list

59
realmfs-builder/stage-one.sh
View File

@ -29,22 +29,43 @@ setup_rootfs() {
} }
run_debootstrap() { run_debootstrap() {
#[[ -f ${CACHE_DIR}/lock ]] && rm -f ${CACHE_DIR}/lock
#mkdir --parents ${CACHE_DIR} ${ROOTFS}/var/cache/apt/archives
[[ -f ${CACHE_DIR}/lock ]] && rm -f ${CACHE_DIR}/lock #info "Bind mounting ${CACHE_DIR} to ${ROOTFS}/var/cache/apt/archives"
mkdir --parents ${CACHE_DIR} ${ROOTFS}/var/cache/apt/archives #mount --bind ${CACHE_DIR} ${ROOTFS}/var/cache/apt/archives
info "Bind mounting ${CACHE_DIR} to ${ROOTFS}/var/cache/apt/archives" info "Launching mmdebstrap"
mount --bind ${CACHE_DIR} ${ROOTFS}/var/cache/apt/archives
info "Launching debootstrap" export SOURCE_DATE_EPOCH="1718285985"
debootstrap --verbose --merged-usr --variant=minbase \ mmdebstrap --variant=minbase \
--include=systemd-sysv,locales \ --include=systemd-sysv,locales,ca-certificates \
${DEBIAN_RELEASE} ${ROOTFS} ${DEBIAN_MIRROR} ${DEBIAN_RELEASE} ${ROOTFS} ${DEBIAN_MIRROR}
} }
setup_chroot() { make_reproducible() {
#umount ${ROOTFS}/var/cache/apt/archives
rm -rdf ${ROOTFS}/var/cache/*
rm ${ROOTFS}/var/log/apt/term.log
rm ${ROOTFS}/var/log/apt/history.log
rm ${ROOTFS}/var/log/bootstrap.log || true
rm ${ROOTFS}/var/log/fontconfig.log || true
rm ${ROOTFS}/var/log/dpkg.log
rm ${ROOTFS}/var/log/alternatives.log
rm ${ROOTFS}/var/log/eipp.log.xz || true
rm -rdf ${ROOTFS}/var/lib/apt/lists/*
awk -i inplace -F":" '{OFS=FS}{ $3="1" ; print }' ${ROOTFS}/etc/shadow # do not record date of last password change
echo "bf58db8bc11448788138633a01a06cdd" > ${ROOTFS}/etc/machine-id
echo "bf58db8bc11448788138633a01a06cdd" > ${ROOTFS}/var/lib/dbus/machine-id
echo -e "# Generated during realmfs build\nnameserver 192.168.4.1" > ${ROOTFS}/etc/resolv.conf
echo -e "# File generated during realmfs build\nLC_COLLATE=C\nLANG=en_US.UTF-8" > ${ROOTFS}/etc/default/locale
}
setup_chroot() {
mount chproc ${ROOTFS}/proc -t proc mount chproc ${ROOTFS}/proc -t proc
mount chsys ${ROOTFS}/sys -t sysfs mount chsys ${ROOTFS}/sys -t sysfs
mount chtmp ${ROOTFS}/tmp -t tmpfs mount chtmp ${ROOTFS}/tmp -t tmpfs
@ -60,10 +81,11 @@ setup_chroot() {
} }
cleanup_chroot() { cleanup_chroot() {
make_reproducible
umount ${ROOTFS}/proc umount ${ROOTFS}/proc
umount ${ROOTFS}/sys umount ${ROOTFS}/sys
umount ${ROOTFS}/tmp umount ${ROOTFS}/tmp
umount ${ROOTFS}/var/cache/apt/archives
# Remove cache files in case we are creating a tarball for distribution # Remove cache files in case we are creating a tarball for distribution
rm -f ${ROOTFS}/var/cache/apt/pkgcache.bin rm -f ${ROOTFS}/var/cache/apt/pkgcache.bin
@ -71,7 +93,6 @@ cleanup_chroot() {
} }
run_chroot_stage() { run_chroot_stage() {
setup_chroot setup_chroot
# #
@ -103,15 +124,27 @@ generate_tarball() {
echo echo
} }
build_make_ext4fs() {
cd ${WORKDIR}
if [ ! -d "make_ext4fs" ]; then
git clone https://git.subgraph.com/isa/make_ext4fs.git
fi
cd make_ext4fs
git checkout 5c201be7d72aff735da27e17c29852e0cefe3e52
make
cd ../..
}
generate_image() { generate_image() {
# BLOCKS=$(du -ks ${ROOTFS} | cut -f1) # BLOCKS=$(du -ks ${ROOTFS} | cut -f1)
# BLOCKS=$(expr ${BLOCKS} \* 12 / 10) # BLOCKS=$(expr ${BLOCKS} \* 12 / 10)
# SIZE=$(expr ${BLOCKS} \* 1024) # SIZE=$(expr ${BLOCKS} \* 1024)
# echo "Size is ${SIZE}" # echo "Size is ${SIZE}"
build_make_ext4fs
BLOCKS=$(expr 440 \* 1024) BLOCKS=$(expr 440 \* 1024)
# allow online resize up to 32G # allow online resize up to 32G
dd if=/dev/zero of=${WORKDIR}/citadel-realmfs.ext4 seek=${BLOCKS} count=0 bs=4096 dd if=/dev/zero of=${WORKDIR}/citadel-realmfs.ext4 seek=${BLOCKS} count=0 bs=4096
mkfs.ext4 -d ${ROOTFS} -i 4096 -b 4096 -F ${WORKDIR}/citadel-realmfs.ext4 ${BLOCKS} || exit 1 ${WORKDIR}/make_ext4fs/make_ext4fs -l 2G -T "1712775988" -b 4096 ${WORKDIR}/citadel-realmfs.ext4 ${ROOTFS} || exit 1
} }
usage() { usage() {
@ -156,7 +189,6 @@ try_config() {
} }
WORKDIR="$(pwd)/realmfs" WORKDIR="$(pwd)/realmfs"
BUILDFILE=""
DO_TAR=0 DO_TAR=0
DO_XZ=0 DO_XZ=0
@ -223,7 +255,7 @@ if [ "$EUID" -ne 0 ]; then
exit 1 exit 1
fi fi
if [[ -z ${BUILDFILE} ]]; then if [[ -z ${BUILDFILE-} ]]; then
BUILDFILE=$(try_config "${PWD}/build.conf" || try_config "${REALMFS_BUILDER_BASE}/basic-image.conf") || fatal "Could not find a configuration file to use" BUILDFILE=$(try_config "${PWD}/build.conf" || try_config "${REALMFS_BUILDER_BASE}/basic-image.conf") || fatal "Could not find a configuration file to use"
fi fi
@ -245,7 +277,6 @@ run_debootstrap
run_chroot_stage run_chroot_stage
info "rootfs build is completed:" info "rootfs build is completed:"
info " $(du -sh ${ROOTFS})" info " $(du -sh ${ROOTFS})"

8
scripts/docker/Dockerfile
View File

@ -30,7 +30,12 @@ RUN apt update && apt install -y gawk \
file \ file \
liblz4-tool \ liblz4-tool \
zstd \ zstd \
xwayland xwayland \
mmdebstrap \
apt-utils \
usrmerge \
faketime \
diffoscope
# python # python
RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
@ -38,6 +43,7 @@ RUN locale-gen
RUN update-locale LANG=en_US.UTF-8 RUN update-locale LANG=en_US.UTF-8
ENV LC_ALL en_US.UTF-8 ENV LC_ALL en_US.UTF-8
ENV LC_CTYPE en_US.UTF-8 ENV LC_CTYPE en_US.UTF-8
ENV LC_COLLATE en_US.UTF-8
RUN useradd -ms /bin/bash builder RUN useradd -ms /bin/bash builder
RUN echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers RUN echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers