To ensure integrity against build machine or developer compromise, we should be able to produce identical binaries when building the same source on two different (but possibly identically configured) machines.
Team: anonym, lamby, bertagaz, u, kibi and intrigeri
Export last changelog entry's timestamp as SOURCE_DATE_EPOCH (refs: #5630).
Don't include /var/cache/ldconfig/aux-cache in the ISO (refs: #5630).
It causes reproducibility issues, and is not needed strictly speaking.
Don't include monkeysphere private key in the ISO (refs: #5630).
It causes reproducibility issues and should not be shared among all
Tails systems. Thankfully it is only useful when using monkeysphere
to authenticate users connecting to the Tails system, and we don't
ship SSHd, so 1. shipping that key previously was not a security issue;
2. we don't have to generate this key at boot time.
Merge remote-tracking branch 'lamby/regenerate-fontconfig' into feature/5630-deterministic-builds
Don't ship /etc/console-setup/cached_setup_keyboard.sh in the ISO.
It's useless since it refers to a file in /tmp that won't exist anyway,
and it causes reproducibility issues.
Don't ship /root/.gnupg/trustdb.gpg in the ISO: it's not needed and causes reproducibility issues (refs: #5630).
Pretend that tails-keyring.gpg is created at $SOURCE_DATE_EPOCH, to make its content deterministic (refs: #5630).
Drop mtime clamping: lb_chroot_reproducible does that for us already (refs: #5630).
Don't pass -mkfs-fixed-time to mksquashfs, instead rely on having it honor $SOURCE_DATE_EPOCH (refs: #5630).
This reverts commit 0f56eea534f6cde1bee912cc51ceeb435790df80.
Normalize timestamps of files in config/chroot_local-includes before building.
Ensure /etc/resolv.conf is owned by root:root in the SquashFS.
lb_chroot_resolv will "cp -a" it from the source tree, so it inherits its
ownership from whoever cloned the Git repository. This has two problems.
First, this results in unsafe permissions on this file (e.g. a Vagrant build
results in the 'amnesia' user having write access to it). Second, building with
a different user results in a non-deterministic SquashFS.
Pass a fixed MBR ID to isohybrid (refs: #5630).
Otherwise, a random one is used, which makes the build unreproducible even when
the content of the ISO filesystem matches.
Reproducible builds post-processing: don't try deleting /etc/ssl/certs/java/cacerts that's not shipped anymore (refs: #5630).
Reproducible builds post-processing: don't try deleting /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/server/classes.jsa, that's not shipped anymore (refs: #5630).
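The normalizations these commits describe (timestamps clamped to SOURCE_DATE_EPOCH, root:root ownership regardless of who cloned the tree, a fixed entry order) can be tried on a small scale. The following is an added example, not Tails build code: it packs a tar archive as a stand-in for the SquashFS, and `build_image`, `make_tree`, the sample files and the epoch value are all constructed for illustration.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def build_image(src_dir, source_date_epoch):
    """Pack src_dir into tar bytes that depend only on paths, modes and contents."""
    entries = [os.path.join(r, n) for r, d, f in os.walk(src_dir) for n in d + f]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(entries):  # fixed order; os.walk() order varies by filesystem
            info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
            # Ownership must not leak from whoever cloned the source tree.
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            # Clamp: anything newer than SOURCE_DATE_EPOCH gets that timestamp.
            info.mtime = min(int(info.mtime), source_date_epoch)
            if info.isreg():
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
            else:
                tar.addfile(info)
    return buf.getvalue()


def make_tree(mtime):
    """Constructed sample tree; mtime stands in for 'when this machine checked it out'."""
    top = tempfile.mkdtemp()
    os.makedirs(os.path.join(top, "etc", "skel"))
    for rel, data in (("etc/resolv.conf", b"nameserver 127.0.0.1\n"),
                      ("etc/skel/.profile", b"umask 077\n")):
        with open(os.path.join(top, rel), "wb") as fh:
            fh.write(data)
    for root, dirs, files in os.walk(top):
        for name in dirs + files:
            os.utime(os.path.join(root, name), (mtime, mtime))
    return top


def demo():
    epoch = 1500000000  # constructed value; the build derives it from the changelog
    return [hashlib.sha256(build_image(make_tree(epoch + skew), epoch)).hexdigest()
            for skew in (100, 99999)]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Both digests match even though the two trees were "checked out" at different times; removing the clamp or the ownership reset makes them diverge between machines.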
#22 Updated by lamby almost 3 years ago
fontconfig issues should be resolved with: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857892
#25 Updated by intrigeri over 2 years ago
- Target version changed from 2017 to Tails_3.2
- Feature Branch deleted (
- This branch has nothing interesting now that we generate the fontconfig cache in a reproducible manner. I've renamed it to wip/feature/5630-deterministic-builds so it doesn't eat precious cycles on our CI infra. And anyway the only non-merge commit it has on top of testing is a trivial revert.
- Setting a target version that's before the sponsor deadline.