From f1c0f2f8b503ae0cbdb8532588c99aeec0ed6524 Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Sun, 4 Aug 2024 13:11:28 -0700
Subject: [PATCH] working reproduction
---
 Containerfile | 69 ++++++++++++++++++++++++++++++---------------------
 Makefile | 14 +++++++----
 2 files changed, 50 insertions(+), 33 deletions(-)
diff --git a/Containerfile b/Containerfile
index 16afbdb..ac3d19a 100644
--- a/Containerfile
+++ b/Containerfile
@@ -22,7 +22,6 @@ FROM stagex/libgcrypt:sx2024.08.0@sha256:ea1906215d18688d96fc5329301af649834fe96
 FROM stagex/jq:sx2024.08.0@sha256:0297a099ae95eed13d48bce2d4d624544857680095b6201e9919e1d5da45a6cd AS jq
 FROM stagex/yq:sx2024.08.0@sha256:10e80bd7cec3c6e0a7fd36c65bac13600368bff993ad42b03e3b787d2125e5f0 AS yq
 FROM stagex/bc:sx2024.08.0@sha256:1ecf6029ceed91dd62b08c64e49f00518edcf6c10ac4ab2fe7e8f71943607eef AS bc
-FROM stagex/git:sx2024.08.0@sha256:d177bde1f1ca0f20f74502af4da17b89628683f21116573ada69f38b46d367a6 AS git
 FROM stagex/zlib:sx2024.08.0@sha256:d0d6eef463a410191e086448c710441109ae72693cb074fe2b795ee033aa6c9d AS zlib
 FROM stagex/tpm2-tools:sx2024.08.0@sha256:1693d4ef7e0b7df3e9bd60088588d94b7f5bf755fde0c1be695f3c2f00ec2897 AS tpm2-tools
 FROM stagex/tpm2-tss:sx2024.08.0@sha256:5e362f43a5e0c49f774605a0e3e1b7523dc6bc775f537c206a3aaa8b8b733c93 AS tpm2-tss
@@ -70,7 +69,6 @@ COPY --from=gpg . initramfs
 COPY --from=jq . initramfs
 COPY --from=yq . initramfs
 COPY --from=bc . initramfs
-COPY --from=git . initramfs
 COPY --from=flashtools . initramfs
 COPY --from=tpm2-tools . initramfs
 COPY --from=tpm2-tss . initramfs
@@ -93,10 +91,19 @@ COPY <<-EOF initramfs/etc/environment
 export GIT_KEY="$GIT_KEY"
 EOF
 RUN <<-EOF
- cd initramfs
- find . -print0 \
- | cpio --null --create --verbose --format=newc \
- | gzip --best > ../iso/boot/initramfs
+ set -eux
+ cd initramfs
+ find . -exec touch -hcd "@0" "{}" +
+ find . -print0 \
+ | sort -z \
+ | cpio \
+ --null \
+ --create \
+ --verbose \
+ --reproducible \
+ --format=newc \
+ | gzip --best \
+ > ../iso/boot/initramfs
 EOF
 ## Grub (EFI Boot)
@@ -126,8 +133,9 @@ RUN <<-EOF
 gzio \
 serial \
 terminal
+ find efi -exec touch -hcd "@0" "{}" +
 mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
- mcopy -i iso/boot/grub/efi.img -s efi ::
+ mcopy -i iso/boot/grub/efi.img -ms efi ::
 touch -md "@0" iso/boot/grub/efi.img
 EOF
@@ -144,25 +152,32 @@ COPY --from=syslinux \
 ## Build Hybrid EFI/BIOS ISO
 FROM build AS install
-RUN xorrisofs \
- -output airgap.iso \
- -full-iso9660-filenames \
- -joliet \
- -rational-rock \
- -sysid LINUX \
- -volid "airgap" \
- -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
- -eltorito-boot boot/syslinux/isolinux.bin \
- -eltorito-catalog boot/syslinux/boot.cat \
- -no-emul-boot \
- -boot-load-size 4 \
- -boot-info-table \
- -eltorito-alt-boot \
- -e boot/grub/efi.img \
- -no-emul-boot \
- -isohybrid-gpt-basdat \
- -follow-links \
- iso/
+ENV SOURCE_DATE_EPOCH=1
+# --set_all_file_dates='1'
+# --modification-date='1970010100000000' \
+RUN <<-EOF
+ set -eux
+ find iso -exec touch -hcd "@0" "{}" +
+ xorrisofs \
+ -output airgap.iso \
+ -full-iso9660-filenames \
+ -joliet \
+ -rational-rock \
+ -sysid LINUX \
+ -volid "airgap" \
+ -isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
+ -eltorito-boot boot/syslinux/isolinux.bin \
+ -eltorito-catalog boot/syslinux/boot.cat \
+ -no-emul-boot \
+ -boot-load-size 4 \
+ -boot-info-table \
+ -eltorito-alt-boot \
+ -e boot/grub/efi.img \
+ -no-emul-boot \
+ -isohybrid-gpt-basdat \
+ -follow-links \
+ iso/
+EOF
 ## Minimal Autorun SD card image
 COPY sdcard sdcard
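Review bot: The `sort -z` added in the initramfs hunk (`@@ -93,10 +91,19 @@`) orders the cpio member list by whatever locale the build environment resolves, so the archive order is only stable while every builder collates the same way; `| LC_ALL=C sort -z \` pins it. The final `| gzip --best \` stage reads from a pipe, and depending on the gzip implementation in the image the header may carry a timestamp, so `| gzip --best --no-name \` is worth using if that gzip accepts the option. A short shell comment above the `find . -exec touch` line, such as `# zero mtimes so the cpio archive is bit-for-bit reproducible`, would record why the step exists.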
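Review bot: Two different epochs are in play in the ISO hunk (`@@ -144,25 +152,32 @@`): file mtimes are set with `touch -hcd "@0"` while xorrisofs runs under `ENV SOURCE_DATE_EPOCH=1`, and the Makefile hunk `@@ -23,9 +24,11 @@` hard-codes `SOURCE_DATE_EPOCH=1` twice more. If the 0-versus-1 split is intentional it needs a comment saying why; otherwise derive the timestamps from the one variable, e.g. `find iso -exec touch -hcd "@${SOURCE_DATE_EPOCH}" "{}" +`, and do the same for the earlier `touch` calls once the variable is declared in their stage. The two commented-out option lines (`# --set_all_file_dates='1'` and the `# --modification-date=...` line, which ends in a backslash) read as leftovers from experimentation; I would drop them or replace them with one sentence on why `SOURCE_DATE_EPOCH` is used instead.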
@@ -174,7 +189,5 @@ RUN <<-EOF
 EOF
 FROM scratch AS package
-COPY --from=install /iso /iso
-COPY --from=install /initramfs /initramfs
 COPY --from=install /sdcard.img /
 COPY --from=install /airgap.iso /
diff --git a/Makefile b/Makefile
index 4420b0c..64fe464 100644
--- a/Makefile
+++ b/Makefile
@@ -1,17 +1,18 @@
-VERSION := $(shell git tag --points-at HEAD)
+VERSION := development
 GIT_REF := $(shell git log -1 --format=%H)
 GIT_AUTHOR := $(shell git log -1 --format=%an)
 GIT_KEY := $(shell git log -1 --format=%GP)
 GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
-VERSION := development
 export
 ## Use env vars from latest release when reproducing
 ifdef REPRODUCE
 include dist/release.env
-NO_CACHE := --no-cache
 export
 endif
+ifdef NOCACHE
+NO_CACHE := --no-cache
+endif
 .DEFAULT_GOAL :=
 .PHONY: default
@@ -23,9 +24,11 @@ default: \
 ## Primary targets
 out/airgap.iso: Containerfile $(shell git ls-files rootfs)
+ SOURCE_DATE_EPOCH=1 \
 docker build \
 --progress=plain \
 --output type=local,rewrite-timestamp=true,dest=out \
+ --build-arg SOURCE_DATE_EPOCH=1 \
 --build-arg VERSION="$(VERSION)" \
 --build-arg GIT_REF="$(GIT_REF)" \
 --build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
@@ -76,8 +79,9 @@ clean:
 rm -rf out
 .PHONY: release
-release: default
+release: clean
 rm -rf dist/*
+ $(MAKE) NOCACHE=1 VERSION=$(VERSION)
 cp -R out/release.env out/airgap.iso out/manifest.txt dist/
 .PHONY: sign
@@ -106,7 +110,7 @@ verify: | dist/manifest.txt
 .PHONY: reproduce
 reproduce: clean | out
- $(MAKE) REPRODUCE=true
+ $(MAKE) REPRODUCE=true NOCACHE=1
 diff -q out/manifest.txt dist/manifest.txt;
 out:
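Review bot: A direct `make REPRODUCE=true` no longer forces a clean rebuild, because the first Makefile hunk (`@@ -1,17 +1,18 @@`) moves `NO_CACHE := --no-cache` out of the `ifdef REPRODUCE` block and only the `reproduce` target (hunk `@@ -106,7 +110,7 @@`) adds `NOCACHE=1`. A reproduction that can reuse local layers from the original build says little about whether the image can be rebuilt independently, so I would keep `NO_CACHE := --no-cache` inside `ifdef REPRODUCE` as well as under `ifdef NOCACHE`. Where `NO_CACHE` is consumed lies outside the visible hunks, so this assumes it is still passed to `docker build`. The near-identical names also deserve a comment above the new block, e.g. `## NOCACHE=1 on the command line sets NO_CACHE for docker build`.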