working reproduction
parent
1f2ce99275
commit
f1c0f2f8b5
|
@ -22,7 +22,6 @@ FROM stagex/libgcrypt:sx2024.08.0@sha256:ea1906215d18688d96fc5329301af649834fe96
|
|||
FROM stagex/jq:sx2024.08.0@sha256:0297a099ae95eed13d48bce2d4d624544857680095b6201e9919e1d5da45a6cd AS jq
|
||||
FROM stagex/yq:sx2024.08.0@sha256:10e80bd7cec3c6e0a7fd36c65bac13600368bff993ad42b03e3b787d2125e5f0 AS yq
|
||||
FROM stagex/bc:sx2024.08.0@sha256:1ecf6029ceed91dd62b08c64e49f00518edcf6c10ac4ab2fe7e8f71943607eef AS bc
|
||||
FROM stagex/git:sx2024.08.0@sha256:d177bde1f1ca0f20f74502af4da17b89628683f21116573ada69f38b46d367a6 AS git
|
||||
FROM stagex/zlib:sx2024.08.0@sha256:d0d6eef463a410191e086448c710441109ae72693cb074fe2b795ee033aa6c9d AS zlib
|
||||
FROM stagex/tpm2-tools:sx2024.08.0@sha256:1693d4ef7e0b7df3e9bd60088588d94b7f5bf755fde0c1be695f3c2f00ec2897 AS tpm2-tools
|
||||
FROM stagex/tpm2-tss:sx2024.08.0@sha256:5e362f43a5e0c49f774605a0e3e1b7523dc6bc775f537c206a3aaa8b8b733c93 AS tpm2-tss
|
||||
|
@ -70,7 +69,6 @@ COPY --from=gpg . initramfs
|
|||
COPY --from=jq . initramfs
|
||||
COPY --from=yq . initramfs
|
||||
COPY --from=bc . initramfs
|
||||
COPY --from=git . initramfs
|
||||
COPY --from=flashtools . initramfs
|
||||
COPY --from=tpm2-tools . initramfs
|
||||
COPY --from=tpm2-tss . initramfs
|
||||
|
@ -93,10 +91,19 @@ COPY <<-EOF initramfs/etc/environment
|
|||
export GIT_KEY="$GIT_KEY"
|
||||
EOF
|
||||
RUN <<-EOF
|
||||
cd initramfs
|
||||
find . -print0 \
|
||||
| cpio --null --create --verbose --format=newc \
|
||||
| gzip --best > ../iso/boot/initramfs
|
||||
set -eux
|
||||
cd initramfs
|
||||
find . -exec touch -hcd "@0" "{}" +
|
||||
find . -print0 \
|
||||
| sort -z \
|
||||
| cpio \
|
||||
--null \
|
||||
--create \
|
||||
--verbose \
|
||||
--reproducible \
|
||||
--format=newc \
|
||||
| gzip --best \
|
||||
> ../iso/boot/initramfs
|
||||
EOF
|
||||
|
||||
## Grub (EFI Boot)
|
||||
|
@ -126,8 +133,9 @@ RUN <<-EOF
|
|||
gzio \
|
||||
serial \
|
||||
terminal
|
||||
find efi -exec touch -hcd "@0" "{}" +
|
||||
mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
|
||||
mcopy -i iso/boot/grub/efi.img -s efi ::
|
||||
mcopy -i iso/boot/grub/efi.img -ms efi ::
|
||||
touch -md "@0" iso/boot/grub/efi.img
|
||||
EOF
|
||||
|
||||
|
@ -144,25 +152,32 @@ COPY --from=syslinux \
|
|||
|
||||
## Build Hybrid EFI/BIOS ISO
|
||||
FROM build AS install
|
||||
RUN xorrisofs \
|
||||
-output airgap.iso \
|
||||
-full-iso9660-filenames \
|
||||
-joliet \
|
||||
-rational-rock \
|
||||
-sysid LINUX \
|
||||
-volid "airgap" \
|
||||
-isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
|
||||
-eltorito-boot boot/syslinux/isolinux.bin \
|
||||
-eltorito-catalog boot/syslinux/boot.cat \
|
||||
-no-emul-boot \
|
||||
-boot-load-size 4 \
|
||||
-boot-info-table \
|
||||
-eltorito-alt-boot \
|
||||
-e boot/grub/efi.img \
|
||||
-no-emul-boot \
|
||||
-isohybrid-gpt-basdat \
|
||||
-follow-links \
|
||||
iso/
|
||||
ENV SOURCE_DATE_EPOCH=1
|
||||
# --set_all_file_dates='1'
|
||||
# --modification-date='1970010100000000' \
|
||||
RUN <<-EOF
|
||||
set -eux
|
||||
find iso -exec touch -hcd "@0" "{}" +
|
||||
xorrisofs \
|
||||
-output airgap.iso \
|
||||
-full-iso9660-filenames \
|
||||
-joliet \
|
||||
-rational-rock \
|
||||
-sysid LINUX \
|
||||
-volid "airgap" \
|
||||
-isohybrid-mbr iso/boot/syslinux/isohdpfx.bin \
|
||||
-eltorito-boot boot/syslinux/isolinux.bin \
|
||||
-eltorito-catalog boot/syslinux/boot.cat \
|
||||
-no-emul-boot \
|
||||
-boot-load-size 4 \
|
||||
-boot-info-table \
|
||||
-eltorito-alt-boot \
|
||||
-e boot/grub/efi.img \
|
||||
-no-emul-boot \
|
||||
-isohybrid-gpt-basdat \
|
||||
-follow-links \
|
||||
iso/
|
||||
EOF
|
||||
|
||||
## Minimal Autorun SD card image
|
||||
COPY sdcard sdcard
|
||||
|
@ -174,7 +189,5 @@ RUN <<-EOF
|
|||
EOF
|
||||
|
||||
FROM scratch AS package
|
||||
COPY --from=install /iso /iso
|
||||
COPY --from=install /initramfs /initramfs
|
||||
COPY --from=install /sdcard.img /
|
||||
COPY --from=install /airgap.iso /
|
||||
|
|
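Review bot: The final `gzip --best` stage of the initramfs pipeline reads from a pipe without `--no-name`, so whether the gzip header carries a wall-clock timestamp depends on the gzip build in the image. File mtimes and entry order are already pinned, so I would make this step explicit as well: `| gzip --best --no-name \`. The timestamps are also pinned with two different literals, `@0` in the `touch` calls and `1` in `ENV SOURCE_DATE_EPOCH=1`; a single value would be easier to audit. The two commented-out option lines above the xorrisofs `RUN` (`# --set_all_file_dates='1'` and `# --modification-date=...`) look like leftovers and could be dropped, or replaced by a comment saying why `SOURCE_DATE_EPOCH` is sufficient.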
14
Makefile
14
Makefile
|
@ -1,17 +1,18 @@
|
|||
VERSION := $(shell git tag --points-at HEAD)
|
||||
VERSION := development
|
||||
GIT_REF := $(shell git log -1 --format=%H)
|
||||
GIT_AUTHOR := $(shell git log -1 --format=%an)
|
||||
GIT_KEY := $(shell git log -1 --format=%GP)
|
||||
GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
|
||||
VERSION := development
|
||||
export
|
||||
|
||||
## Use env vars from latest release when reproducing
|
||||
ifdef REPRODUCE
|
||||
include dist/release.env
|
||||
NO_CACHE := --no-cache
|
||||
export
|
||||
endif
|
||||
ifdef NOCACHE
|
||||
NO_CACHE := --no-cache
|
||||
endif
|
||||
|
||||
.DEFAULT_GOAL :=
|
||||
.PHONY: default
|
||||
|
@ -23,9 +24,11 @@ default: \
|
|||
## Primary targets
|
||||
|
||||
out/airgap.iso: Containerfile $(shell git ls-files rootfs)
|
||||
SOURCE_DATE_EPOCH=1 \
|
||||
docker build \
|
||||
--progress=plain \
|
||||
--output type=local,rewrite-timestamp=true,dest=out \
|
||||
--build-arg SOURCE_DATE_EPOCH=1 \
|
||||
--build-arg VERSION="$(VERSION)" \
|
||||
--build-arg GIT_REF="$(GIT_REF)" \
|
||||
--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
|
||||
|
@ -76,8 +79,9 @@ clean:
|
|||
rm -rf out
|
||||
|
||||
.PHONY: release
|
||||
release: default
|
||||
release: clean
|
||||
rm -rf dist/*
|
||||
$(MAKE) NOCACHE=1 VERSION=$(VERSION)
|
||||
cp -R out/release.env out/airgap.iso out/manifest.txt dist/
|
||||
|
||||
.PHONY: sign
|
||||
|
@ -106,7 +110,7 @@ verify: | dist/manifest.txt
|
|||
|
||||
.PHONY: reproduce
|
||||
reproduce: clean | out
|
||||
$(MAKE) REPRODUCE=true
|
||||
$(MAKE) REPRODUCE=true NOCACHE=1
|
||||
diff -q out/manifest.txt dist/manifest.txt;
|
||||
|
||||
out:
|
||||
|
|
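Review bot: In the `out/airgap.iso` recipe, `--build-arg GIT_AUTHOR="$(GIT_AUTHOR)"` and the `VERSION` and `GIT_REF` lines beside it paste the value into the shell command text, and double quotes do not stop the shell from interpreting command substitutions or embedded quotes in it. `GIT_AUTHOR` comes from `git log -1 --format=%an` or, under `REPRODUCE`, from `dist/release.env`, so it is not a trusted constant. The bare `export` already puts these variables in the recipe environment, so the shell can read them itself: `--build-arg GIT_AUTHOR="$$GIT_AUTHOR" \`, and likewise for the others. The recipe continues past the end of the hunk, so any further `--build-arg` lines there would need the same treatment. In `release`, `$(MAKE) NOCACHE=1 VERSION=$(VERSION)` has the same unquoted expansion and could be written `VERSION='$(VERSION)'`.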