release: 2024.8.0

GIT_KEY GIT_PUBKEY
working reproduction
2024-08-04 14:17:11 -07:00 · 2024-08-04 13:29:39 -07:00 · 2024-08-04 13:11:28 -07:00 · 2024-08-04 13:10:24 -07:00 · 2024-08-03 15:52:30 -07:00
8 changed files with 83 additions and 41 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 cache/
 out/
 out*/
 .*
--- a/33
+++ b/33
@ -22,7 +22,6 @@ FROM stagex/libgcrypt:sx2024.08.0@sha256:ea1906215d18688d96fc5329301af649834fe96
 FROM stagex/jq:sx2024.08.0@sha256:0297a099ae95eed13d48bce2d4d624544857680095b6201e9919e1d5da45a6cd AS jq
 FROM stagex/yq:sx2024.08.0@sha256:10e80bd7cec3c6e0a7fd36c65bac13600368bff993ad42b03e3b787d2125e5f0 AS yq
 FROM stagex/bc:sx2024.08.0@sha256:1ecf6029ceed91dd62b08c64e49f00518edcf6c10ac4ab2fe7e8f71943607eef AS bc
 FROM stagex/git:sx2024.08.0@sha256:d177bde1f1ca0f20f74502af4da17b89628683f21116573ada69f38b46d367a6 AS git
 FROM stagex/zlib:sx2024.08.0@sha256:d0d6eef463a410191e086448c710441109ae72693cb074fe2b795ee033aa6c9d AS zlib
 FROM stagex/tpm2-tools:sx2024.08.0@sha256:1693d4ef7e0b7df3e9bd60088588d94b7f5bf755fde0c1be695f3c2f00ec2897 AS tpm2-tools
 FROM stagex/tpm2-tss:sx2024.08.0@sha256:5e362f43a5e0c49f774605a0e3e1b7523dc6bc775f537c206a3aaa8b8b733c93 AS tpm2-tss
@ -40,7 +39,7 @@ ARG VERSION development
 ARG GIT_TIMESTAMP null
 ARG GIT_AUTHOR null
 ARG GIT_REF null
-ARG GIT_KEY null
+ARG GIT_PUBKEY null
 COPY --from=busybox . /
 COPY --from=musl . /
 COPY --from=xorriso . /
@ -70,7 +69,6 @@ COPY --from=gpg . initramfs
 COPY --from=jq . initramfs
 COPY --from=yq . initramfs
 COPY --from=bc . initramfs
 COPY --from=git . initramfs
 COPY --from=flashtools . initramfs
 COPY --from=tpm2-tools . initramfs
 COPY --from=tpm2-tss . initramfs
@ -90,13 +88,22 @@ COPY <<-EOF initramfs/etc/environment
    export GIT_TIMESTAMP="$GIT_TIMESTAMP"
    export GIT_AUTHOR="$GIT_AUTHOR"
    export GIT_REF="$GIT_REF"
-    export GIT_KEY="$GIT_KEY"
+    export GIT_PUBKEY="$GIT_PUBKEY"
 EOF
 RUN <<-EOF
    set -eux
    cd initramfs
    find . -exec touch -hcd "@0" "{}" +
    find . -print0 \
-	| cpio --null --create --verbose --format=newc \
+    | sort -z \
-	| gzip --best > ../iso/boot/initramfs
+    | cpio \
        --null \
        --create \
        --verbose \
        --reproducible \
        --format=newc \
    | gzip --best \
    > ../iso/boot/initramfs
 EOF
 ## Grub (EFI Boot)
@ -126,8 +133,9 @@ RUN <<-EOF
        gzio \
        serial \
        terminal
    find efi -exec touch -hcd "@0" "{}" +
    mformat -i iso/boot/grub/efi.img -C -f 1440 -N 0 ::
-    mcopy -i iso/boot/grub/efi.img -s efi ::
+    mcopy -i iso/boot/grub/efi.img -ms efi ::
    touch -md "@0" iso/boot/grub/efi.img
 EOF
@ -144,7 +152,13 @@ COPY --from=syslinux \
 ## Build Hybrid EFI/BIOS ISO
 FROM build AS install
-RUN xorrisofs \
+ENV SOURCE_DATE_EPOCH=1
 # --set_all_file_dates='1'
 # --modification-date='1970010100000000' \
 RUN <<-EOF
    set -eux
    find iso -exec touch -hcd "@0" "{}" +
    xorrisofs \
        -output airgap.iso \
        -full-iso9660-filenames \
        -joliet \
@ -163,6 +177,7 @@ RUN xorrisofs \
        -isohybrid-gpt-basdat \
        -follow-links \
        iso/
 EOF
 ## Minimal Autorun SD card image
 COPY sdcard sdcard
@ -174,7 +189,5 @@ RUN <<-EOF
 EOF
 FROM scratch AS package
 COPY --from=install /iso /iso
 COPY --from=install /initramfs /initramfs
 COPY --from=install /sdcard.img /
 COPY --from=install /airgap.iso /
--- a/26
+++ b/26
@ -1,15 +1,17 @@
-VERSION := $(shell git tag --points-at HEAD)
+VERSION := development
 GIT_REF := $(shell git log -1 --format=%H)
 GIT_AUTHOR := $(shell git log -1 --format=%an)
-GIT_KEY := $(shell git log -1 --format=%GP)
+GIT_PUBKEY := $(shell git log -1 --format=%GP)
 GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
 VERSION := development
 export
 ## Use env vars from latest release when reproducing
 ifdef REPRODUCE
-    include dist/release.env
+include dist/release.env
-    export
+export
 endif
 ifdef NOCACHE
 NO_CACHE := --no-cache
 endif
 .DEFAULT_GOAL :=
@ -22,14 +24,17 @@ default: \
 ## Primary targets
 out/airgap.iso: Containerfile $(shell git ls-files rootfs)
 	SOURCE_DATE_EPOCH=1 \
 	docker build \
 		--progress=plain \
-		--output type=local,dest=out \
+		--output type=local,rewrite-timestamp=true,dest=out \
 		--build-arg SOURCE_DATE_EPOCH=1 \
 		--build-arg VERSION="$(VERSION)" \
 		--build-arg GIT_REF="$(GIT_REF)" \
 		--build-arg GIT_AUTHOR="$(GIT_AUTHOR)" \
-		--build-arg GIT_KEY="$(GIT_KEY)" \
+		--build-arg GIT_PUBKEY="$(GIT_PUBKEY)" \
 		--build-arg GIT_TIMESTAMP="$(GIT_TIMESTAMP)" \
 		$(NO_CACHE) \
 		-f Containerfile \
 		.
@ -74,8 +79,9 @@ clean:
 	rm -rf out
 .PHONY: release
-release: default
+release: clean
 	rm -rf dist/*
 	$(MAKE) NOCACHE=1 VERSION=$(VERSION)
 	cp -R out/release.env out/airgap.iso out/manifest.txt dist/
 .PHONY: sign
@ -104,7 +110,7 @@ verify: | dist/manifest.txt
 .PHONY: reproduce
 reproduce: clean | out
-	$(MAKE) REPRODUCE=true
+	$(MAKE) REPRODUCE=true NOCACHE=1
 	diff -q out/manifest.txt dist/manifest.txt;
 out:
@ -114,7 +120,7 @@ out/release.env: $(shell git ls-files) | out
 	echo 'VERSION=$(VERSION)'              > out/release.env
 	echo 'GIT_REF=$(GIT_REF)'             >> out/release.env
 	echo 'GIT_AUTHOR=$(GIT_AUTHOR)'       >> out/release.env
-	echo 'GIT_KEY=$(GIT_KEY)'             >> out/release.env
+	echo 'GIT_PUBKEY=$(GIT_PUBKEY)'             >> out/release.env
 	echo 'GIT_TIMESTAMP=$(GIT_TIMESTAMP)' >> out/release.env
 out/manifest.txt: out/airgap.iso out/release.env | out
--- a/README.md
+++ b/README.md
@ -66,6 +66,18 @@ make attest
 make sign
 ```
 ## Provisioning ##
 1. Write airgap.iso to CD-ROM or SD Card
  a. `dd if=out/airgap.iso of=/dev/sda bs=1M conv=sync status=progress`
  b. `cdrecord out/airgap.iso`
 2. Verify media still produces expected hash
  ```
  sha256sum out/airgap.iso
  head -c $(stat -c '%s' airgap.iso) /dev/sda | sha256sum
  ```
 ## Setup ##
 Assumes target is running Pureboot or Coreboot/heads
--- a/dist/airgap.iso
+++ b/dist/airgap.iso
--- a/dist/manifest.txt
+++ b/dist/manifest.txt
@ -0,0 +1,2 @@
 a78a023a9532927f0e7af7ce1177b8286fdfa425670d166932f46ee90abcafe8 airgap.iso
 bc742e2b08089bb2e685a71a45e1ab28d7bf6151bf06417e1bc729eb60353e0d release.env
--- a/dist/release.env
+++ b/dist/release.env
@ -0,0 +1,5 @@
 VERSION=2024.8.0
 GIT_REF=3cb460b72ed3fb03ac98c737852e19a154e58a7c
 GIT_AUTHOR=Lance R. Vick
 GIT_PUBKEY=6B61ECD76088748C70590D55E90A401336C8AAA9
 GIT_TIMESTAMP=2024-08-04 13:29:39 -0700
--- a/rootfs/etc/profile
+++ b/rootfs/etc/profile
@ -18,5 +18,5 @@ echo "  - Version: $VERSION"
 echo "  - Date: $GIT_TIMESTAMP"
 echo "  - Committer: $GIT_AUTHOR"
 echo "  - Commit: $GIT_REF"
-echo "  - Key: $GIT_KEY"
+echo "  - Key: $GIT_PUBKEY"
 echo ""
Author	SHA1	Message	Date
Lance Vick	dc8515ea02	release: 2024.8.0	2024-08-04 14:17:11 -07:00
Lance Vick	3cb460b72e	GIT_KEY GIT_PUBKEY	2024-08-04 13:29:39 -07:00
Lance Vick	f1c0f2f8b5	working reproduction	2024-08-04 13:11:28 -07:00
Lance Vick	1f2ce99275	ignore additional folders	2024-08-04 13:10:24 -07:00
Lance Vick	721ffad1f0	cache/determinism fixes and doc updates	2024-08-03 15:52:30 -07:00
		`@ -0,0 +1,2 @@`
							`a78a023a9532927f0e7af7ce1177b8286fdfa425670d166932f46ee90abcafe8 airgap.iso`
							`bc742e2b08089bb2e685a71a45e1ab28d7bf6151bf06417e1bc729eb60353e0d release.env`