Containerfile

@@ -1,65 +1,38 @@
-FROM stagex/user-alsa-lib:sx2025.02.0@sha256:5e29d15860ea2f01b7b4a614d2ffbc6bb41b87b8892138a93b4adca206105593 AS user-alsa-lib
-FROM stagex/core-bash:sx2025.02.0@sha256:ae98e66f8623629151d79fd2b574442778b50bd37511dea8da4237d4c18ce04c AS core-bash
-FROM stagex/core-bc:sx2025.02.0@sha256:8f0a8d3e86a2221f5179a1817f482013dbc5b5f8f985c1a3404a6f3975c5eda9 AS core-bc
-FROM stagex/core-busybox:sx2025.02.0@sha256:01b31cc07543733fbf6889e596427af943aba2780bc2f514a3d30bb290da7e2a AS core-busybox
-FROM stagex/user-ccid:sx2025.02.0@sha256:a2ab2199974a60fc711e881e8cda43007bd39482213fd9fa50c9580e027d6fa8 AS user-ccid
-FROM stagex/user-cpio:sx2025.02.0@sha256:d8837d12a89ef7e35c72115a7919224a3246a2e17a685b684628cc03957726ac AS user-cpio
-FROM stagex/core-curl:sx2025.02.0@sha256:b65975066d7b2256c51601749d947fa54ce9a23d4f2b46f4de7daf6f11f9730f AS core-curl
-FROM stagex/user-dtc:sx2025.02.0@sha256:39231aa3e2ca4e3ac46aa7faea4e7aee5733f425c35ae5ca83e54ce5b3629f89 AS user-dtc
-FROM stagex/user-eudev:sx2025.02.0@sha256:292ece79a82c2d2dc422d44a0d4e65dd6dde0304566a40f286e8e2ff62b59c52 AS user-eudev
-FROM stagex/user-flashtools:sx2025.02.0@sha256:1d3aa7c7e6f061e2f738b9bf01d9584786c9b96ae5f0e84d302278ae687a58cc AS user-flashtools
-FROM stagex/core-gcc:sx2025.02.0@sha256:02896413375c15cbff666fbab7c534caefc8936d53e167a6ea457a05c27e8096 AS core-gcc
-FROM stagex/user-glib:sx2025.02.0@sha256:b7e6e23e3d95b95f1e9183f3571bba21ebc2304c3ce5b545962651d29706f901 AS user-glib
-FROM stagex/core-gmp:sx2025.02.0@sha256:dfff470ef36b4383854435429fc5896b8e4f953fe7d0ec3ccff5422a651d0115 AS core-gmp
-FROM stagex/user-gpg:sx2025.02.0@sha256:df188d540aa18e8b9684941bff9a591270765141f0ad5a87a0e1d7cd9961da7a AS user-gpg
-FROM stagex/user-grub:sx2025.02.0@sha256:f2a574d88520fbc37ac233e3380d6cc89ce969e0abd36626fb04179355cf1d92 AS user-grub
-FROM stagex/user-icepick:sx2025.02.0@sha256:1d26fbf252a2ae7469b3dc4358fe11e17a54403ab184b58283798566c7f5972f AS user-icepick
-FROM stagex/user-ipxe:sx2025.02.0@sha256:bac91399972e5a12b534ee92ac6be103a9d28758c609926f168924eb9a175e4b AS user-ipxe
-FROM stagex/user-jq:sx2025.02.0@sha256:c6b5baceb4c171859d7a75c2919f12558fee7951db3fd87dae76076ac9d85fda AS user-jq
-FROM stagex/user-keyfork:sx2025.02.0@sha256:fbd40df303d57d7bc6209a7f59a64ec8ddddb2c607564591cdbae5b2acf70d2c AS user-keyfork
-FROM stagex/user-libaio:sx2025.02.0@sha256:6ec20e9f3a77c555a6bfcecd5b3461740fc6d3faa9a0f81b97ca3606819ef26b AS user-libaio
-FROM stagex/user-libassuan:sx2025.02.0@sha256:3aa891c65990114ba697d1bcf90c51515947daf932ce96d8861658391206c8c7 AS user-libassuan
-FROM stagex/core-libffi:sx2025.02.0@sha256:8b22d8fa8aa4da590fcc7257aba1b6a2eb74598f5f60a95900050bf00ce470ac AS core-libffi
-FROM stagex/user-libgcrypt:sx2025.02.0@sha256:2281a0b1093d2bc60f4208f3a34f7e01440c3dac31f122ed9b42a2417d4085c8 AS user-libgcrypt
-FROM stagex/user-libgpg-error:sx2025.02.0@sha256:902cfc4a40cc69e003dec008f4bbf86338f5984847d11f0d422f06a797e656b4 AS user-libgpg-error
-FROM stagex/user-libksba:sx2025.02.0@sha256:e6b7bd3a005a881b545b6b4066dc6392d741e1f062718428f9115db1a1edf23a AS user-libksba
-FROM stagex/user-libqrencode:sx2025.02.0@sha256:e6ed8097b670b0ea79018a50efc0cdde3968a2165b9ff3b7b96af92fc8a43b45 AS user-libqrencode
-FROM stagex/user-libseccomp:sx2025.02.0@sha256:632684b54847814367247b8d1247832fa56bb0dd8300495c342b0585cca47c10 AS user-libseccomp
-FROM stagex/user-libslirp:sx2025.02.0@sha256:29d98f357f98f91e634659b945ccbe834d37f4c9c7e243aeb8d47ed438df741d AS user-libslirp
-FROM stagex/user-libtpms:sx2025.02.0@sha256:09b410b27db7e3adbf61019fbdb6bb09fad597cb32de37f869b2f157332c771b AS user-libtpms
-FROM stagex/core-libunwind:sx2025.02.0@sha256:99e2574ace4f7dfa3d8bfc93ab69e1fd5f559924a80f5372b74ed868299e7131 AS core-libunwind
-FROM stagex/user-libusb:sx2025.02.0@sha256:b78ca9194fdb8dfb7b7177d16a156fac21e6c9822a0c35a17841400bc1a27f68 AS user-libusb
-FROM stagex/user-libzbar:sx2025.02.0@sha256:44ad89a661bc395d6b49d89a0367846f7bee40b198780777c5c7b1b3c0d49a0e AS user-libzbar
-FROM stagex/core-libzstd:sx2025.02.0@sha256:23cd975a27e218c5398efd17e1f8c491d31969ab674d3468dbf8b75ba40611ad AS core-libzstd
-FROM stagex/user-linux-airgap:sx2025.02.0@sha256:a2dbeace3ce085ba487e88b3968fea1ec29ce392f691d28c4b183e1ed9c0df4d AS user-linux-airgap
-FROM stagex/user-lzo:sx2025.02.0@sha256:b71c2944073f3fbc1fe543b9e4dfc4f59ec013a763a6209ded77b8f8bd0a33b4 AS user-lzo
-FROM stagex/user-mtools:sx2025.02.0@sha256:ea76e5f82f9833274a4438e9706779afd9b1c0b197c984c9d54c9887163ffb42 AS user-mtools
-FROM stagex/core-musl:sx2025.02.0@sha256:23d0614f60449015add2369959c89a6ea08e208302773b9a0811ce1195afc3a4 AS core-musl
-FROM stagex/user-nettle:sx2025.02.0@sha256:ec81bb00c990ceee3047632216387d350d1e753cc2a150f3d12c27872832c9ff AS user-nettle
-FROM stagex/user-npth:sx2025.02.0@sha256:82462e0c12a8d3e3196ea8b3a647e75efd6d1cc0a84b091a0bb844e0c623d9be AS user-npth
-FROM stagex/user-numactl:sx2025.02.0@sha256:b89612d78567874127522af2c73d5d0a7d5fffbb37bf4b2193affa679d7f367c AS user-numactl
-FROM stagex/user-openpgp-card-tools:sx2025.02.0@sha256:77d9f2d949548c22badbf29ff8e43a3329ef568c77c66ddbde8d9e2e2dfecb1b AS user-openpgp-card-tools
-FROM stagex/user-opensc:sx2025.02.0@sha256:985c0ea0d7ca91b0ed3b2f72c736b75f6d8a392e826f62859f2056a7222f7b75 AS user-opensc
-FROM stagex/core-openssl:sx2025.02.0@sha256:b3371fba4b4c61ddd02d97e81d0406d122a552a59f474d23822b099874690af0 AS core-openssl
-FROM stagex/user-pcsc-lite:sx2025.02.0@sha256:825708912c41d93dd38230f6f481f5876acb5b2959461504bdaa02a942f8c7b4 AS user-pcsc-lite
-FROM stagex/user-pcsc-tools:sx2025.02.0@sha256:dc609b2eb7ba44f877b481633baa86873e99739573f81fe10d5485eb5a1b4f9d AS user-pcsc-tools
-FROM stagex/user-qemu:sx2025.02.0@sha256:47653f32fb5874d91969a4b206e8f46f26f056dc2adfc88758d57208a6659b03 AS user-qemu
-FROM stagex/user-canokey-qemu:sx2025.02.0@sha256:aba3be44d4b0da2f4ee52fdc2e2cd5b4f6dd05162323015745d2fd194d3074a7 AS user-canokey-qemu
-FROM stagex/user-sdtool:sx2025.02.0@sha256:7543bbfdc39efd94820484ffdc984ec16aac29523d0533c19887d907828e7a9a AS user-sdtool
-FROM stagex/user-seabios:sx2025.02.0@sha256:03eeb1344ad5f94dccdedbb3379906b272b62e246972e9334011746c79f234cf AS user-seabios
-FROM stagex/user-sops:sx2025.02.0@sha256:dba1b3e27b0700d5160c470e2225cfe0734fe25dd1c1aef187d69e31cbb1f35e AS user-sops
-FROM stagex/core-zlib:sx2025.02.0@sha256:15860e0789afa0f3ed1bd4e9d771ecb34fbab399064f6aa69c05e71cb8822156 AS core-zlib
-FROM stagex/user-sequoia-sq:sx2025.02.0@sha256:48b9a0f425604f46a0587e6dcbf81576f32145363dcfbdb86a9c46af659996a6 AS user-sequoia-sq
-FROM stagex/user-sequoia-sq-wot:sx2025.02.0@sha256:aeedcfbe20ff38937a0157fa2047a831f187a53deb319d8bee7848cf52b0cd5f AS user-sequoia-sq-wot
-FROM stagex/core-sqlite3:sx2025.02.0@sha256:ca0e3274fbd2cdfcb418088f7147e865abe025a1cec043c1bade0f4b99185296 AS core-sqlite3
-FROM stagex/user-swtpm:sx2025.02.0@sha256:a13468396caeba89123a414500364967ac90af9541bf01b84821db487d7c7cc9 AS user-swtpm
-FROM stagex/user-syslinux:sx2025.02.0@sha256:b5e74e7384e6b1f21641296e5188073b65761724a91ae55ecaba9b7164de8c3a AS user-syslinux
-FROM stagex/user-tpm2-tools:sx2025.02.0@sha256:bf5d0c4b62dda736043843a5c59d1ed7c7aaf5e50cbcdb3976025e03384eb709 AS user-tpm2-tools
-FROM stagex/user-tpm2-tss:sx2025.02.0@sha256:816caefc95cadd4b0eaeccd0c2ee45a6093ff49ca8fa49dd3970284629523fd7 AS user-tpm2-tss
-FROM stagex/user-util-linux:sx2025.02.0@sha256:bf03b1aaa92a3877f2d2a35d2c27cf453f95545bc7c355b7d4971b58eddbf7a3 AS user-util-linux
-FROM stagex/user-xorriso:sx2025.02.0@sha256:f3b9f1eebdbc6f2e62a9d4345abb87ea81219fc4afdbdc0412a8a2110282a1a1 AS user-xorriso
-FROM stagex/core-xz:sx2025.02.0@sha256:34824f16967f6bd8ecf24c320e36dfc9cd58d5746d3c524e1b896ebdf5a2e760 AS core-xz
-FROM stagex/user-yq:sx2025.02.0@sha256:e817e39f34a7417fd151b4fb9d0d21e21242fe8dc19c0e248677426f2e478cce AS user-yq
+FROM stagex/busybox:sx2024.08.1@sha256:8cb9360041cd17e8df33c5cbc6c223875045c0c249254367ed7e0eb445720757 AS busybox
+FROM stagex/musl:sx2024.08.1@sha256:f888fcf45fabaaae3d0268bcec902ceb94edba7bf8d09ef6966ebb20e00b7127 AS musl
+FROM stagex/xorriso:sx2024.08.1@sha256:9ab45852aee077b68ea101173025be6e1cdbde93692efa4ee198e1960f02ab52 AS xorriso
+FROM stagex/syslinux:sx2024.08.1@sha256:909dcabcf13bd39b0138309f6efdeb780e01c00bf17cb1e7ee851e8b8be74d2b AS syslinux
+FROM stagex/cpio:sx2024.08.1@sha256:25afad810fbb9b1d02762030c3e43e07259a79627dbea9b66ef7f797f8377a2a AS cpio
+FROM stagex/linux-airgap:sx2024.08.1@sha256:a4fac3ca7795e171a4d1b3b634fdae1790d4f8d076f3c1ac8a38f3ece72e1ec5 AS linux-airgap
+FROM stagex/mtools:sx2024.08.1@sha256:b6202dc29906ea8d7594bce604cb676f5335cc51e75e3f12b5f619e8fc27cc28 AS mtools
+FROM stagex/xz:sx2024.08.1@sha256:f6ca72fc9096ef5f694b6b7f9b7ad323a571d9447eb5cc790042f72e69b9aad8 AS xz
+FROM stagex/eudev:sx2024.08.1@sha256:66020d28246af1d1e5f8fe3b5bca3da3cbfbd1f89cc1c616b7f8d13f61419026 AS eudev
+FROM stagex/ccid:sx2024.08.1@sha256:0f50ff4441d8b20ff73babab652fc0a563bce46385100240de4ae587012c9505 AS ccid
+FROM stagex/libusb:sx2024.08.1@sha256:c67807377fb18d2a874d975b43e37056eb4067a5be74ebf8c1f5e5ec65ae5650 AS libusb
+FROM stagex/keyfork:sx2024.08.1@sha256:bd6167d2a4a6c3b1c3f9c0accbb1fe0d5854f64997bd1d9d8d822cdf628f8baf AS keyfork
+FROM stagex/openpgp-card-tools:sx2024.08.1@sha256:088dbc336e34f16f7a8e323f114918468a7e4b13b190c43593ca7b0dffea54b4 AS openpgp-card-tools
+FROM stagex/gpg:sx2024.08.1@sha256:b5b0726171f66da437dbd24d2398cd324b96f00115770767b4f72df2547c5323 AS gpg
+FROM stagex/bash:sx2024.08.1@sha256:395e85b2f017c3fd30810d12eea5d59b015f6f5387f79bdec808ca01408cfe86 AS bash
+FROM stagex/grub:sx2024.08.1@sha256:5f382615881470e0cf9c670bead785507545a2b829b391247313f516c63355e3 AS grub
+FROM stagex/npth:sx2024.08.1@sha256:7899c399f2924c5ba0dfbce9ce6f8391e27ecd0564f0341fb85f83ba293e1ebe AS npth
+FROM stagex/libksba:sx2024.08.1@sha256:a5aac434ffd8fca96c435756fac9e300b3d06e04a15c707d09e5e8a16c0bcd89 AS libksba
+FROM stagex/libgpg-error:sx2024.08.1@sha256:e7e4797f38ba1a09ba700c91e2a5c99230f04f31e7961101a72d4e95f653f284 AS libgpg-error
+FROM stagex/libassuan:sx2024.08.1@sha256:1267bb842bcb6e8bff56e2b72599357605a5e141f76629f7e96187ae85a07197 AS libassuan
+FROM stagex/libgcrypt:sx2024.08.1@sha256:ea1906215d18688d96fc5329301af649834fe96c5eadda74c9d485623efb1f90 AS libgcrypt
+FROM stagex/jq:sx2024.08.1@sha256:0297a099ae95eed13d48bce2d4d624544857680095b6201e9919e1d5da45a6cd AS jq
+FROM stagex/yq:sx2024.08.1@sha256:10e80bd7cec3c6e0a7fd36c65bac13600368bff993ad42b03e3b787d2125e5f0 AS yq
+FROM stagex/bc:sx2024.08.1@sha256:1ecf6029ceed91dd62b08c64e49f00518edcf6c10ac4ab2fe7e8f71943607eef AS bc
+FROM stagex/zlib:sx2024.08.1@sha256:d0d6eef463a410191e086448c710441109ae72693cb074fe2b795ee033aa6c9d AS zlib
+FROM stagex/tpm2-tools:sx2024.08.1@sha256:1693d4ef7e0b7df3e9bd60088588d94b7f5bf755fde0c1be695f3c2f00ec2897 AS tpm2-tools
+FROM stagex/tpm2-tss:sx2024.08.1@sha256:5e362f43a5e0c49f774605a0e3e1b7523dc6bc775f537c206a3aaa8b8b733c93 AS tpm2-tss
+FROM stagex/openssl:sx2024.08.1@sha256:9bd55ed05263a538e6a23c0262edc356c998a24674f3b8ad008a4b117a4cdf3b AS openssl
+FROM stagex/sops:sx2024.08.1@sha256:7d8d51e41c7cab21b8ae75f557961f20405f727a21107d669080e3804d09665c AS sops
+FROM stagex/pcsc-lite:sx2024.08.1@sha256:fd9b0600f7f73f87d9d678b8b8a7119e0f9b9314c9959bd0d180c31736cb97d6 AS pcsc-lite
+FROM stagex/pcsc-tools:sx2024.08.1@sha256:d83997bda2b9500c8a4567df827a90d65efa842f9a2bb361b6f394589cf167d5 AS pcsc-tools
+FROM stagex/flashtools:sx2024.08.1@sha256:e2ac807475e66201ad50eee09bf9625ad0e97dc136818ff11775cb13a54d764b AS flashtools
+FROM stagex/libqrencode:sx2024.08.1@sha256:1927d17aaf1ad6a9910380714f0dd12c72c69f9ee1b19668bf4cc5f89cbc2b2d AS libqrencode
+FROM stagex/util-linux:sx2024.08.1@sha256:41525597d1f5648dc2318da7779e3c5194b4e6d24cb07f2f616ac539bb094d04 AS util-linux
+FROM stagex/opensc:sx2024.08.1@sha256:8da704d0078d445d3af0338764b9f3a87ba4841744c396c8eddef15466366553 AS opensc
 
 FROM scratch AS base
 ARG VERSION development
@@ -67,84 +40,48 @@ ARG GIT_TIMESTAMP null
 ARG GIT_AUTHOR null
 ARG GIT_REF null
 ARG GIT_PUBKEY null
-COPY --from=core-busybox . /
-COPY --from=core-musl . /
-COPY --from=core-xz . /
-COPY --from=user-xorriso . /
-COPY --from=user-cpio . /
-COPY --from=user-mtools . /
-COPY --from=user-grub . /
-
-FROM base AS dev
-COPY --from=core-gcc . /
-COPY --from=core-zlib . /
-COPY --from=user-glib . /
-COPY --from=user-alsa-lib . /
-COPY --from=user-lzo . /
-COPY --from=user-dtc . /
-COPY --from=user-numactl . /
-COPY --from=user-libaio . /
-COPY --from=user-libseccomp . /
-COPY --from=core-libffi . /
-COPY --from=core-libzstd . /
-COPY --from=user-libslirp . /
-COPY --from=user-seabios . /
-COPY --from=user-ipxe . /
-COPY --from=user-qemu . /
-COPY --from=user-canokey-qemu . /
-COPY --from=user-swtpm . /
-COPY --from=core-openssl . /
-COPY --from=core-curl . /
-COPY --from=user-libtpms . /
-COPY --from=user-tpm2-tss . /
-COPY --from=user-tpm2-tools . /
+COPY --from=busybox . /
+COPY --from=musl . /
+COPY --from=xorriso . /
+COPY --from=cpio . /
+COPY --from=mtools . /
+COPY --from=xz . /
+COPY --from=grub . /
 
 FROM base AS build
 
 ## Kernel
-COPY --from=user-linux-airgap /bzImage iso/boot/vmlinuz
+COPY --from=linux-airgap /bzImage iso/boot/vmlinuz
 
 ## Initramfs
-COPY --from=core-busybox . initramfs
-COPY --from=user-eudev . initramfs
-COPY --from=core-musl . initramfs
-COPY --from=core-zlib . initramfs
-COPY --from=user-npth . initramfs
-COPY --from=user-libksba . initramfs
-COPY --from=user-libgpg-error . initramfs
-COPY --from=user-libassuan . initramfs
-COPY --from=user-libgcrypt . initramfs
-COPY --from=core-bash . initramfs
-COPY --from=user-gpg . initramfs
-COPY --from=user-jq . initramfs
-COPY --from=user-yq . initramfs
-COPY --from=core-bc . initramfs
-COPY --from=user-flashtools . initramfs
-COPY --from=core-curl . initramfs
-COPY --from=user-tpm2-tools . initramfs
-COPY --from=user-tpm2-tss . initramfs
-COPY --from=core-openssl . initramfs
-COPY --from=user-libusb . initramfs
-COPY --from=user-ccid . initramfs
-COPY --from=user-pcsc-lite . initramfs
-COPY --from=user-pcsc-tools . initramfs
-COPY --from=user-libqrencode . initramfs
-COPY --from=core-gmp . initramfs
-COPY --from=core-libunwind . initramfs
-COPY --from=user-nettle . initramfs
-COPY --from=user-opensc . initramfs
-COPY --from=user-util-linux . initramfs
-COPY --from=user-sops . initramfs
-COPY --from=core-gcc /usr/lib/libgcc* initramfs/usr/lib/
-COPY --from=core-sqlite3 . initramfs
-COPY --from=user-sdtool . initramfs
-RUN chmod +x initramfs/usr/bin/sdtool
-COPY --from=user-openpgp-card-tools . initramfs
-COPY --from=user-sequoia-sq . initramfs
-COPY --from=user-sequoia-sq-wot . initramfs
-COPY --from=user-libzbar . initramfs
-COPY --from=user-keyfork . initramfs
-COPY --from=user-icepick . initramfs
+COPY --from=busybox . initramfs
+COPY --from=eudev . initramfs
+COPY --from=musl . initramfs
+COPY --from=zlib . initramfs
+COPY --from=npth . initramfs
+COPY --from=libksba . initramfs
+COPY --from=libgpg-error . initramfs
+COPY --from=libassuan . initramfs
+COPY --from=libgcrypt . initramfs
+COPY --from=keyfork . initramfs
+COPY --from=bash . initramfs
+COPY --from=gpg . initramfs
+COPY --from=jq . initramfs
+COPY --from=yq . initramfs
+COPY --from=bc . initramfs
+COPY --from=flashtools . initramfs
+COPY --from=tpm2-tools . initramfs
+COPY --from=tpm2-tss . initramfs
+COPY --from=openssl . initramfs
+COPY --from=libusb . initramfs
+COPY --from=ccid . initramfs
+COPY --from=pcsc-lite . initramfs
+COPY --from=pcsc-tools . initramfs
+COPY --from=openpgp-card-tools . initramfs
+COPY --from=libqrencode . initramfs
+COPY --from=opensc . initramfs
+COPY --from=util-linux . initramfs
+COPY --from=sops . initramfs
 COPY rootfs/ initramfs
 COPY <<-EOF initramfs/etc/environment
     export VERSION="$VERSION"
@@ -204,7 +141,7 @@ EOF
 
 ## Syslinux (BIOS Boot)
 COPY config/syslinux.cfg iso/boot/syslinux/
-COPY --from=user-syslinux \
+COPY --from=syslinux \
     /usr/share/syslinux/isohdpfx.bin \
     /usr/share/syslinux/isolinux.bin \
     /usr/share/syslinux/ldlinux.c32 \
@@ -216,10 +153,10 @@ COPY --from=user-syslinux \
 ## Build Hybrid EFI/BIOS ISO
 FROM build AS install
 ENV SOURCE_DATE_EPOCH=1
+# --set_all_file_dates='1'
+# --modification-date='1970010100000000' \
 RUN <<-EOF
     set -eux
-    dd if=/dev/zero bs=1M count=10 >> user.img
-    mformat -v user -i user.img -N 0 ::
     find iso -exec touch -hcd "@0" "{}" +
     xorrisofs \
         -output airgap.iso \
@@ -239,10 +176,31 @@ RUN <<-EOF
         -no-emul-boot \
         -isohybrid-gpt-basdat \
         -follow-links \
-        -append_partition 3 0xb user.img \
         iso/
 EOF
 
+# Need sfdisk from util-linux
+COPY --from=util-linux . .
+RUN <<-EOF
+    set -eux
+    # Increase the size of the ISO by 512 MB to create space for the third partition
+    dd if=/dev/zero bs=1M count=512 >> airgap.iso
+
+    # Append a new partition that uses the additional space
+    echo ", +" | sfdisk --append airgap.iso
+
+    # Set the newly added third partition to FAT32
+    sfdisk --part-type airgap.iso 3 b
+
+    # Calculate the byte offset of the third partition
+    # This is done by finding the end of the first partition using fdisk, adding 1 sector, 
+    # and multiplying by 512 (since each sector is 512 bytes).
+    OFFSET=$(fdisk -l airgap.iso | awk '/^airgap.iso1/ {print ($4 + 1) * 512}')
+
+    # Format the third partition as FAT32 and label it 'USER'
+    mformat -v USER -i airgap.iso@@$OFFSET ::
+EOF
+
 ## Minimal Autorun SD card image
 COPY sdcard sdcard
 RUN <<-EOF

Makefile

@@ -1,21 +1,17 @@
 VERSION := development
 GIT_REF := $(shell git log -1 --format=%H)
 GIT_AUTHOR := $(shell git log -1 --format=%an)
-GIT_PUBKEY := $(shell git log -1 --format=%GK)
+GIT_PUBKEY := $(shell git log -1 --format=%GP)
 GIT_TIMESTAMP := $(shell git log -1 --format=%cd --date=iso)
-EFI := false
-,:=,
 export
 
 ## Use env vars from latest release when reproducing
 ifdef REPRODUCE
-	include dist/release.env
-	export
+include dist/release.env
+export
 endif
-
-## Prevents use of caching when building docker image
 ifdef NOCACHE
-	NO_CACHE := --no-cache
+NO_CACHE := --no-cache
 endif
 
 .DEFAULT_GOAL :=
@@ -44,57 +40,52 @@ out/airgap.iso: Containerfile $(shell git ls-files rootfs)
 
 ## Development Targets
 
-out/dev-shell.digest: Containerfile | out
-	docker build --target dev -f Containerfile -q . > $@
-
-.PHONY: shell
-shell: out/dev-shell.digest
-	docker run -it $(shell cat $<) /bin/sh
-
 .PHONY: vm
-vm: out/dev-shell.digest out/airgap.iso out/sdcard.img
-	docker run -it -v ./out:/out $(shell cat $<) sh -c "\
-		swtpm socket \
-			--tpmstate dir=. \
-			--ctrl type=unixio,path=vtpm-sock \
-			--tpm2 & \
-		qemu-system-x86_64 \
-			-m 4G \
-			-machine pc \
-			-chardev socket,id=chrtpm,path=vtpm-sock \
-			-usb -device canokey,file=/out/canokey-file \
-			-tpmdev emulator,id=tpm0,chardev=chrtpm \
-			-device tpm-tis,tpmdev=tpm0 \
-			-usb \
-			-device sdhci-pci \
-			-device sd-card,drive=external \
-			-drive id=external,if=none,format=raw,file=out/sdcard.img \
-			-device usb-storage,drive=usbdrive \
-			$(if $(filter $(EFI),true) ,\
-				-bios /usr/share/ovmf/OVMF.fd \
-				-drive id=boot$(,)if=virtio$(,)format=raw$(,)file=out/airgap.iso \
-			,\
-				-drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
-				-boot order=c \
-			) \
-			$(if (,$(wildcard /dev/kvm)),,-cpu host --accel kvm) \
-			-nographic; \
-		"
+vm: vm-bios
 
-## Release, Signing, Verification, and Reproduction Targets
+.PHONY: vm-bios
+vm-bios: out/airgap.iso
+	qemu-system-x86_64 \
+		-m 4G \
+		-machine pc \
+		-serial stdio \
+		-usb \
+		-device sdhci-pci \
+		-device sd-card,drive=external \
+		-usbdevice tablet \
+		-drive id=external,if=none,format=raw,file=out/sdcard.img \
+		-display gtk,show-menubar=off,zoom-to-fit=on \
+        -device usb-storage,drive=usbdrive \
+        -drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
+		-boot order=c
+
+.PHONY: vm-efi
+vm-efi: out/airgap.iso
+	qemu-system-x86_64 \
+		-m 4G \
+		-machine pc \
+		-serial stdio \
+		-bios /usr/share/ovmf/OVMF.fd \
+		-usb \
+		-device sdhci-pci \
+		-device sd-card,drive=external \
+		-usbdevice tablet \
+		-drive id=external,if=none,format=raw,file=out/sdcard.img \
+		-display gtk,show-menubar=off,zoom-to-fit=on \
+        -device usb-storage,drive=usbdrive \
+        -drive id=usbdrive,if=none,format=raw,file=out/airgap.iso \
+		-boot order=c
+
+## Signing, Verification, and Release Targets
 
 .PHONY: clean
 clean:
 	rm -rf out
 
-.PHONY: update
-update:
-	python3 src/update.py
-
 .PHONY: release
 release: clean
-	$(MAKE) NOCACHE=1 VERSION=$(VERSION)
 	rm -rf dist/*
+	$(MAKE) NOCACHE=1 VERSION=$(VERSION)
 	cp -R out/release.env out/airgap.iso out/manifest.txt dist/
 
 .PHONY: sign
@@ -133,7 +124,7 @@ out/release.env: $(shell git ls-files) | out
 	echo 'VERSION=$(VERSION)'              > out/release.env
 	echo 'GIT_REF=$(GIT_REF)'             >> out/release.env
 	echo 'GIT_AUTHOR=$(GIT_AUTHOR)'       >> out/release.env
-	echo 'GIT_PUBKEY=$(GIT_PUBKEY)'       >> out/release.env
+	echo 'GIT_PUBKEY=$(GIT_PUBKEY)'             >> out/release.env
 	echo 'GIT_TIMESTAMP=$(GIT_TIMESTAMP)' >> out/release.env
 
 out/manifest.txt: out/airgap.iso out/release.env | out

README.md

@@ -57,7 +57,7 @@ make release
 ### Reproduce an existing release
 
 ```
-make reproduce 
+make attest
 ```
 
 ### Sign an existing release
@@ -128,46 +128,3 @@ make vm
 ```
 make shell
 ```
-
-## Hardware Compatibility ##
-
-### Tested Models
-
-* Purism Librem 14
-
-* HP 13" Intel Celeron - 4GB Memory - 64GB eMMC, HP 14-dq0052dx, SKU: 6499749, UPC: 196548430192, DCS: 6.768.5321, ~USD $179.99
-
-* Lenovo 14" Flex 5i FHD Touchscreen 2-in-1 Laptop - Intel Core i3-1215U - 8GB Memory - Intel UHD Graphics, SKU: 6571565, ~USD $379.99
-
-### Disabling Secure Boot 
-
-AirgapOS can't be booted using secure boot. Therefore it has to be disabled. Alternative systems like Heads may be used.
-
-#### Instructions to Disable Secure Boot in BIOS
-
-1. Restart your computer
-
-2. **Enter BIOS/UEFI Setup**:
-   - As your computer starts up, press the appropriate key to enter the BIOS/UEFI setup. Common keys include:
-     - **F2** (Dell, Acer, Lenovo)
-     - **Delete** (ASUS, MSI)
-     - **F10** (HP)
-     - **Esc** (Some systems)
-   - You may see a prompt on the screen indicating which key to press
-
-3. **Navigate to the Secure Boot Option**:
-   - Once in the BIOS/UEFI setup, use the arrow keys to navigate through the menus. Look for a tab or section labeled **"Boot," "Security,"** or **"Authentication."**
-   - The exact location of the Secure Boot option can vary, so you may need to explore a bit
-
-4. **Locate Secure Boot**:
-   - Find the **Secure Boot** option within the selected menu. It may be listed as **"Secure Boot Control"** or simply **"Secure Boot."**
-
-5. **Disable Secure Boot**:
-   - Select the Secure Boot option and change its setting to **Disabled**. This is usually done by pressing **Enter** and then selecting **Disabled** from the options.
-
-6. **Save Changes and Exit**:
-   - After disabling Secure Boot, navigate to the **Exit** tab or section.
-   - Choose the option to **Save Changes and Exit**. Confirm any prompts that appear to save your changes.
-
-7. **Reboot Your Computer**:
-   - Your computer will restart. Secure Boot should now be disabled.

config/grub.cfg

@@ -1,5 +1,5 @@
 set timeout=1
 menuentry "Linux Airgap" {
-    linux /boot/vmlinuz init=/init console=ttyS0 console=tty0 ro loglevel=3
+    linux /boot/vmlinuz init=/init console=ttyS0 console=tty0 ro
     initrd /boot/initramfs
 }

dist/manifest.36C8AAA9.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAma0fbsACgkQjkeh7DWh
+VR0lYBAAsjKcqgoSM73lck4gSga3CWtTfZ/k7azr98HnUw5InTyTwvna2sRGL3jb
+Q0pUhrPVQVmjXSyxD/hR/uLuiAfUn2Gyhp1MZS3C7jmFcRsxCJzNbByv/2bUS2+U
+5TaCoxmM8SdxTqcBIyYylKzZ4ub0t3bCWUt2uPqdSqslgEReeqbzzE3jpmiUfmHE
+daaZhZa3iPEr7vqq00jUGFuSEdxQCQkty0nZHzfGhHwbliiUGyH6/bb+u4v5eGYH
+VEyRq0CWFgw5sywpSf3UZjR0fkd0do9z6Li1ggN2GV63I4oT3L1LltcMXtgfMp+B
+SA3gz7/mJsMqM6H2ZWqUgJAZw/mZCGStftSnOTKdyEtpzagNNeePa5f4kM1ZuHF6
+ehSl1nbnCeCPfedS8+oUm3v8qWiFLXz4tmYvBnfDWaUXIYpNOrvJPtatdinTNRfl
+nglyEt6Olc+3vEqkrEl7JFu13Gl92mbuhhelKjM/VDheHBUZ6yrso1aLbyruO+wm
+RxL3pQSCNfAnIQpSdkXga5gVvbZDDISBast3qHFuZaZFbo2p24hw0HnLAfyCrxgF
+JnN3x2qqRlTzQSrVr4EEXUwUqpt5LlnQ3kDLNVYhXuqTdmyETj1YGnAXkqV/D+Z7
+B7hlDdddXI5d0yDoYPAmF9N7XJCasdfutnO/8IfZ/eE989jYybE=
+=eruT
+-----END PGP SIGNATURE-----

dist/manifest.8E401478A3FBEF72.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEiII6deyqeGsP84sUjkAUeKP773IFAma0f0IACgkQjkAUeKP7
+73I33w//SaGbbM9z8SYsWhii1SBnfs6NVQSwdBoO20C4gFdmZkPVDak3QoCAioaC
+GjlEOEDb7SXfWi3n2z72P97dswN6dG1IxQKR1N913IWzUUEXGR0phaC+o0P1/f74
+MXrcUDLwwJwZsA/0zMV6gHvONEqwgmfEO4WrEB/Ty7ueoJjsmQ2oauWytlh8CVDR
+3HFwiVoAjRC2d0vKj0eL2n9pNQNEYKb+oJ/gq3sk2L8qPs1vThQguHADvqmi6V3w
++4tZqviksPXb+sve3VTsKFDbd5AXvcRY4TbPawQ5W7Aa6iK9W/yA10+zXvcHoGrA
+6iMR94yI9eprBkqoeoxr2MHPk+8d9xXB16hY/h+OCPibkFFfPST9GDFcp0nk1JFH
+b0bbpanBsxwN3IxTAL0a7iD2nxftZHjgiZib1lhdhLg35o9iou1V0fRPwdjepS3o
+2TBvKhtNncUW/87ZhxhdkTI/iUvS0iem3KHUQXkM+ziOC5zGf+PYvMCuy2P0oSei
+731aVOgxKbpEZHY0pTkuqG7U4+RWZ+KJEnxETcZWoCeY9DW/u2Dx5hukeZJbvmUo
+111vBoziyocgKvKi5S3ctZaAwm2wNsE0TU/o5u9+Q5ST1wgsKJF+F0laCUQcDPwM
+UyM5VznH31pChrlzRiUcsm0lMvDkx+JfTSBPOgzABMAcQ3YuTSk=
+=e+q6
+-----END PGP SIGNATURE-----

dist/manifest.DC4B7D1F52E0BA4D.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4QZ4HgB6uRyYnbMyRKhs/x/fDoUFAmfCNtYACgkQRKhs/x/f
-DoVzmQ//cLQHFTu/EbgxbS8qgVv+kuVR7+KPAxDyY89pIKdTrKWzfrUvY+A3YfS0
-hsXhehjmVNzaxFxWQvZ+iRBMSv3ypR/6/ui5DwpalLlnlWiFFlW/0lYakpuR1oa3
-iq2CrlN9QdZ5de2jJXJilIYlkWRgyj8HQ/p3d+XzNLQ4Wtl9m8kQTSZ0tnfWDCi5
-dFf+y7VjlgQSAwsC8T21zbH7P0ZwkaUhd8+ybEVB4oazZaMUdr0Zftu1Snp432Yu
-PKeJWT+8RsrTr57Hvf0JFTTbJKyAqe+3VbwRV66FOn2ycxCyJT6JuRJ/SzmhiCRu
-YeYdev7LEZFIUKoTSWL51DdyQfOuw+oC3v28c8hSDlwT/KD+x/JFbAI5+ln1O+HY
-LjB+bDeE0bD4oWHrJn3hul+iKeFjXpfj8gYqURJuF+IJ0epOv1G2JB8brzM9vtJK
-Sgu0A0kvOTpzdvyHALeHY6OtUlgD8dG/wuD/mheR242f4OjDfxcVM5Y966waCxMb
-jwgdS8sBAn417ZNAtw6biUmx3W8qdYsDzYJS4kvkWeqsUS8KtfV2b3RAlNkrxUsR
-sBhB6opEEzzpbMgXhRcS2mA+PDQGSksE09tTOlxuwtmYeXTowspVTzcnGgXcFyb+
-mpBD+uRwR2FBcKSiqlNA3XHIMLDYb3gx7RvmroHeqqtAkQPAALc=
-=8hAc
------END PGP SIGNATURE-----

dist/manifest.E90A401336C8AAA9.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAmfBsAQACgkQjkeh7DWh
-VR2Gbg/+N80OV8+qrnamiy2p7IlAvfWi5sepTTDTjL+jXNb9DdIaUIPSFFe0bBf8
-hp75G/y7gZpuubuy8n4hKf0j2IeIZez9j+HDGicAIcdSaNij4aES65r6w7xi2AAn
-s4dWw+yJSymni24iwQkP6csu0ja+aauB7/0U6VHtL4w2GxjcXGZU0FXToQ6fB8hv
-TavjBlyv5D/a9QKdyaNulEYMF7fvpxe+lMoF4miq3goLiI3DuFM+NH5P48nN1W4G
-AHH9OUHFRMBdZUGTYF4i5KJGNnfryRIR99J3L2n9xKetwOpz8bLxinjEZG8tjws5
-RQ3IlwvW/6jNSDt2zU6dk1DKYx3inndlA9BvJtkrksig/OB9HaxosjrOaI267OCc
-iM7xNIZQxJJ9UTOSA5Q1QTHxu2wzYL6GaHlilD7RZEZn0X4O4JveH3zeCdLwMk2l
-kf27XbFxLMf/7q8ekPJl791pPBRD6A+v0FNw8WedgQwd/Pdg9qTerRoVKXsmCUGr
-tXBiobDnZ2daE5iB96PGJsACE+Jat+QEwWrE3V3ILun9ewu3TP5LUQMYEktS0UHd
-fFdXO790GK+TZKvyJ0z7J0VBoGHS+D/1G35VLAHyNQXULOYK56GKwpwZeHVWykVt
-h7cnGBwo+IfdMTYN6h7U9l35nj06HtRbylB2VVZdtWV3FediqSg=
-=9U0u
------END PGP SIGNATURE-----

dist/manifest.txt

@@ -1,2 +1,2 @@
-46c1b23cadb6c03b175e713d91b809c91a2768273249b1bd2506d05307dff9de airgap.iso
-c09b5ab32791fa001c004e7b59cd0a6f0f9f3a3503cb600a8ec2c19d2e2b00c1 release.env
+fe92783ef775ccc5e32baefb26f951b7f37ed26ecbb4601a068e20b31bebadbb airgap.iso
+b714c963bd8b1f3a38295821f0a3521bc64f97c1023c49d22a2e7433385b1a09 release.env

dist/release.env

@@ -1,5 +1,5 @@
-VERSION=2025.02.0
-GIT_REF=dca180550e7b317938f40793aacbbbeede216b9f
+VERSION=2024.8.1
+GIT_REF=ea623cc147741b0a753ce4ea7aabe512df9a2ef9
 GIT_AUTHOR=Lance R. Vick
-GIT_PUBKEY=8E47A1EC35A1551D
-GIT_TIMESTAMP=2025-02-28 04:26:59 -0800
+GIT_PUBKEY=6B61ECD76088748C70590D55E90A401336C8AAA9
+GIT_TIMESTAMP=2024-08-08 00:34:41 -0700

rootfs/etc/init.d/S01syslogd

@@ -13,7 +13,7 @@ SYSLOGD_ARGS=""
 start() {
 	printf 'Starting %s: ' "$DAEMON"
 	# shellcheck disable=SC2086 # we need the word splitting
-	start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/bin/$DAEMON" \
+	start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/sbin/$DAEMON" \
 		-- -n $SYSLOGD_ARGS
 	status=$?
 	if [ "$status" -eq 0 ]; then

rootfs/etc/init.d/S02klogd

@@ -13,7 +13,7 @@ KLOGD_ARGS=""
 start() {
 	printf 'Starting %s: ' "$DAEMON"
 	# shellcheck disable=SC2086 # we need the word splitting
-	start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/bin/$DAEMON" \
+	start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/sbin/$DAEMON" \
 		-- -n $KLOGD_ARGS
 	status=$?
 	if [ "$status" -eq 0 ]; then

rootfs/etc/inittab

@@ -13,7 +13,6 @@
 ::sysinit:/bin/mount -t sysfs sysfs /sys
 ::sysinit:/bin/mount -t proc proc /proc
 ::sysinit:/bin/mount -o remount,rw /
-::sysinit:/bin/mkdir /var/log
 null::sysinit:/bin/ln -sf /proc/self/fd /dev/fd
 null::sysinit:/bin/ln -sf /proc/self/fd/0 /dev/stdin
 null::sysinit:/bin/ln -sf /proc/self/fd/1 /dev/stdout
@@ -21,12 +20,12 @@ null::sysinit:/bin/ln -sf /proc/self/fd/2 /dev/stderr
 # now run any rc scripts
 ::sysinit:/etc/init.d/rcS
 
-# Put shells on the serial terminal and console
-console::respawn:-/bin/bash
-ttyS0::respawn:-/bin/bash
+# Put a getty on the serial port
+#console::respawn:/sbin/getty -L  console 0 vt100 # GENERIC_SERIAL
+::respawn:-/bin/bash
 
 # Stuff to do for the 3-finger salute
-::ctrlaltdel:/sbin/reboot
+#::ctrlaltdel:/sbin/reboot
 
 # Stuff to do before rebooting
 ::shutdown:/etc/init.d/rcK

rootfs/etc/profile

@@ -2,7 +2,6 @@ export EDITOR=/bin/vi
 export PATH="/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
 export PS1="[\h \t] \\$ "
 export GNUPGHOME=/.gnupg
-export XDG_RUNTIME_DIR=/tmp
 source /etc/environment
 cd /root
 clear

src/update.py

@@ -1,29 +0,0 @@
-#!/usr/bin/env python3
-from requests import Session
-from fileinput import FileInput
-
-target = "Containerfile"
-source = "https://codeberg.org/stagex/stagex/raw/branch/main/digests/"
-stages = ["core","user","bootstrap"]
-
-digests = {}
-for stage in stages:
-    response = Session().get(f"{source}{stage}.txt")
-    for line in response.iter_lines():
-        if not line:
-            continue
-        digest,name = line.decode("utf-8").split(" ")
-        digests[name] = digest
-
-with FileInput(target, inplace=True, backup='.bak') as f:
-    for line in f:
-        if line.startswith("FROM stagex/"):
-            name = line.split("/")[1].split(":")[0]
-            tag = line.split(":")[1].split("@")[0]
-            if name not in digests:
-                for stage in stages:
-                    if f"{stage}-{name}" in digests:
-                        name = f"{stage}-{name}"
-            print(f"FROM stagex/{name}:{tag}@sha256:{digests[name]} AS {name}")
-        else:
-            print(line,end='')