Skip to content
This repository was archived by the owner on Jan 22, 2026. It is now read-only.
This repository was archived by the owner on Jan 22, 2026. It is now read-only.

Constellation images are not reproducible #3465

Open
Open
Constellation images are not reproducible#3465
Assignees
burgerdev
Labels
bugSomething isn't workingknown issueThis is a known issue of the latest release
@burgerdev

Description

@burgerdev
burgerdev
opened on Oct 30, 2024

Issue description

The build process for the constellation images is not deterministic.

During image creation, we add an additional system user etcd to the user database. The user's shadow entry contains a date of last password change which is set to the date of the build. This results in a different rootfs, a different dm-verity tag and different image measurements.

Workaround

  1. Stick close to the reproducible builds workflow.

  2. Check out the commit prior to the tagged commit to be verified:

    git checkout v2.19.0~1

  3. Modify the build process to use a static "last changed" date for the password (the date of the release commit).

    git apply <<EOF
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
index 9028b8376..2928787f1 100644
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@@ -30,6 +30,7 @@ copy_to_directory(
     mkosi_image(
         name = "base_" + kernel_variant,
         srcs = [
+            "mkosi.finalize",
             "mkosi.postinst",
             "mkosi.prepare",
         ] + glob([
diff --git a/image/base/mkosi.finalize b/image/base/mkosi.finalize
new file mode 100755
index 000000000..f832f5d0a
--- /dev/null
+++ b/image/base/mkosi.finalize
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+# Disable password age for Constellation sysusers.
+tmp=\$(mktemp)
+cp -a "\${BUILDROOT}/etc/shadow-" "\${tmp}"
+mkosi-chroot chage -d "$(date -d "$(git log -1 --format=%ad --date=short)" +%s | awk '{print int($1/86400+0.5)}')" etcd
+cp -a "\${tmp}" "\${BUILDROOT}/etc/shadow-"
EOF

  4. Build the release images:

    bazel build //image/system:stable

  5. Calculate the expected measurements for the local images and compare with the measurements configured by constellation config fetch-measurements.

    bazel run --run_under sudo //image/measured-boot/cmd -- bazel-bin/image/system/$IMAGE/constellation.raw /tmp/measurements.json

Version

This affects v2.19.0 and older releases.

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingknown issueThis is a known issue of the latest release

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions