commit 5190c478076ae4f4923dd6de7b7e0d9f213139ed Author: Kim Davies Date: Thu Jul 12 14:34:25 2018 -0700 First public release (v0.4.0)
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..06cb9f2
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,34 @@
+FROM debian:9.4-slim@sha256:91e111a5c5314bc443be24cf8c0d59f19ffad6b0ea8ef8f54aedd41b8203e3e1
+
+ENV DEBIAN_FRONTEND noninteractive
+
+COPY create-iso.sh .
+COPY variables.sh .
+COPY SHA256SUMS .
+COPY tools/ /tools/
+
+RUN sha256sum -c SHA256SUMS
+
+RUN . ./variables.sh && \
+ rm -f /etc/apt/sources.list && \
+ echo "deb http://snapshot.debian.org/archive/debian/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') $DIST main" >> /etc/apt/sources.list && \
+ echo "deb http://snapshot.debian.org/archive/debian/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') "$DIST"-updates main" >> /etc/apt/sources.list && \
+ echo "deb http://snapshot.debian.org/archive/debian-security/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') "$DIST"/updates main" >> /etc/apt/sources.list
+
+RUN apt-get update -o Acquire::Check-Valid-Until=false && \
+ apt-get install -o Acquire::Check-Valid-Until=false --no-install-recommends --yes \
+ liblzo2-2 xorriso debootstrap \
+ locales && \
+ sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen && \
+ locale-gen en_US.UTF-8
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN dpkg-reconfigure locales
+
+RUN dpkg -i /tools/squashfs-tools_4.3-3.0tails4_amd64.deb && \
+ dpkg -i /tools/debuerreotype_0.7-1_all.deb
+
+CMD ["/create-iso.sh"]
diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..8f18e19
--- /dev/null
+++ b/LICENSE.md
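Review bot: `ENV DEBIAN_FRONTEND noninteractive` and the three `ENV LANG`/`LANGUAGE`/`LC_ALL` lines use the deprecated space-separated form, and DEBIAN_FRONTEND is a build-time setting that here persists into the container that later runs create-iso.sh; prefer `ENV DEBIAN_FRONTEND=noninteractive`, or better set it inline on the apt-get RUN. The `RUN sha256sum -c SHA256SUMS` step deserves a comment stating what it establishes: SHA256SUMS arrives from the same build context as the files it lists, so the check catches drift between the scripts, the vendored .deb files and the manifest, while the trust anchor for the inputs remains the git commit itself. Nothing sets WORKDIR, so the `COPY … .` targets, the relative `./` paths in SHA256SUMS and `CMD ["/create-iso.sh"]` (whose `source ./variables.sh` is relative) all rely on the default working directory being `/`; an explicit `WORKDIR /` would make that dependency visible to the next maintainer.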
@@ -0,0 +1,14 @@ +Copyright (c) 2018 Internet Corporation for Assigned Names and Numbers +("ICANN") + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED “AS IS" AND ICANN DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ICANN BE LIABLE FOR ANY +SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..812ae35 --- /dev/null +++ b/Makefile @@ -0,0 +1,30 @@ +RELEASE = 0.4.0 + +.PHONY: usage build remove run copy all default + +usage: + @echo "Please provide an option:" + @echo " make build --- Build the COEN ISO image" + @echo " make run --- Run a container to build the ISO image" + @echo " make remove --- Remove the container" + @echo " make copy --- Copy the ISO image into the host directory" + @echo " make all --- Execute build, remove, run and copy" + +build: + docker build -t coen:$(RELEASE) . + +remove: + -docker rm coen + +run: + docker run -i -t \ + --privileged \ + --name=coen \ + coen:$(RELEASE) + +copy: + -docker cp coen:/opt/coen-${RELEASE}-amd64.iso . + +all: build remove run copy + +default: usage diff --git a/README.md b/README.md new file mode 100644 index 0000000..3a4f159 --- /dev/null +++ b/README.md 
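Review bot: The `--privileged` flag in the `run` target is not explained anywhere in the Makefile; it gives the build container the host's full capabilities and device access, which debuerreotype/debootstrap presumably need for their chroot mounts, but a reader cannot tell that from the recipe. A one-line comment above the target such as `# --privileged: debuerreotype needs mount/chroot rights inside the container; build on a dedicated host or VM` would document both the requirement and its consequence. The `copy` target also uses `${RELEASE}` while every other target uses `$(RELEASE)`; both are valid Make syntax, but the mix reads as a typo.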
@@ -0,0 +1,126 @@ +# Ceremony Operating ENvironment (COEN) + +COEN is a live operating system consisting of: + +- A custom Debian GNU/Linux Live CD +- The [Key Management Tools](https://github.com/iana-org/dnssec-keytools) +- The AEP Keyper PKCS#11 provider +- Assorted utilities. + +## Reproducible ISO image to make The Root Zone DNSSEC Key Signing Key Ceremony System more Trustworthy + +This **Reproducible** ISO image provide a verifiable process to obtain the same +hash every time at build the ISO image to increase the confidence in the DNSSEC Key +Signing Key (KSK) for the Root Zone. + +### What are reproducible builds? + +Quoted from https://reproducible-builds.org + +> Reproducible builds are a set of software development practices that create a +verifiable path from human readable source code to the binary code used by +computers. +> +> Most aspects of software verification are done on source code, as that is what +humans can reasonably understand. But most of the time, computers require +software to be first built into a long string of numbers to be used. With +reproducible builds, multiple parties can redo this process independently and +ensure they all get exactly the same result. We can thus gain confidence that a +distributed binary code is indeed coming from a given source code. + +## Acknowledgments + +This project cannot be possible without: +- The [Reproducible Builds](https://reproducible-builds.org/) project +- [Debian as trust anchor](https://wiki.debian.org/ReproducibleBuilds) +- [Debuerreotype](https://github.com/debuerreotype/debuerreotype) a reproducible, snapshot-based Debian rootfs builder ([License](https://github.com/debuerreotype/debuerreotype/blob/master/LICENSE)) +- (The Amnesic Incognito Live System)[https://tails.boum.org/index.en.html] ([License](https://tails.boum.org/doc/about/license/index.en.html)) + +## Requirements for building the ISO image + +Building the ISO image requires: + +* [Docker](https://www.docker.com/). 
The recommended Docker version is 18.03. +* SELinux to be disabled. SELinux must be completely disabled rather than with **permissive mode** since the behave is differently. + +### Disabling SELinux + +If you are running a Red Hat based distribution, including RHEL, CentOS and +Fedora, you will probably have the SELinux security module installed. + +To check your SELinux mode, run `sestatus` and check the output. + +If you see **enforcing** or **permissive** on *"Current mode"*, SELinux is +enabled and enforcing rules or is enable and log rather than enforce errors. + +> **Warning** before proceeding with this, disabling SELinux also disables the +generation of file contexts so an entire system relabeling is needed afterwards. + +To disable SELinux: + +- Edit `/etc/sysconfig/selinux` or `/etc/selinux/config` depending of your distro +- Set the `SELINUX` parameter to `disabled` +- For the changes to take effect, you need to **reboot** the machine, since +SELinux is running within the kernel +- Check the status of SELinux using `sestatus` command + +## Building the ISO image + +Execute the following commands to build the ISO image: + +``` +git clone https://github.com/iana-org/coen && \ +cd coen && \ +make all +``` +* If you have a error executing `make all` as a non-root user, try to +execute `sudo make all`. + +This will build a docker image with the proper environment to build the +ISO. Then will run a container executing a bash script to build the ISO and +if the build succeeded it will copy the resulting ISO into the host directory. + +You can execute `make` command to see more options. + +## Contributing + +### If the build failed + +Please send us an issue report at https://github.com/iana-org/coen with the error +that is displayed in your terminal window. + +### If the reproduction succeeded + +Congrats for successfully reproducing the ISO image! 
+ +You can compute the SHA-256 checksum of the resulting ISO image by yourself: + +``` +sha256sum coen-0.4.0-amd64.iso +``` +or +``` +shasum -a 256 coen-0.4.0-amd64.iso +``` + +Then, comparing it with the following checksum: + +``` +8105b885b176741d25ef9d391c6a302aed3f6c916093a621a865cb90d560774f coen-0.4.0-amd64.iso +``` + +### If the reproduction failed + +Please help us to improve it. You can install `diffoscope` https://diffoscope.org/ +and download the image from: +https://github.com/iana-org/coen/releases/tag/v0.4.0-20180311 +and then compare it with your image executing the following command: + +``` +diffoscope \ + --text diffoscope.txt \ + path/to/public/coen-0.4.0-amd64.iso \ + path/to/your/coen-0.4.0-amd64.iso +``` +Please send us an issue report at https://github.com/iana-org/coen attaching the +diffoscope.txt file. diff --git a/SHA256SUMS b/SHA256SUMS new file mode 100644 index 0000000..c160644 --- /dev/null +++ b/SHA256SUMS 
@@ -0,0 +1,24 @@ +f9fd8d851d5a855cfa97eafe062418fb97e9cb574bab77326e9a34f9e8aa2c98 ./create-iso.sh +c93b498e8599dd2368ae92622aee2342a312f84ae216eb2ece659fa9e4864ca3 ./tools/debuerreotype_0.7-1_all.deb +dbed950a8b2e9c35dd76002e414268697a4b84749625753266c13bfbfa5eccb8 ./tools/hooks/00-install-ksk-packages.sh +fa97bedd94635866336547f7f5c2aaeff10e8533ed86e4819d3820d8ccb1c862 ./tools/hooks/01-fix-fontconfig-cache.sh +86441e5494f5444c4d14c6e78d0250d86706e4422fc030d538197b0a60ddf5bf ./tools/hooks/02-fix-initramfs-tools.sh +fc6ad08b3d8d5fd08e64e031b31766355a6faa4249971fca17fd382f42318df1 ./tools/hooks/03-fix-gtk-immodules-cache.sh +76b8539898c19f12f9f1ef26da6b1514cb44dfd2b79f34ae81f2494259a763d6 ./tools/hooks/04-fix-gdk-pixbuf-glib2.0-shadow.sh +b0cb9c6e8ca58353afc5643ba184fc24a501c6f091c354b720ecce736171a951 ./tools/hooks/05-fix-non-reproducible-files.sh +72e4e673e75466fddd5f3964e3db3f941e0d40214ec37f167fe425b33e60e1c0 ./tools/mksquashfs-excludes +390fdc4c915aeed379196335e672d6a9af6677e6d675093f8855c85953aae246 ./tools/packages/fontconfig-config_2.11.0-6.7.0tails4_all.deb +892a2c0b4f8e4874161165cb253755b3bd695ce238b30c3b8e5447ff269c2740 ./tools/packages/fontconfig_2.11.0-6.7.0tails4_amd64.deb +01db265c90f351367c73cd7ecedeca2f490374579320c5240feecdc70040917e ./tools/packages/gir1.2-gtk-3.0_3.22.11-1.0tails1_amd64.deb +4e49e6161a93424700ced09d0225574d3f6dd406ba9f9e14c36a50e870faab16 ./tools/packages/gtk-update-icon-cache_3.22.11-1.0tails1_amd64.deb +db1d9dcd6d0c9587136c5a65419ee9eaa7a8a20c163dd2718cd826056a893819 ./tools/packages/initramfs-tools-core_0.130.0tails1_all.deb +36c39407b505015a80e666726018edad37211d594b862238475d59d3de4e0da9 ./tools/packages/initramfs-tools_0.130.0tails1_all.deb +93e954744ec11e1d6837a792e26cc93b88f0735f7184337c4e65babca65503ab ./tools/packages/ksk-tools-0.1.0coen_amd64.deb +2080347093bc714b92d2f02e9c19e51ca23804776c2b52958c25630330b25f1d ./tools/packages/ksk-xfce-custom-0.1.0coen_amd64.deb 
+933adbbead4fd8ced095b5f43fd82b092298aaf95436d8b051b2ee9a4abee917 ./tools/packages/libfontconfig1_2.11.0-6.7.0tails4_amd64.deb +a8946b779ccf305da8dadefa9d7d9402ccfe756246dd70a251e4375076a83648 ./tools/packages/libgtk-3-0_3.22.11-1.0tails1_amd64.deb +605e3c77857d9c55932c7f497f56c70d46af65af59600e5507f42aea3832a848 ./tools/packages/libgtk-3-common_3.22.11-1.0tails1_all.deb +a0ae2652c5ca8461752f17ab22aa385c588481351b7b4aeb199a3d23d6479c34 ./tools/packages/libgtk2.0-0_2.24.31-2.0tails1_amd64.deb +0862890d70bafeb6b4a7a1c1da05c90569e0147522d6526fad6d146d6335b79f ./tools/packages/libgtk2.0-common_2.24.31-2.0tails1_all.deb +5c7ab880233139bc213d2ef214dc6c433eac488eaa51f8d59c4eb791fa777293 ./tools/squashfs-tools_4.3-3.0tails4_amd64.deb +eb66b37b4c0a81285e0c2fa18787b942fdee63a4d1c25cb4343ab50c03d1524a ./variables.sh diff --git a/create-iso.sh b/create-iso.sh new file mode 100755 index 0000000..3aab2d2 --- /dev/null +++ b/create-iso.sh 
@@ -0,0 +1,170 @@ +#!/bin/bash +# Main script for ISO image creation + +set -x # Print each command before executing it +set -e # Exit immediately should a command fail +set -u # Treat unset variables as an error and exit immediately + +source ./variables.sh + +# Creating a working directory +mkdir -p $WD + +# Setting up the base Debian rootfs environment +debuerreotype-init $WD/chroot $DIST $DATE --arch=$ARCH +# root without password +debuerreotype-chroot $WD/chroot passwd -d root +# Installing all needed packages for COEN +debuerreotype-apt-get $WD/chroot update +debuerreotype-chroot $WD/chroot DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Check-Valid-Until=false install \ + --no-install-recommends --yes \ + linux-image-amd64 live-boot systemd-sysv \ + syslinux syslinux-common isolinux +debuerreotype-chroot $WD/chroot DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Check-Valid-Until=false install \ + --no-install-recommends --yes \ + iproute2 ifupdown pciutils usbutils dosfstools eject exfat-utils \ + vim links2 xpdf cups cups-bsd enscript libbsd-dev tree openssl less iputils-ping \ + xserver-xorg-core xserver-xorg xfce4 xfce4-terminal xfce4-panel lightdm system-config-printer \ + xterm gvfs thunar-volman xfce4-power-manager +debuerreotype-apt-get $WD/chroot --yes --purge autoremove +debuerreotype-apt-get $WD/chroot --yes clean + +# Applying hooks +for FIXES in $HOOK_DIR/* +do + $FIXES +done + +# Setting network +echo "coen" > $WD/chroot/etc/hostname + +cat > $WD/chroot/etc/hosts << EOF +127.0.0.1 localhost coen +192.168.0.2 hsm +EOF + +cat > $WD/chroot/etc/network/interfaces.d/coen-network << EOF +auto lo +iface lo inet loopback + +auto eth0 +iface eth0 inet static + address 192.168.0.1 + netmask 255.255.255.0 +EOF + +# Profile in .bashrc to work with xfce terminal +echo "export PATH=:/opt/icann/bin:/opt/Keyper/bin:\$PATH" >> $WD/chroot/root/.bashrc +# ls with color +sed -i -r -e '9s/^#//' \ + -e '10s/^#//' \ + -e '11s/^#//' \ + $WD/chroot/root/.bashrc + 
+# Configure autologin +for NUMBER in $(seq 1 6) + do + mkdir -p $WD/chroot/etc/systemd/system/getty@tty${NUMBER}.service.d + +cat > $WD/chroot/etc/systemd/system/getty@tty${NUMBER}.service.d/live-config_autologin.conf << EOF +[Service] +Type=idle +ExecStart= +ExecStart=-/sbin/agetty --autologin root --noclear %I \$TERM +TTYVTDisallocate=no +EOF +done + +# XFCE root auto login +sed -i -r -e "s|^#.*autologin-user=.*\$|autologin-user=root|" \ + -e "s|^#.*autologin-user-timeout=.*\$|autologin-user-timeout=0|" \ + $WD/chroot/etc/lightdm/lightdm.conf + +sed -i --regexp-extended \ + '11s/.*/#&/' \ + $WD/chroot/etc/pam.d/lightdm-autologin + +# Disabling lastlog since autologin is enabled +sed -i '/^[^#].*pam_lastlog\.so/s/^/# /' $WD/chroot/etc/pam.d/login + +# Making sure that the xscreensaver is off +rm -f $WD/chroot/etc/xdg/autostart/xscreensaver.desktop + +# Defining mount point /media/ for HSMFD, HSMFD1 and KSRFD +cat > $WD/chroot/etc/udev/rules.d/99-udisks2.rules << EOF +# UDISKS_FILESYSTEM_SHARED +# ==1: mount filesystem to a shared directory (/media/VolumeName) +# ==0: mount filesystem to a private directory (/run/media/USER/VolumeName) +# See udisks(8) +ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{UDISKS_FILESYSTEM_SHARED}="1" +EOF + +# Creating boot directories +mkdir -p $WD/image/live +mkdir -p $WD/image/isolinux + +# Copying bootloader +cp -p $WD/chroot/boot/vmlinuz-* $WD/image/live/vmlinuz +cp -p $WD/chroot/boot/initrd.img-* $WD/image/live/initrd.img + +# Creating the isolinux bootloader +cat > $WD/image/isolinux/isolinux.cfg << EOF +UI menu.c32 + +prompt 0 +menu title coen-${RELEASE} + +timeout 1 + +label coen-${RELEASE} Live amd64 +menu label ^coen-${RELEASE} amd64 +menu default +kernel /live/vmlinuz +append initrd=/live/initrd.img boot=live locales=en_US.UTF-8 keymap=us language=us net.ifnames=0 timezone=Etc/UTC live-media=removable nopersistence selinux=0 STATICIP=frommedia 
modprobe.blacklist=pcspkr,hci_uart,btintel,btqca,btbcm,bluetooth,snd_hda_intel,snd_hda_codec_realtek,snd_soc_skl,snd_soc_skl_ipc,snd_soc_sst_ipc,snd_soc_sst_dsp,snd_hda_ext_core,snd_soc_sst_match,snd_soc_core,snd_compress,snd_hda_core,snd_pcm,snd_timer,snd,soundcore + +EOF + +# Coping files for ISO booting +cp -p $WD/chroot/usr/lib/ISOLINUX/isolinux.bin $WD/image/isolinux/ +cp -p $WD/chroot/usr/lib/ISOLINUX/isohdpfx.bin $WD/image/isolinux/ +cp -p $WD/chroot/usr/lib/syslinux/modules/bios/menu.c32 $WD/image/isolinux/ +cp -p $WD/chroot/usr/lib/syslinux/modules/bios/hdt.c32 $WD/image/isolinux/ +cp -p $WD/chroot/usr/lib/syslinux/modules/bios/ldlinux.c32 $WD/image/isolinux/ +cp -p $WD/chroot/usr/lib/syslinux/modules/bios/libutil.c32 $WD/image/isolinux/ +cp -p $WD/chroot/usr/lib/syslinux/modules/bios/libmenu.c32 $WD/image/isolinux/ +cp -p $WD/chroot/usr/lib/syslinux/modules/bios/libcom32.c32 $WD/image/isolinux/ +cp -p $WD/chroot/usr/lib/syslinux/modules/bios/libgpl.c32 $WD/image/isolinux/ +cp -p $WD/chroot/usr/share/misc/pci.ids $WD/image/isolinux/ + +# Fixing dates to SOURCE_DATE_EPOCH +debuerreotype-fixup $WD/chroot + +# Fixing main folder timestamps to SOURCE_DATE_EPOCH +find "$WD/" -exec touch --no-dereference --date="@$SOURCE_DATE_EPOCH" '{}' + + +# Compressing the chroot environment into a squashfs +mksquashfs $WD/chroot/ $WD/image/live/filesystem.squashfs -comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K -no-exports -processors 1 -no-fragments -wildcards -ef $TOOL_DIR/mksquashfs-excludes + +# Setting permissions for squashfs.img +chmod 644 $WD/image/live/filesystem.squashfs + +# Fixing squashfs folder timestamps to SOURCE_DATE_EPOCH +find "$WD/image/" -exec touch --no-dereference --date="@$SOURCE_DATE_EPOCH" '{}' + + +# Creating the iso +xorriso -outdev $ISONAME -volid COEN \ + -map $WD/image/ / -chmod 0755 / -- -boot_image isolinux dir=/isolinux \ + -boot_image isolinux system_area=$WD/chroot/usr/lib/ISOLINUX/isohdpfx.bin \ + -boot_image isolinux 
partition_entry=gpt_basdat
+
+echo "Calculating SHA-256 HASH of the $ISONAME"
+NEWHASH=$(sha256sum < "${ISONAME}")
+ if [ "$NEWHASH" != "$SHASUM" ]
+ then
+ echo "ERROR: SHA-256 hashes mismatched reproduction failed"
+ echo "Please send us an issue report: https://github.com/iana-org/coen"
+ else
+ echo "Successfully reproduced coen-${RELEASE}"
+ fi
+
+# END
diff --git a/tools/debuerreotype_0.7-1_all.deb b/tools/debuerreotype_0.7-1_all.deb
new file mode 100644
index 0000000..55f3381
Binary files /dev/null and b/tools/debuerreotype_0.7-1_all.deb differ
diff --git a/tools/hooks/00-install-ksk-packages.sh b/tools/hooks/00-install-ksk-packages.sh
new file mode 100755
index 0000000..f649859
--- /dev/null
+++ b/tools/hooks/00-install-ksk-packages.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# Installs KSK software and XFCE customisation from Debian packages
+
+set -x # Print each command before executing it
+set -e # Exit immediately should a command fail
+set -u # Treat unset variables as an error and exit immediately
+
+PKG1="ksk-tools-0.1.0coen_amd64.deb"
+SHAPKG1="93e954744ec11e1d6837a792e26cc93b88f0735f7184337c4e65babca65503ab -"
+
+PKG2="ksk-xfce-custom-0.1.0coen_amd64.deb"
+SHAPKG2="2080347093bc714b92d2f02e9c19e51ca23804776c2b52958c25630330b25f1d -"
+
+for PKG in "${PKG1} ${SHAPKG1}" "${PKG2} ${SHAPKG2}"
+do
+ set -- $PKG # parses variable PKG $1 name and $2 hash and $3 "-"
+ cp $PACKAGE_DIR/$1 $WD/chroot/tmp
+ echo "Calculating SHA-256 HASH of the $1"
+ HASH=$(sha256sum < "$WD/chroot/tmp/$1")
+ if [ "$HASH" != "$2 $3" ]
+ then
+ echo "ERROR: SHA-256 hashes mismatched"
+ exit 1
+ fi
+ debuerreotype-chroot $WD/chroot dpkg -i /tmp/$1
+ rm -f $WD/chroot/tmp/$1
+done
+
+# END
diff --git a/tools/hooks/01-fix-fontconfig-cache.sh b/tools/hooks/01-fix-fontconfig-cache.sh
new file mode 100755
index 0000000..125148f
--- /dev/null
+++ b/tools/hooks/01-fix-fontconfig-cache.sh
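Review bot: When the final SHA-256 comparison fails, the `if [ "$NEWHASH" != "$SHASUM" ]` branch only echoes the error and the script falls through to `# END`, so create-iso.sh exits 0 and the container reports success; `make all` then copies the non-matching ISO out as if reproduction had worked. Add `exit 1` after the second `echo` in that branch so a mismatch surfaces as a failed container run, which is also what the hooks do on a checksum mismatch. As a style point, `$WD`, `$ISONAME` and the other path variables are unquoted throughout the script; they are fixed paths today, so nothing breaks, but `set -u` does not guard against word splitting and quoting them costs nothing.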
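Review bot: The copy/verify/`dpkg -i`/clean-up loop in this hook is repeated verbatim in 01-fix-fontconfig-cache.sh, 02-fix-initramfs-tools.sh and 03-fix-gtk-immodules-cache.sh, with only the PKGn/SHAPKGn pairs differing, and the expected hashes are a second copy of values already listed in SHA256SUMS, which the Dockerfile checks before any hook runs. A small helper sourced from a file under `$TOOL_DIR` would keep the verification in one place, and a comment should state that the per-package check is deliberate defense in depth on top of the Dockerfile-level manifest check (otherwise one of the two copies of each hash will eventually go stale). Letting `sha256sum -c` do the comparison, with the bare hash rather than the `<hash> -` string, also removes the dependence on the exact spacing of sha256sum's output.
```bash
# install_verified_pkg NAME SHA256 -- copies NAME from $PACKAGE_DIR into the
# chroot, aborts the build unless its SHA-256 matches, then installs it.
install_verified_pkg() {
    local name="$1" expected="$2"
    cp "$PACKAGE_DIR/$name" "$WD/chroot/tmp"
    echo "Calculating SHA-256 HASH of the $name"
    if ! echo "$expected  $WD/chroot/tmp/$name" | sha256sum -c --status -; then
        echo "ERROR: SHA-256 hashes mismatched"
        exit 1
    fi
    debuerreotype-chroot "$WD/chroot" dpkg -i "/tmp/$name"
    rm -f "$WD/chroot/tmp/$name"
}
# … unchanged: PKGn/SHAPKGn definitions; the for loop becomes one
# install_verified_pkg "<package file>" "<expected sha256>" call per package …
```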
@@ -0,0 +1,35 @@
+#!/bin/bash
+# fontconfig generates non-reproducible cache files under
+# /var/cache/fontconfig
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864082
+# The fontconfig packages from tails fixed the above
+
+set -x # Print each command before executing it
+set -e # Exit immediately should a command fail
+set -u # Treat unset variables as an error and exit immediately
+
+PKG1="fontconfig-config_2.11.0-6.7.0tails4_all.deb"
+SHAPKG1="390fdc4c915aeed379196335e672d6a9af6677e6d675093f8855c85953aae246 -"
+
+PKG2="libfontconfig1_2.11.0-6.7.0tails4_amd64.deb"
+SHAPKG2="933adbbead4fd8ced095b5f43fd82b092298aaf95436d8b051b2ee9a4abee917 -"
+
+PKG3="fontconfig_2.11.0-6.7.0tails4_amd64.deb"
+SHAPKG3="892a2c0b4f8e4874161165cb253755b3bd695ce238b30c3b8e5447ff269c2740 -"
+
+for PKG in "${PKG1} ${SHAPKG1}" "${PKG2} ${SHAPKG2}" "${PKG3} ${SHAPKG3}"
+do
+ set -- $PKG # parses variable PKG $1 name and $2 hash and $3 "-"
+ cp $PACKAGE_DIR/$1 $WD/chroot/tmp
+ echo "Calculating SHA-256 HASH of the $1"
+ HASH=$(sha256sum < "$WD/chroot/tmp/$1")
+ if [ "$HASH" != "$2 $3" ]
+ then
+ echo "ERROR: SHA-256 hashes mismatched"
+ exit 1
+ fi
+ debuerreotype-chroot $WD/chroot dpkg -i /tmp/$1
+ rm -f $WD/chroot/tmp/$1
+done
+
+# END
diff --git a/tools/hooks/02-fix-initramfs-tools.sh b/tools/hooks/02-fix-initramfs-tools.sh
new file mode 100755
index 0000000..3c56d83
--- /dev/null
+++ b/tools/hooks/02-fix-initramfs-tools.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# mkinitramfs generates non-reproducible ramdisk images
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845034
+# The initramfs-tools packages from tails fixed the above
+
+set -x # Print each command before executing it
+set -e # Exit immediately should a command fail
+set -u # Treat unset variables as an error and exit immediately
+
+PKG1="initramfs-tools-core_0.130.0tails1_all.deb"
+SHAPKG1="db1d9dcd6d0c9587136c5a65419ee9eaa7a8a20c163dd2718cd826056a893819 -"
+
+PKG2="initramfs-tools_0.130.0tails1_all.deb"
+SHAPKG2="36c39407b505015a80e666726018edad37211d594b862238475d59d3de4e0da9 -"
+
+for PKG in "${PKG1} ${SHAPKG1}" "${PKG2} ${SHAPKG2}"
+do
+ set -- $PKG # parses variable PKG $1 name and $2 hash and $3 "-"
+ cp $PACKAGE_DIR/$1 $WD/chroot/tmp
+ echo "Calculating SHA-256 HASH of the $1"
+ HASH=$(sha256sum < "$WD/chroot/tmp/$1")
+ if [ "$HASH" != "$2 $3" ]
+ then
+ echo "ERROR: SHA-256 hashes mismatched"
+ exit 1
+ fi
+ debuerreotype-chroot $WD/chroot dpkg -i /tmp/$1
+ rm -f $WD/chroot/tmp/$1
+done
+
+# END
diff --git a/tools/hooks/03-fix-gtk-immodules-cache.sh b/tools/hooks/03-fix-gtk-immodules-cache.sh
new file mode 100755
index 0000000..224962d
--- /dev/null
+++ b/tools/hooks/03-fix-gtk-immodules-cache.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# gtk+2.0 and gtk+3.0 immodules.cache is not reproducible
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872729
+# and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875700
+# The gtk+ packages from tails fixed the above
+
+set -x # Print each command before executing it
+set -e # Exit immediately should a command fail
+set -u # Treat unset variables as an error and exit immediately
+
+PKG1="libgtk2.0-common_2.24.31-2.0tails1_all.deb"
+SHAPKG1="0862890d70bafeb6b4a7a1c1da05c90569e0147522d6526fad6d146d6335b79f -"
+
+PKG2="libgtk2.0-0_2.24.31-2.0tails1_amd64.deb"
+SHAPKG2="a0ae2652c5ca8461752f17ab22aa385c588481351b7b4aeb199a3d23d6479c34 -"
+
+PKG3="gir1.2-gtk-3.0_3.22.11-1.0tails1_amd64.deb"
+SHAPKG3="01db265c90f351367c73cd7ecedeca2f490374579320c5240feecdc70040917e -"
+
+PKG4="gtk-update-icon-cache_3.22.11-1.0tails1_amd64.deb"
+SHAPKG4="4e49e6161a93424700ced09d0225574d3f6dd406ba9f9e14c36a50e870faab16 -"
+
+PKG5="libgtk-3-common_3.22.11-1.0tails1_all.deb"
+SHAPKG5="605e3c77857d9c55932c7f497f56c70d46af65af59600e5507f42aea3832a848 -"
+
+PKG6="libgtk-3-0_3.22.11-1.0tails1_amd64.deb"
+SHAPKG6="a8946b779ccf305da8dadefa9d7d9402ccfe756246dd70a251e4375076a83648 -"
+
+for PKG in "${PKG1} ${SHAPKG1}" "${PKG2} ${SHAPKG2}" "${PKG3} ${SHAPKG3}" "${PKG4} ${SHAPKG4}" "${PKG5} ${SHAPKG5}" "${PKG6} ${SHAPKG6}"
+do
+ set -- $PKG # parses variable PKG $1 name and $2 hash and $3 "-"
+ cp $PACKAGE_DIR/$1 $WD/chroot/tmp
+ echo "Calculating SHA-256 HASH of the $1"
+ HASH=$(sha256sum < "$WD/chroot/tmp/$1")
+ if [ "$HASH" != "$2 $3" ]
+ then
+ echo "ERROR: SHA-256 hashes mismatched"
+ exit 1
+ fi
+ debuerreotype-chroot $WD/chroot dpkg -i /tmp/$1
+ rm -f $WD/chroot/tmp/$1
+done
+
+# END
diff --git a/tools/hooks/04-fix-gdk-pixbuf-glib2.0-shadow.sh b/tools/hooks/04-fix-gdk-pixbuf-glib2.0-shadow.sh
new file mode 100755
index 0000000..00ce156
--- /dev/null
+++ b/tools/hooks/04-fix-gdk-pixbuf-glib2.0-shadow.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# gdk-pixbuf's loaders.cache is not reproducible
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875704
+# giomodule.cache is not reproducible
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873625
+# The file /etc/shadow is not reproducible
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857803
+# The packages from sid (unstable) fixed the above
+
+set -x # Print each command before executing it
+set -e # Exit immediately should a command fail
+set -u # Treat unset variables as an error and exit immediately
+
+# Adding sid (unstable) to /etc/apt/sources.list
+debuerreotype-chroot $WD/chroot sed -i "$ a\deb \
+http://snapshot.debian.org/archive/debian/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') \
+sid main" /etc/apt/sources.list
+
+# Installing sid (unstable) packages
+debuerreotype-apt-get $WD/chroot update
+debuerreotype-chroot $WD/chroot DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Check-Valid-Until=false install \
+ --no-install-recommends --yes -t sid \
+ gir1.2-gdkpixbuf-2.0 libgdk-pixbuf2.0-common libgdk-pixbuf2.0-0 \
+ libglib2.0-0 \
+ login passwd
+debuerreotype-apt-get $WD/chroot --yes --purge autoremove
+debuerreotype-apt-get $WD/chroot --yes clean
+
+# Turning off the shadow passwords
+debuerreotype-chroot $WD/chroot shadowconfig off
+debuerreotype-chroot $WD/chroot rm -f /etc/shadow-
+
+# END
diff --git a/tools/hooks/05-fix-non-reproducible-files.sh b/tools/hooks/05-fix-non-reproducible-files.sh
new file mode 100755
index 0000000..bcd8778
--- /dev/null
+++ b/tools/hooks/05-fix-non-reproducible-files.sh
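Review bot: The sid entry that the `sed -i "$ a\deb …"` line appends to /etc/apt/sources.list is never removed after the `apt-get install … -t sid` step, so as far as this commit shows it stays in the chroot that becomes the live image, and any later `apt-get` on the booted system would resolve packages against unstable as well as stretch. After the `clean` call, delete the line again, e.g. `debuerreotype-chroot $WD/chroot sed -i '/ sid main$/d' /etc/apt/sources.list`, and add a comment above the install naming which of the header's bug references each sid package addresses. `shadowconfig off` moves any password hashes back into world-readable /etc/passwd; that is harmless here because create-iso.sh has already run `passwd -d root` and no other accounts are created, but a comment stating that dependency would save the next reader the question.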
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Fixing non-reproducible files
+
+set -x # Print each command before executing it
+set -e # Exit immediately should a command fail
+set -u # Treat unset variables as an error and exit immediately
+
+# Truncating the snakeoil SSL key pair and deleting the symbolic link generated
+# by ssl-cert because is not reproducible
+
+debuerreotype-chroot $WD/chroot truncate -s 0 /etc/ssl/certs/ssl-cert-snakeoil.pem
+debuerreotype-chroot $WD/chroot truncate -s 0 /etc/ssl/private/ssl-cert-snakeoil.key
+debuerreotype-chroot $WD/chroot find "/etc/ssl/certs" -lname "ssl-cert-snakeoil.pem" -exec rm -f '{}' +
+
+# Truncating not reproducible file
+debuerreotype-chroot $WD/chroot truncate -s 0 /etc/machine-id
+
+# Removing python compiled bytecode
+debuerreotype-chroot $WD/chroot find "/usr" -name "*.pyc" -exec rm -f '{}' +
+
+# END
diff --git a/tools/mksquashfs-excludes b/tools/mksquashfs-excludes
new file mode 100644
index 0000000..d01337d
--- /dev/null
+++ b/tools/mksquashfs-excludes
@@ -0,0 +1,10 @@
+boot/*
+tmp/*
+var/lib/apt/lists/*
+usr/share/doc/*
+usr/share/icons/*/.icon-theme.cache
+usr/share/icons/*/icon-theme.cache
+var/cache/debconf/*
+var/lib/dpkg/info/*.md5sums
+var/lib/systemd/catalog/database
+var/log/*
diff --git a/tools/packages/fontconfig-config_2.11.0-6.7.0tails4_all.deb b/tools/packages/fontconfig-config_2.11.0-6.7.0tails4_all.deb
new file mode 100644
index 0000000..b7de434
Binary files /dev/null and b/tools/packages/fontconfig-config_2.11.0-6.7.0tails4_all.deb differ
diff --git a/tools/packages/fontconfig_2.11.0-6.7.0tails4_amd64.deb b/tools/packages/fontconfig_2.11.0-6.7.0tails4_amd64.deb
new file mode 100644
index 0000000..effbb07
Binary files /dev/null and b/tools/packages/fontconfig_2.11.0-6.7.0tails4_amd64.deb differ
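Review bot: Excluding `var/lib/dpkg/info/*.md5sums` drops the per-package file checksums, so dpkg-based integrity checks of installed files (e.g. `debsums`) cannot be run inside the booted live system; the image as a whole is still pinned by the ISO's published SHA-256, so this is probably a deliberate size or reproducibility trade-off, but nothing in the commit records that. This list is consumed through `mksquashfs -ef`, which leaves no room for comments in the file itself, so the rationale for that entry (and for dropping `var/log/*` and `tmp/*`) belongs in the comment above the mksquashfs call in create-iso.sh.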
diff --git a/tools/packages/gir1.2-gtk-3.0_3.22.11-1.0tails1_amd64.deb b/tools/packages/gir1.2-gtk-3.0_3.22.11-1.0tails1_amd64.deb new file mode 100644 index 0000000..3409348 Binary files /dev/null and b/tools/packages/gir1.2-gtk-3.0_3.22.11-1.0tails1_amd64.deb differ diff --git a/tools/packages/gtk-update-icon-cache_3.22.11-1.0tails1_amd64.deb b/tools/packages/gtk-update-icon-cache_3.22.11-1.0tails1_amd64.deb new file mode 100644 index 0000000..d4e1c7f Binary files /dev/null and b/tools/packages/gtk-update-icon-cache_3.22.11-1.0tails1_amd64.deb differ diff --git a/tools/packages/initramfs-tools-core_0.130.0tails1_all.deb b/tools/packages/initramfs-tools-core_0.130.0tails1_all.deb new file mode 100644 index 0000000..1f2a814 Binary files /dev/null and b/tools/packages/initramfs-tools-core_0.130.0tails1_all.deb differ diff --git a/tools/packages/initramfs-tools_0.130.0tails1_all.deb b/tools/packages/initramfs-tools_0.130.0tails1_all.deb new file mode 100644 index 0000000..e48af48 Binary files /dev/null and b/tools/packages/initramfs-tools_0.130.0tails1_all.deb differ diff --git a/tools/packages/ksk-tools-0.1.0coen_amd64.deb b/tools/packages/ksk-tools-0.1.0coen_amd64.deb new file mode 100644 index 0000000..a502491 Binary files /dev/null and b/tools/packages/ksk-tools-0.1.0coen_amd64.deb differ diff --git a/tools/packages/ksk-xfce-custom-0.1.0coen_amd64.deb b/tools/packages/ksk-xfce-custom-0.1.0coen_amd64.deb new file mode 100644 index 0000000..0289289 Binary files /dev/null and b/tools/packages/ksk-xfce-custom-0.1.0coen_amd64.deb differ diff --git a/tools/packages/libfontconfig1_2.11.0-6.7.0tails4_amd64.deb b/tools/packages/libfontconfig1_2.11.0-6.7.0tails4_amd64.deb new file mode 100644 index 0000000..c02c566 Binary files /dev/null and b/tools/packages/libfontconfig1_2.11.0-6.7.0tails4_amd64.deb differ 
diff --git a/tools/packages/libgtk-3-0_3.22.11-1.0tails1_amd64.deb b/tools/packages/libgtk-3-0_3.22.11-1.0tails1_amd64.deb new file mode 100644 index 0000000..4d43bb9 Binary files /dev/null and b/tools/packages/libgtk-3-0_3.22.11-1.0tails1_amd64.deb differ diff --git a/tools/packages/libgtk-3-common_3.22.11-1.0tails1_all.deb b/tools/packages/libgtk-3-common_3.22.11-1.0tails1_all.deb new file mode 100644 index 0000000..c6e1e53 Binary files /dev/null and b/tools/packages/libgtk-3-common_3.22.11-1.0tails1_all.deb differ diff --git a/tools/packages/libgtk2.0-0_2.24.31-2.0tails1_amd64.deb b/tools/packages/libgtk2.0-0_2.24.31-2.0tails1_amd64.deb new file mode 100644 index 0000000..2ddb35f Binary files /dev/null and b/tools/packages/libgtk2.0-0_2.24.31-2.0tails1_amd64.deb differ diff --git a/tools/packages/libgtk2.0-common_2.24.31-2.0tails1_all.deb b/tools/packages/libgtk2.0-common_2.24.31-2.0tails1_all.deb new file mode 100644 index 0000000..363a263 Binary files /dev/null and b/tools/packages/libgtk2.0-common_2.24.31-2.0tails1_all.deb differ diff --git a/tools/squashfs-tools_4.3-3.0tails4_amd64.deb b/tools/squashfs-tools_4.3-3.0tails4_amd64.deb new file mode 100644 index 0000000..7725b73 Binary files /dev/null and b/tools/squashfs-tools_4.3-3.0tails4_amd64.deb differ diff --git a/variables.sh b/variables.sh new file mode 100755 index 0000000..3ad02da --- /dev/null +++ b/variables.sh 
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Configuration for creation of the ISO image. This script is executed by
+# create-iso.sh
+
+set -x # Print each command before executing it
+set -e # Exit immediately should a command fail
+set -u # Treat unset variables as an error and exit immediately
+
+export RELEASE=0.4.0 # Release version number
+export DATE=20180311 # Timestamp to use for version packages (`date +%Y%m%d`)
+export DIST=stretch # Debian distribution to base image on
+export ARCH=amd64 # Target architecture
+export SHASUM="8105b885b176741d25ef9d391c6a302aed3f6c916093a621a865cb90d560774f -" # ISO image SHA-256
+export SOURCE_DATE_EPOCH="$(date --utc --date="$DATE" +%s)" # defined by reproducible-builds.org
+export WD=/opt/coen-${RELEASE} # Working directory to create the image
+export ISONAME=${WD}-${ARCH}.iso # Final name of the ISO image
+export TOOL_DIR=/tools # Location to install the tools
+export HOOK_DIR=$TOOL_DIR/hooks # Hooks
+export PACKAGE_DIR=$TOOL_DIR/packages # Packages
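Review bot: The `set -x`/`set -e`/`set -u` lines run in whichever shell sources this file — `source ./variables.sh` in create-iso.sh and `. ./variables.sh` in the Dockerfile's RUN step — so they change the caller's options rather than this script's own; both callers already set those options, so nothing breaks today, but a comment such as `# NOTE: this file is sourced, not executed; the set options below apply to the sourcing shell` would prevent surprises when it is reused. The header comment should also list the values that have to move together on a release bump: RELEASE and DATE here, SHASUM (which must equal the checksum published in README.md), RELEASE in the Makefile, and the SHA256SUMS manifest, which lists this file and therefore has to be regenerated after any edit to it.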