First public release (v0.4.0)

Dockerfile

@@ -0,0 +1,34 @@
+FROM debian:9.4-slim@sha256:91e111a5c5314bc443be24cf8c0d59f19ffad6b0ea8ef8f54aedd41b8203e3e1
+
+ENV DEBIAN_FRONTEND noninteractive
+
+COPY create-iso.sh .
+COPY variables.sh .
+COPY SHA256SUMS .
+COPY tools/ /tools/
+
+RUN sha256sum -c SHA256SUMS
+
+RUN . ./variables.sh && \
+    rm -f /etc/apt/sources.list && \
+    echo "deb http://snapshot.debian.org/archive/debian/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') $DIST main" >> /etc/apt/sources.list && \
+    echo "deb http://snapshot.debian.org/archive/debian/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') "$DIST"-updates main" >> /etc/apt/sources.list && \
+    echo "deb http://snapshot.debian.org/archive/debian-security/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') "$DIST"/updates main" >> /etc/apt/sources.list
+
+RUN apt-get update -o Acquire::Check-Valid-Until=false && \
+    apt-get install -o Acquire::Check-Valid-Until=false --no-install-recommends --yes \
+    liblzo2-2 xorriso debootstrap \
+    locales && \
+    sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen && \
+    locale-gen en_US.UTF-8
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN dpkg-reconfigure locales
+
+RUN dpkg -i /tools/squashfs-tools_4.3-3.0tails4_amd64.deb && \
+    dpkg -i /tools/debuerreotype_0.7-1_all.deb
+
+CMD ["/create-iso.sh"]

LICENSE.md

@@ -0,0 +1,14 @@
+Copyright (c) 2018 Internet Corporation for Assigned Names and Numbers
+("ICANN")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED “AS IS" AND ICANN DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ICANN BE LIABLE FOR ANY
+SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Makefile

@@ -0,0 +1,30 @@
+RELEASE = 0.4.0
+
+.PHONY: usage build remove run copy all default
+
+usage:
+	@echo "Please provide an option:"
+	@echo " make build	--- Build the COEN ISO image"
+	@echo " make run	--- Run a container to build the ISO image"
+	@echo " make remove	--- Remove the container"
+	@echo " make copy	--- Copy the ISO image into the host directory"
+	@echo " make all	--- Execute build, remove, run and copy"
+
+build:
+	docker build -t coen:$(RELEASE) .
+
+remove:
+	-docker rm coen
+
+run:
+	docker run -i -t \
+	--privileged \
+	--name=coen \
+	coen:$(RELEASE)
+
+copy:
+	-docker cp coen:/opt/coen-${RELEASE}-amd64.iso .
+
+all: build remove run copy
+
+default: usage

README.md

@@ -0,0 +1,126 @@
+# Ceremony Operating ENvironment (COEN)
+
+COEN is a live operating system consisting of:
+
+- A custom Debian GNU/Linux Live CD
+- The [Key Management Tools](https://github.com/iana-org/dnssec-keytools)
+- The AEP Keyper PKCS#11 provider
+- Assorted utilities.
+
+## Reproducible ISO image to make The Root Zone DNSSEC Key Signing Key Ceremony System more Trustworthy
+
+This **Reproducible** ISO image provide a verifiable process to obtain the same
+hash every time at build the ISO image to increase the confidence in the DNSSEC Key
+Signing Key (KSK) for the Root Zone.
+
+### What are reproducible builds?
+
+Quoted from https://reproducible-builds.org
+
+> Reproducible builds are a set of software development practices that create a
+verifiable path from human readable source code to the binary code used by
+computers.
+>
+> Most aspects of software verification are done on source code, as that is what
+humans can reasonably understand. But most of the time, computers require
+software to be first built into a long string of numbers to be used. With
+reproducible builds, multiple parties can redo this process independently and
+ensure they all get exactly the same result. We can thus gain confidence that a
+distributed binary code is indeed coming from a given source code.
+
+## Acknowledgments
+
+This project cannot be possible without:
+- The [Reproducible Builds](https://reproducible-builds.org/) project
+- [Debian as trust anchor](https://wiki.debian.org/ReproducibleBuilds)
+- [Debuerreotype](https://github.com/debuerreotype/debuerreotype) a reproducible, snapshot-based Debian rootfs builder ([License](https://github.com/debuerreotype/debuerreotype/blob/master/LICENSE))
+- (The Amnesic Incognito Live System)[https://tails.boum.org/index.en.html] ([License](https://tails.boum.org/doc/about/license/index.en.html))
+
+## Requirements for building the ISO image
+
+Building the ISO image requires:
+
+* [Docker](https://www.docker.com/). The recommended Docker version is 18.03.
+* SELinux to be disabled. SELinux must be completely disabled rather than with **permissive mode** since the behave is differently.
+
+### Disabling SELinux
+
+If you are running a Red Hat based distribution, including RHEL, CentOS and
+Fedora, you will probably have the SELinux security module installed.
+
+To check your SELinux mode, run `sestatus` and check the output.
+
+If you see **enforcing** or **permissive** on *"Current mode"*, SELinux is
+enabled and enforcing rules or is enable and log rather than enforce errors.
+
+> **Warning** before proceeding with this, disabling SELinux also disables the
+generation of file contexts so an entire system relabeling is needed afterwards.
+
+To disable SELinux:
+
+- Edit `/etc/sysconfig/selinux` or `/etc/selinux/config` depending of your distro
+- Set the `SELINUX` parameter to `disabled`
+- For the changes to take effect, you need to **reboot** the machine, since
+SELinux is running within the kernel
+- Check the status of SELinux using `sestatus` command
+
+## Building the ISO image
+
+Execute the following commands to build the ISO image:
+
+```
+git clone https://github.com/iana-org/coen && \
+cd coen && \
+make all
+```
+* If you have a error executing `make all` as a non-root user, try to
+execute `sudo make all`.
+
+This will build a docker image with the proper environment to build the
+ISO. Then will run a container executing a bash script to build the ISO and
+if the build succeeded it will copy the resulting ISO into the host directory.
+
+You can execute `make` command to see more options.
+
+## Contributing
+
+### If the build failed
+
+Please send us an issue report at https://github.com/iana-org/coen with the error
+that is displayed in your terminal window.
+
+### If the reproduction succeeded
+
+Congrats for successfully reproducing the ISO image!
+
+You can compute the SHA-256 checksum of the resulting ISO image by yourself:
+
+```
+sha256sum coen-0.4.0-amd64.iso
+```
+or
+```
+shasum -a 256 coen-0.4.0-amd64.iso
+```
+
+Then, comparing it with the following checksum:
+
+```
+8105b885b176741d25ef9d391c6a302aed3f6c916093a621a865cb90d560774f  coen-0.4.0-amd64.iso
+```
+
+### If the reproduction failed
+
+Please help us to improve it. You can install `diffoscope` https://diffoscope.org/
+and download the image from:
+https://github.com/iana-org/coen/releases/tag/v0.4.0-20180311
+and then compare it with your image executing the following command:
+
+```
+diffoscope \
+  --text diffoscope.txt \
+  path/to/public/coen-0.4.0-amd64.iso \
+  path/to/your/coen-0.4.0-amd64.iso
+```
+Please send us an issue report at https://github.com/iana-org/coen attaching the
+diffoscope.txt file.

SHA256SUMS

@@ -0,0 +1,24 @@
+f9fd8d851d5a855cfa97eafe062418fb97e9cb574bab77326e9a34f9e8aa2c98  ./create-iso.sh
+c93b498e8599dd2368ae92622aee2342a312f84ae216eb2ece659fa9e4864ca3  ./tools/debuerreotype_0.7-1_all.deb
+dbed950a8b2e9c35dd76002e414268697a4b84749625753266c13bfbfa5eccb8  ./tools/hooks/00-install-ksk-packages.sh
+fa97bedd94635866336547f7f5c2aaeff10e8533ed86e4819d3820d8ccb1c862  ./tools/hooks/01-fix-fontconfig-cache.sh
+86441e5494f5444c4d14c6e78d0250d86706e4422fc030d538197b0a60ddf5bf  ./tools/hooks/02-fix-initramfs-tools.sh
+fc6ad08b3d8d5fd08e64e031b31766355a6faa4249971fca17fd382f42318df1  ./tools/hooks/03-fix-gtk-immodules-cache.sh
+76b8539898c19f12f9f1ef26da6b1514cb44dfd2b79f34ae81f2494259a763d6  ./tools/hooks/04-fix-gdk-pixbuf-glib2.0-shadow.sh
+b0cb9c6e8ca58353afc5643ba184fc24a501c6f091c354b720ecce736171a951  ./tools/hooks/05-fix-non-reproducible-files.sh
+72e4e673e75466fddd5f3964e3db3f941e0d40214ec37f167fe425b33e60e1c0  ./tools/mksquashfs-excludes
+390fdc4c915aeed379196335e672d6a9af6677e6d675093f8855c85953aae246  ./tools/packages/fontconfig-config_2.11.0-6.7.0tails4_all.deb
+892a2c0b4f8e4874161165cb253755b3bd695ce238b30c3b8e5447ff269c2740  ./tools/packages/fontconfig_2.11.0-6.7.0tails4_amd64.deb
+01db265c90f351367c73cd7ecedeca2f490374579320c5240feecdc70040917e  ./tools/packages/gir1.2-gtk-3.0_3.22.11-1.0tails1_amd64.deb
+4e49e6161a93424700ced09d0225574d3f6dd406ba9f9e14c36a50e870faab16  ./tools/packages/gtk-update-icon-cache_3.22.11-1.0tails1_amd64.deb
+db1d9dcd6d0c9587136c5a65419ee9eaa7a8a20c163dd2718cd826056a893819  ./tools/packages/initramfs-tools-core_0.130.0tails1_all.deb
+36c39407b505015a80e666726018edad37211d594b862238475d59d3de4e0da9  ./tools/packages/initramfs-tools_0.130.0tails1_all.deb
+93e954744ec11e1d6837a792e26cc93b88f0735f7184337c4e65babca65503ab  ./tools/packages/ksk-tools-0.1.0coen_amd64.deb
+2080347093bc714b92d2f02e9c19e51ca23804776c2b52958c25630330b25f1d  ./tools/packages/ksk-xfce-custom-0.1.0coen_amd64.deb
+933adbbead4fd8ced095b5f43fd82b092298aaf95436d8b051b2ee9a4abee917  ./tools/packages/libfontconfig1_2.11.0-6.7.0tails4_amd64.deb
+a8946b779ccf305da8dadefa9d7d9402ccfe756246dd70a251e4375076a83648  ./tools/packages/libgtk-3-0_3.22.11-1.0tails1_amd64.deb
+605e3c77857d9c55932c7f497f56c70d46af65af59600e5507f42aea3832a848  ./tools/packages/libgtk-3-common_3.22.11-1.0tails1_all.deb
+a0ae2652c5ca8461752f17ab22aa385c588481351b7b4aeb199a3d23d6479c34  ./tools/packages/libgtk2.0-0_2.24.31-2.0tails1_amd64.deb
+0862890d70bafeb6b4a7a1c1da05c90569e0147522d6526fad6d146d6335b79f  ./tools/packages/libgtk2.0-common_2.24.31-2.0tails1_all.deb
+5c7ab880233139bc213d2ef214dc6c433eac488eaa51f8d59c4eb791fa777293  ./tools/squashfs-tools_4.3-3.0tails4_amd64.deb
+eb66b37b4c0a81285e0c2fa18787b942fdee63a4d1c25cb4343ab50c03d1524a  ./variables.sh

create-iso.sh

@@ -0,0 +1,170 @@
+#!/bin/bash
+# Main script for ISO image creation
+
+set -x   # Print each command before executing it
+set -e   # Exit immediately should a command fail
+set -u   # Treat unset variables as an error and exit immediately
+
+source ./variables.sh
+
+# Creating a working directory
+mkdir -p $WD
+
+# Setting up the base Debian rootfs environment
+debuerreotype-init $WD/chroot $DIST $DATE --arch=$ARCH
+# root without password
+debuerreotype-chroot $WD/chroot passwd -d root
+# Installing all needed packages for COEN
+debuerreotype-apt-get $WD/chroot update
+debuerreotype-chroot $WD/chroot DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Check-Valid-Until=false install \
+    --no-install-recommends --yes \
+    linux-image-amd64 live-boot systemd-sysv \
+    syslinux syslinux-common isolinux
+debuerreotype-chroot $WD/chroot DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Check-Valid-Until=false install \
+    --no-install-recommends --yes \
+    iproute2 ifupdown pciutils usbutils dosfstools eject exfat-utils \
+    vim links2 xpdf cups cups-bsd enscript libbsd-dev tree openssl less iputils-ping \
+    xserver-xorg-core xserver-xorg xfce4 xfce4-terminal xfce4-panel lightdm system-config-printer \
+    xterm gvfs thunar-volman xfce4-power-manager
+debuerreotype-apt-get $WD/chroot --yes --purge autoremove
+debuerreotype-apt-get $WD/chroot --yes clean
+
+# Applying hooks
+for FIXES in $HOOK_DIR/*
+do
+  $FIXES
+done
+
+# Setting network
+echo "coen" > $WD/chroot/etc/hostname
+
+cat > $WD/chroot/etc/hosts << EOF
+127.0.0.1       localhost coen
+192.168.0.2     hsm
+EOF
+
+cat > $WD/chroot/etc/network/interfaces.d/coen-network << EOF
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet static
+  address 192.168.0.1
+  netmask 255.255.255.0
+EOF
+
+# Profile in .bashrc to work with xfce terminal
+echo "export PATH=:/opt/icann/bin:/opt/Keyper/bin:\$PATH" >> $WD/chroot/root/.bashrc
+# ls with color
+sed -i -r -e '9s/^#//' \
+          -e '10s/^#//' \
+          -e '11s/^#//' \
+    $WD/chroot/root/.bashrc
+
+# Configure autologin
+for NUMBER in $(seq 1 6)
+		do
+      mkdir -p $WD/chroot/etc/systemd/system/getty@tty${NUMBER}.service.d
+
+cat > $WD/chroot/etc/systemd/system/getty@tty${NUMBER}.service.d/live-config_autologin.conf << EOF
+[Service]
+Type=idle
+ExecStart=
+ExecStart=-/sbin/agetty --autologin root --noclear %I \$TERM
+TTYVTDisallocate=no
+EOF
+done
+
+# XFCE root auto login
+sed -i -r -e "s|^#.*autologin-user=.*\$|autologin-user=root|" \
+          -e "s|^#.*autologin-user-timeout=.*\$|autologin-user-timeout=0|" \
+    $WD/chroot/etc/lightdm/lightdm.conf
+
+sed -i --regexp-extended \
+    '11s/.*/#&/' \
+    $WD/chroot/etc/pam.d/lightdm-autologin
+
+# Disabling lastlog since autologin is enabled
+sed -i '/^[^#].*pam_lastlog\.so/s/^/# /' $WD/chroot/etc/pam.d/login
+
+# Making sure that the xscreensaver is off
+rm -f $WD/chroot/etc/xdg/autostart/xscreensaver.desktop
+
+# Defining mount point /media/ for HSMFD, HSMFD1 and KSRFD
+cat > $WD/chroot/etc/udev/rules.d/99-udisks2.rules << EOF
+# UDISKS_FILESYSTEM_SHARED
+# ==1: mount filesystem to a shared directory (/media/VolumeName)
+# ==0: mount filesystem to a private directory (/run/media/USER/VolumeName)
+# See udisks(8)
+ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{UDISKS_FILESYSTEM_SHARED}="1"
+EOF
+
+# Creating boot directories
+mkdir -p $WD/image/live
+mkdir -p $WD/image/isolinux
+
+# Copying bootloader
+cp -p $WD/chroot/boot/vmlinuz-* $WD/image/live/vmlinuz
+cp -p $WD/chroot/boot/initrd.img-* $WD/image/live/initrd.img
+
+# Creating the isolinux bootloader
+cat > $WD/image/isolinux/isolinux.cfg << EOF
+UI menu.c32
+
+prompt 0
+menu title coen-${RELEASE}
+
+timeout 1
+
+label coen-${RELEASE} Live amd64
+menu label ^coen-${RELEASE} amd64
+menu default
+kernel /live/vmlinuz
+append initrd=/live/initrd.img boot=live locales=en_US.UTF-8 keymap=us language=us net.ifnames=0 timezone=Etc/UTC live-media=removable nopersistence selinux=0 STATICIP=frommedia modprobe.blacklist=pcspkr,hci_uart,btintel,btqca,btbcm,bluetooth,snd_hda_intel,snd_hda_codec_realtek,snd_soc_skl,snd_soc_skl_ipc,snd_soc_sst_ipc,snd_soc_sst_dsp,snd_hda_ext_core,snd_soc_sst_match,snd_soc_core,snd_compress,snd_hda_core,snd_pcm,snd_timer,snd,soundcore
+
+EOF
+
+# Coping files for ISO booting
+cp -p $WD/chroot/usr/lib/ISOLINUX/isolinux.bin $WD/image/isolinux/
+cp -p $WD/chroot/usr/lib/ISOLINUX/isohdpfx.bin $WD/image/isolinux/
+cp -p $WD/chroot/usr/lib/syslinux/modules/bios/menu.c32 $WD/image/isolinux/
+cp -p $WD/chroot/usr/lib/syslinux/modules/bios/hdt.c32 $WD/image/isolinux/
+cp -p $WD/chroot/usr/lib/syslinux/modules/bios/ldlinux.c32 $WD/image/isolinux/
+cp -p $WD/chroot/usr/lib/syslinux/modules/bios/libutil.c32 $WD/image/isolinux/
+cp -p $WD/chroot/usr/lib/syslinux/modules/bios/libmenu.c32 $WD/image/isolinux/
+cp -p $WD/chroot/usr/lib/syslinux/modules/bios/libcom32.c32 $WD/image/isolinux/
+cp -p $WD/chroot/usr/lib/syslinux/modules/bios/libgpl.c32 $WD/image/isolinux/
+cp -p $WD/chroot/usr/share/misc/pci.ids $WD/image/isolinux/
+
+# Fixing dates to SOURCE_DATE_EPOCH
+debuerreotype-fixup $WD/chroot
+
+# Fixing main folder timestamps to SOURCE_DATE_EPOCH
+find "$WD/" -exec touch --no-dereference --date="@$SOURCE_DATE_EPOCH" '{}' +
+
+# Compressing the chroot environment into a squashfs
+mksquashfs $WD/chroot/ $WD/image/live/filesystem.squashfs -comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K -no-exports -processors 1 -no-fragments -wildcards -ef $TOOL_DIR/mksquashfs-excludes
+
+# Setting permissions for squashfs.img
+chmod 644 $WD/image/live/filesystem.squashfs
+
+# Fixing squashfs folder timestamps to SOURCE_DATE_EPOCH
+find "$WD/image/" -exec touch --no-dereference --date="@$SOURCE_DATE_EPOCH" '{}' +
+
+# Creating the iso
+xorriso -outdev $ISONAME -volid COEN \
+ -map $WD/image/ / -chmod 0755 / -- -boot_image isolinux dir=/isolinux \
+ -boot_image isolinux system_area=$WD/chroot/usr/lib/ISOLINUX/isohdpfx.bin \
+ -boot_image isolinux partition_entry=gpt_basdat
+
+echo "Calculating SHA-256 HASH of the $ISONAME"
+NEWHASH=$(sha256sum < "${ISONAME}")
+  if [ "$NEWHASH" != "$SHASUM" ]
+    then
+      echo "ERROR: SHA-256 hashes mismatched reproduction failed"
+      echo "Please send us an issue report: https://github.com/iana-org/coen"
+  else
+      echo "Successfully reproduced coen-${RELEASE}"
+  fi
+
+# END

tools/hooks/00-install-ksk-packages.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Installs KSK software and XFCE customisation from Debian packages
+
+set -x   # Print each command before executing it
+set -e   # Exit immediately should a command fail
+set -u   # Treat unset variables as an error and exit immediately
+
+PKG1="ksk-tools-0.1.0coen_amd64.deb"
+SHAPKG1="93e954744ec11e1d6837a792e26cc93b88f0735f7184337c4e65babca65503ab  -"
+
+PKG2="ksk-xfce-custom-0.1.0coen_amd64.deb"
+SHAPKG2="2080347093bc714b92d2f02e9c19e51ca23804776c2b52958c25630330b25f1d  -"
+
+for PKG in "${PKG1} ${SHAPKG1}" "${PKG2} ${SHAPKG2}"
+do
+	set -- $PKG # parses variable PKG $1 name and $2 hash and $3 "-"
+	cp $PACKAGE_DIR/$1 $WD/chroot/tmp
+	echo "Calculating SHA-256 HASH of the $1"
+	HASH=$(sha256sum < "$WD/chroot/tmp/$1")
+		if [ "$HASH" != "$2  $3" ]
+		then
+			echo "ERROR: SHA-256 hashes mismatched"
+			exit 1
+		fi
+	debuerreotype-chroot $WD/chroot dpkg -i /tmp/$1
+	rm -f $WD/chroot/tmp/$1
+done
+
+# END

tools/hooks/01-fix-fontconfig-cache.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# fontconfig generates non-reproducible cache files under
+# /var/cache/fontconfig
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864082
+# The fontconfig packages from tails fixed the above
+
+set -x   # Print each command before executing it
+set -e   # Exit immediately should a command fail
+set -u   # Treat unset variables as an error and exit immediately
+
+PKG1="fontconfig-config_2.11.0-6.7.0tails4_all.deb"
+SHAPKG1="390fdc4c915aeed379196335e672d6a9af6677e6d675093f8855c85953aae246  -"
+
+PKG2="libfontconfig1_2.11.0-6.7.0tails4_amd64.deb"
+SHAPKG2="933adbbead4fd8ced095b5f43fd82b092298aaf95436d8b051b2ee9a4abee917  -"
+
+PKG3="fontconfig_2.11.0-6.7.0tails4_amd64.deb"
+SHAPKG3="892a2c0b4f8e4874161165cb253755b3bd695ce238b30c3b8e5447ff269c2740  -"
+
+for PKG in "${PKG1} ${SHAPKG1}" "${PKG2} ${SHAPKG2}" "${PKG3} ${SHAPKG3}"
+do
+	set -- $PKG # parses variable PKG $1 name and $2 hash and $3 "-"
+	cp $PACKAGE_DIR/$1 $WD/chroot/tmp
+	echo "Calculating SHA-256 HASH of the $1"
+	HASH=$(sha256sum < "$WD/chroot/tmp/$1")
+		if [ "$HASH" != "$2  $3" ]
+		then
+			echo "ERROR: SHA-256 hashes mismatched"
+			exit 1
+		fi
+	debuerreotype-chroot $WD/chroot dpkg -i /tmp/$1
+	rm -f $WD/chroot/tmp/$1
+done
+
+# END

tools/hooks/02-fix-initramfs-tools.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# mkinitramfs generates non-reproducible ramdisk images
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845034
+# The initramfs-tools packages from tails fixed the above
+
+set -x   # Print each command before executing it
+set -e   # Exit immediately should a command fail
+set -u   # Treat unset variables as an error and exit immediately
+
+PKG1="initramfs-tools-core_0.130.0tails1_all.deb"
+SHAPKG1="db1d9dcd6d0c9587136c5a65419ee9eaa7a8a20c163dd2718cd826056a893819  -"
+
+PKG2="initramfs-tools_0.130.0tails1_all.deb"
+SHAPKG2="36c39407b505015a80e666726018edad37211d594b862238475d59d3de4e0da9  -"
+
+for PKG in "${PKG1} ${SHAPKG1}" "${PKG2} ${SHAPKG2}"
+do
+	set -- $PKG # parses variable PKG $1 name and $2 hash and $3 "-"
+	cp $PACKAGE_DIR/$1 $WD/chroot/tmp
+	echo "Calculating SHA-256 HASH of the $1"
+	HASH=$(sha256sum < "$WD/chroot/tmp/$1")
+		if [ "$HASH" != "$2  $3" ]
+		then
+			echo "ERROR: SHA-256 hashes mismatched"
+			exit 1
+		fi
+	debuerreotype-chroot $WD/chroot dpkg -i /tmp/$1
+	rm -f $WD/chroot/tmp/$1
+done
+
+# END

tools/hooks/03-fix-gtk-immodules-cache.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# gtk+2.0 and gtk+3.0 immodules.cache is not reproducible
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872729
+# and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875700
+# The gtk+ packages from tails fixed the above
+
+set -x   # Print each command before executing it
+set -e   # Exit immediately should a command fail
+set -u   # Treat unset variables as an error and exit immediately
+
+PKG1="libgtk2.0-common_2.24.31-2.0tails1_all.deb"
+SHAPKG1="0862890d70bafeb6b4a7a1c1da05c90569e0147522d6526fad6d146d6335b79f  -"
+
+PKG2="libgtk2.0-0_2.24.31-2.0tails1_amd64.deb"
+SHAPKG2="a0ae2652c5ca8461752f17ab22aa385c588481351b7b4aeb199a3d23d6479c34  -"
+
+PKG3="gir1.2-gtk-3.0_3.22.11-1.0tails1_amd64.deb"
+SHAPKG3="01db265c90f351367c73cd7ecedeca2f490374579320c5240feecdc70040917e  -"
+
+PKG4="gtk-update-icon-cache_3.22.11-1.0tails1_amd64.deb"
+SHAPKG4="4e49e6161a93424700ced09d0225574d3f6dd406ba9f9e14c36a50e870faab16  -"
+
+PKG5="libgtk-3-common_3.22.11-1.0tails1_all.deb"
+SHAPKG5="605e3c77857d9c55932c7f497f56c70d46af65af59600e5507f42aea3832a848  -"
+
+PKG6="libgtk-3-0_3.22.11-1.0tails1_amd64.deb"
+SHAPKG6="a8946b779ccf305da8dadefa9d7d9402ccfe756246dd70a251e4375076a83648  -"
+
+for PKG in "${PKG1} ${SHAPKG1}" "${PKG2} ${SHAPKG2}" "${PKG3} ${SHAPKG3}" "${PKG4} ${SHAPKG4}" "${PKG5} ${SHAPKG5}" "${PKG6} ${SHAPKG6}"
+do
+	set -- $PKG # parses variable PKG $1 name and $2 hash and $3 "-"
+	cp $PACKAGE_DIR/$1 $WD/chroot/tmp
+	echo "Calculating SHA-256 HASH of the $1"
+	HASH=$(sha256sum < "$WD/chroot/tmp/$1")
+		if [ "$HASH" != "$2  $3" ]
+		then
+			echo "ERROR: SHA-256 hashes mismatched"
+			exit 1
+		fi
+	debuerreotype-chroot $WD/chroot dpkg -i /tmp/$1
+	rm -f $WD/chroot/tmp/$1
+done
+
+# END

tools/hooks/04-fix-gdk-pixbuf-glib2.0-shadow.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# gdk-pixbuf's loaders.cache is not reproducible
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875704
+# giomodule.cache is not reproducible
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873625
+# The file /etc/shadow is not reproducible
+# Reference https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857803
+# The packages from sid (unstable) fixed the above
+
+set -x   # Print each command before executing it
+set -e   # Exit immediately should a command fail
+set -u   # Treat unset variables as an error and exit immediately
+
+# Adding sid (unstable) to /etc/apt/sources.list
+debuerreotype-chroot $WD/chroot sed -i "$ a\deb \
+http://snapshot.debian.org/archive/debian/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') \
+sid main" /etc/apt/sources.list
+
+# Installing sid (unstable) packages
+debuerreotype-apt-get $WD/chroot update
+debuerreotype-chroot $WD/chroot DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Check-Valid-Until=false install \
+  --no-install-recommends --yes -t sid \
+	gir1.2-gdkpixbuf-2.0 libgdk-pixbuf2.0-common libgdk-pixbuf2.0-0 \
+	libglib2.0-0 \
+	login passwd
+debuerreotype-apt-get $WD/chroot --yes --purge autoremove
+debuerreotype-apt-get $WD/chroot --yes clean
+
+# Turning off the shadow passwords
+debuerreotype-chroot $WD/chroot shadowconfig off
+debuerreotype-chroot $WD/chroot rm -f /etc/shadow-
+
+# END

tools/hooks/05-fix-non-reproducible-files.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Fixing non-reproducible files
+
+set -x   # Print each command before executing it
+set -e   # Exit immediately should a command fail
+set -u   # Treat unset variables as an error and exit immediately
+
+# Truncating the snakeoil SSL key pair and deleting the symbolic link generated
+# by ssl-cert because is not reproducible
+
+debuerreotype-chroot $WD/chroot truncate -s 0 /etc/ssl/certs/ssl-cert-snakeoil.pem
+debuerreotype-chroot $WD/chroot truncate -s 0 /etc/ssl/private/ssl-cert-snakeoil.key
+debuerreotype-chroot $WD/chroot find "/etc/ssl/certs" -lname "ssl-cert-snakeoil.pem" -exec rm -f '{}' +
+
+# Truncating not reproducible file
+debuerreotype-chroot $WD/chroot truncate -s 0 /etc/machine-id
+
+# Removing python compiled bytecode
+debuerreotype-chroot $WD/chroot find "/usr" -name "*.pyc" -exec rm -f '{}' +
+
+# END

tools/mksquashfs-excludes

@@ -0,0 +1,10 @@
+boot/*
+tmp/*
+var/lib/apt/lists/*
+usr/share/doc/*
+usr/share/icons/*/.icon-theme.cache
+usr/share/icons/*/icon-theme.cache
+var/cache/debconf/*
+var/lib/dpkg/info/*.md5sums
+var/lib/systemd/catalog/database
+var/log/*

variables.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# Configuration for creation of the ISO image. This script is executed by
+# create-iso.sh
+
+set -x   # Print each command before executing it
+set -e   # Exit immediately should a command fail
+set -u   # Treat unset variables as an error and exit immediately
+
+export RELEASE=0.4.0   # Release version number
+export DATE=20180311   # Timestamp to use for version packages (`date +%Y%m%d`)
+export DIST=stretch    # Debian distribution to base image on
+export ARCH=amd64      # Target architecture
+export SHASUM="8105b885b176741d25ef9d391c6a302aed3f6c916093a621a865cb90d560774f  -" # ISO image SHA-256 
+export SOURCE_DATE_EPOCH="$(date --utc --date="$DATE" +%s)" # defined by reproducible-builds.org
+export WD=/opt/coen-${RELEASE}	       # Working directory to create the image
+export ISONAME=${WD}-${ARCH}.iso       # Final name of the ISO image
+export TOOL_DIR=/tools                 # Location to install the tools
+export HOOK_DIR=$TOOL_DIR/hooks        # Hooks
+export PACKAGE_DIR=$TOOL_DIR/packages  # Packages