path: root/config/chroot_local-hooks/99-zzzzzz_reproducible-builds-post-processing
blob: 5dc6a220bfdfa0784f9b343b423125ef3889d123 (plain)
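#! /bin/sh

# Post-processing hook for the build chroot (see the path under
# config/chroot_local-hooks): remove or normalise the files that would
# otherwise make the resulting filesystem differ from build to build.
#
# Environment:
#   SOURCE_DATE_EPOCH  build timestamp, seconds since the Unix epoch; required.
#
# Every step is fatal (set -e): a missing file or a failed command aborts the
# build rather than silently producing a non-reproducible image.

set -e

echo "Post processing filesystem to make it reproducible"

if [ -z "${SOURCE_DATE_EPOCH}" ]; then
    echo "SOURCE_DATE_EPOCH was not set!" >&2
    exit 1
fi

# The value is handed to date(1) and, derived from it, to chage(1) below.
# Reject anything that is not a plain non-negative integer up front, so a
# malformed value produces a clear message instead of an arithmetic error
# deep in the chage step.
case "${SOURCE_DATE_EPOCH}" in
    *[!0-9]*)
        echo "SOURCE_DATE_EPOCH is not a non-negative integer:" \
             "${SOURCE_DATE_EPOCH}" >&2
        exit 1
        ;;
esac

# These files are pretty useless for us and mainly occupy space on the
# image. They are, for instance, not useful for checking the
# authenticity of the filesystem (an external verification tool and
# source of these checksums would be required), and checking for
# corruption is less relevant in Tails' context, where the system
# partition is read-only (the point being: if they do differ, chances
# are problems would manifest in much more obvious ways).
# An unmatched glob is passed literally to rm, which then fails and
# aborts the build -- that strictness is intentional.
rm /var/lib/dpkg/info/*.md5sums

# Clear caches and remove precompiled code. These will be generated
# on-the-fly when needed instead of being shipped on the image, so
# we'll require a bit more RAM and startup times, while the image will
# be smaller (and more reproducible!).
rm /etc/console-setup/cached_setup_keyboard.sh
rm /var/cache/ldconfig/aux-cache
rm /var/lib/systemd/catalog/database

# Delete non-deterministically generated files, that should not be shared among
# all Tails systems anyway. We don't ship SSHd, so we don't bother generating
# them at boot.
# We remove with -f due to a suspected race condition: it seems that
# .../authentication/sphere/S.gpg-agent can be removed (by gpg-agent?)
# *right after* `rm -r` has listed it, so that when `rm` tries to
# remove it, it doesn't exist any more and it fails.
if [ -d /var/lib/monkeysphere/authentication/ ]; then
    rm -rf /var/lib/monkeysphere/authentication/
else
    echo 'Cannot remove /var/lib/monkeysphere/authentication/:' \
         'directory does not exist' >&2
    exit 1
fi

# Empty non-deterministically generated file. If it exists and is empty, systemd
# will automatically set up a new unique ID. But if does not exist, systemd
# will populate /etc with preset unit settings, which will for example re-enable
# units we have disabled (#11970).
: > /etc/machine-id

# Remove logs.
rm -r /var/lib/dkms/*/*/*/*/log

# Post-process /etc/shadow by setting the sp_lstchg field to the number of days
# since SOURCE_DATE_EPOCH instead of 1st Jan 1970. (#12339)
# XXX:Buster: drop this if https://bugs.debian.org/857803 is fixed.
#
# The day number is computed once, as a separate assignment, so a failing
# date(1) is caught by set -e instead of being swallowed inside a command
# substitution in an argument list.
lastday="$(($(date --utc --date "@${SOURCE_DATE_EPOCH}" "+%s") / 86400))"

# Read the account names directly instead of `cut | xargs`: a pipeline hides
# the exit status of cut under plain sh (no pipefail), and xargs reinterprets
# quotes and backslashes in its input, which is not wanted for field data.
# The trailing `|| [ -n ... ]` handles a last line without a newline; blank
# lines are skipped rather than being passed to chage as an empty user.
while IFS=: read -r user _ || [ -n "${user}" ]; do
    [ -n "${user}" ] || continue
    chage --lastday "${lastday}" "${user}"
done < /etc/shadow

# A user reported all executable bits of /etc/hostname being set when
# trying to reproduce Tails 3.1. See #13623 for details.
chmod u=rw,go=r /etc/hostname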