Use a digest for the debian base image

66600f32dc introduced various improvements
to the determinism of the container image in this repository. This
change builds on this effort by ensuring that the base image is pulled
by digest. Image digests are immutable references, unlike tags, which
are mutable (except when optionally configured as immutable in certain
container registries, but not `docker.io`).

CHANGELOG.md

@@ -25,6 +25,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
   but enables you to chose which one you want to use, independently of your
   platform. ([#925](https://github.com/freedomofpress/dangerzone/issues/925))
 
+### Changed
+
+- The `debian` base image is now fetched by digest. As a result, your local
+  container storage will no longer show a tag for this dependency.
+
 ## [0.8.1](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...0.8.0)
 
 - Update the container image

Dockerfile

@@ -2,9 +2,9 @@
 # Dockerfile args below. For more info about this file, read
 # docs/developer/reproducibility.md.
 
-ARG DEBIAN_IMAGE_DATE=20250224
+ARG DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
 
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 
 ARG GVISOR_ARCHIVE_DATE=20250217
 ARG DEBIAN_ARCHIVE_DATE=20250226
@@ -185,8 +185,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
-# servers added there during image build time.
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any
+# DNS servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
     && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \

Dockerfile.env

@@ -1,5 +1,8 @@
-# Can be bumped to the latest date in https://hub.docker.com/_/debian/tags?name=bookworm-
-DEBIAN_IMAGE_DATE=20250224
+# Should be the INDEX DIGEST from an image tagged `bookworm-<DATE>-slim`:
+#     https://hub.docker.com/_/debian/tags?name=bookworm-
+#
+# Tag for this digest: bookworm-20250224-slim
+DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
 # Can be bumped to today's date
 DEBIAN_ARCHIVE_DATE=20250226
 # Can be bumped to the latest date in https://github.com/google/gvisor/tags

Dockerfile.in

@@ -2,9 +2,9 @@
 # Dockerfile args below. For more info about this file, read
 # docs/developer/reproducibility.md.
 
-ARG DEBIAN_IMAGE_DATE={{DEBIAN_IMAGE_DATE}}
+ARG DEBIAN_IMAGE_DIGEST={{DEBIAN_IMAGE_DIGEST}}
 
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 
 ARG GVISOR_ARCHIVE_DATE={{GVISOR_ARCHIVE_DATE}}
 ARG DEBIAN_ARCHIVE_DATE={{DEBIAN_ARCHIVE_DATE}}

docs/developer/reproducibility.md

@@ -27,7 +27,7 @@ This means that rebuilding the image without updating our Dockerfile will
 
 Here are the necessary variables that make up our image in the `Dockerfile.env`
 file:
-* `DEBIAN_IMAGE_DATE`: The date that the Debian container image was released
+* `DEBIAN_IMAGE_DIGEST`: The index digest for the Debian container image
 * `DEBIAN_ARCHIVE_DATE`: The Debian snapshot repo that we want to use
 * `GVISOR_ARCHIVE_DATE`: The gVisor APT repo that we want to use
 * `H2ORESTART_CHECKSUM`: The SHA-256 checksum of the H2ORestart plugin