almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-05-05 21:21:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

Use an image digest to enforce container image determinism

Browse source 
66600f32dc introduced various improvements
to the determinism of the container image in this repository. This
change builds on this effort by introducing support for a container
image digest. Image digests are immutable references, unlike tags, which
are mutable (except when optionally configured as immutable in certain
container registries, but not `docker.io`).
This commit is contained in:
sudoforge 2025-03-29 22:23:37 -07:00
parent dfcb74b427
commit 83f6e430f3
No known key found for this signature in database
GPG key ID: 41BF61468C327D5A
4 changed files with 9 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
Dockerfile
View file

@ -3,8 +3,9 @@
# docs/developer/reproducibility.md.
ARG DEBIAN_IMAGE_DATE=20250224
ARG DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
ARG GVISOR_ARCHIVE_DATE=20250217
ARG DEBIAN_ARCHIVE_DATE=20250226
@ -185,8 +186,8 @@ RUN mkdir -p \
# Copy the /etc and /var directories under the new root directory. Also,
# copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
#
# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
# servers added there during image build time.
# NOTE: We also have to remove the resolv.conf file, in order to not leak any
# DNS servers added there during image build time.
RUN cp -r /etc /var /new_root/ \
&& rm /new_root/etc/resolv.conf
RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \

2
Dockerfile.env
View file

@ -1,5 +1,7 @@
# Can be bumped to the latest date in https://hub.docker.com/_/debian/tags?name=bookworm-
DEBIAN_IMAGE_DATE=20250224
# Should be the INDEX DIGEST for the tag with the selected build date
DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
# Can be bumped to today's date
DEBIAN_ARCHIVE_DATE=20250226
# Can be bumped to the latest date in https://github.com/google/gvisor/tags

3
Dockerfile.in
View file

@ -3,8 +3,9 @@
# docs/developer/reproducibility.md.
ARG DEBIAN_IMAGE_DATE={{DEBIAN_IMAGE_DATE}}
ARG DEBIAN_IMAGE_DIGEST={{DEBIAN_IMAGE_DIGEST}}
FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
ARG GVISOR_ARCHIVE_DATE={{GVISOR_ARCHIVE_DATE}}
ARG DEBIAN_ARCHIVE_DATE={{DEBIAN_ARCHIVE_DATE}}

1
docs/developer/reproducibility.md
View file

@ -28,6 +28,7 @@ This means that rebuilding the image without updating our Dockerfile will
Here are the necessary variables that make up our image in the `Dockerfile.env`
file:
* `DEBIAN_IMAGE_DATE`: The date that the Debian container image was released
* `DEBIAN_IMAGE_DIGEST`: The date that the Debian container image was released
* `DEBIAN_ARCHIVE_DATE`: The Debian snapshot repo that we want to use
* `GVISOR_ARCHIVE_DATE`: The gVisor APT repo that we want to use
* `H2ORESTART_CHECKSUM`: The SHA-256 checksum of the H2ORestart plugin