Merge 83f6e430f3 into dfcb74b427

Use an image digest to enforce container image determinism
66600f32dc introduced various improvements to the determinism of the container image in this repository. This change builds on this effort by introducing support for a container image digest. Image digests are immutable references, unlike tags, which are mutable (except when optionally configured as immutable in certain container registries, but not `docker.io`).
2025-05-05 21:21:49 +02:00 · 2025-03-29 23:24:23 -07:00 · 2025-03-29 23:22:33 -07:00
4 changed files with 9 additions and 4 deletions
--- a/7
+++ b/7
@ -3,8 +3,9 @@
 # docs/developer/reproducibility.md.
 ARG DEBIAN_IMAGE_DATE=20250224
 ARG DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 ARG GVISOR_ARCHIVE_DATE=20250217
 ARG DEBIAN_ARCHIVE_DATE=20250226
@ -185,8 +186,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any
-# servers added there during image build time.
+# DNS servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
    && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \
--- a/Dockerfile.env
+++ b/Dockerfile.env
@ -1,5 +1,7 @@
 # Can be bumped to the latest date in https://hub.docker.com/_/debian/tags?name=bookworm-
 DEBIAN_IMAGE_DATE=20250224
 # Should be the INDEX DIGEST for the tag with the selected build date
 DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
 # Can be bumped to today's date
 DEBIAN_ARCHIVE_DATE=20250226
 # Can be bumped to the latest date in https://github.com/google/gvisor/tags
--- a/Dockerfile.in
+++ b/Dockerfile.in
@ -3,8 +3,9 @@
 # docs/developer/reproducibility.md.
 ARG DEBIAN_IMAGE_DATE={{DEBIAN_IMAGE_DATE}}
 ARG DEBIAN_IMAGE_DIGEST={{DEBIAN_IMAGE_DIGEST}}
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 ARG GVISOR_ARCHIVE_DATE={{GVISOR_ARCHIVE_DATE}}
 ARG DEBIAN_ARCHIVE_DATE={{DEBIAN_ARCHIVE_DATE}}
--- a/docs/developer/reproducibility.md
+++ b/docs/developer/reproducibility.md
@ -28,6 +28,7 @@ This means that rebuilding the image without updating our Dockerfile will
 Here are the necessary variables that make up our image in the `Dockerfile.env`
 file:
 * `DEBIAN_IMAGE_DATE`: The date that the Debian container image was released
 * `DEBIAN_IMAGE_DIGEST`: The date that the Debian container image was released
 * `DEBIAN_ARCHIVE_DATE`: The Debian snapshot repo that we want to use
 * `GVISOR_ARCHIVE_DATE`: The gVisor APT repo that we want to use
 * `H2ORESTART_CHECKSUM`: The SHA-256 checksum of the H2ORestart plugin