osbase/build/mkverity: make build reproducible

The verity encoder previously generated a random salt. To make the build
reproducible, the salt is now taken from a hash of the entire input
file.

I shortened the salt from 64 bytes to 16 bytes. This is enough for the
purpose of the salt, which is to make hash collisions not reusable
across images. A potential benefit of the 64 byte salt is that it fills
a sha256 block and thus the remaining data is aligned to that block
size. On the other hand, with a 16 byte salt, one fewer hash block is
needed because the sha256 length fits in the last partially filled
block.

The encoder also generated a random UUID, but this did not affect
reproducibility as we do not write the superblock. For now, I removed
the UUID generation as it is completely unused.

Now, the build of //metropolis/node:oci_image is reproducible on my
machine.

Change-Id: I756ca31d02e65c7d6ce7bbfd6749c835ab696f3f
Reviewed-on: https://review.monogon.dev/c/monogon/+/4418
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
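
The salt reasoning in the commit message, as an added Go example that is not code from this commit or from the project: it derives a deterministic 16-byte salt from the image contents and counts the SHA-256 compression blocks needed for a salted 4096-byte data block. The names `deriveSalt`, `sha256Blocks` and `hashBlock` are hypothetical, and the derivation (SHA-256 of the image truncated to 16 bytes) and the salt-first ordering are assumptions, since the page does not show the commit's own derivation.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

const saltSize = 16 // salt length stated in the commit message

// deriveSalt returns a deterministic salt for an image. Assumption: the
// first saltSize bytes of SHA-256 over the whole image; the page only says
// the salt comes from "a hash of the entire input file".
func deriveSalt(image []byte) []byte {
	sum := sha256.Sum256(image)
	return sum[:saltSize]
}

// sha256Blocks returns how many 64-byte compression blocks SHA-256 processes
// for an n-byte message: the message, one 0x80 padding byte and the 8-byte
// length field, rounded up to a multiple of 64.
func sha256Blocks(n int) int {
	return (n + 1 + 8 + 63) / 64
}

// hashBlock computes the salted digest of one data block with the salt
// written first (assumed ordering, matching the alignment remark above).
func hashBlock(salt, block []byte) [32]byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(block)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func main() {
	// Constructed sample images, not real build outputs.
	a, b := []byte("constructed image A"), []byte("constructed image B")
	block := make([]byte, 4096)

	fmt.Printf("salt(A) = %x\nsalt(B) = %x\n", deriveSalt(a), deriveSalt(b))
	fmt.Println("64-byte salt:", sha256Blocks(64+len(block)), "blocks")
	fmt.Println("16-byte salt:", sha256Blocks(saltSize+len(block)), "blocks")
	fmt.Println("same data block, different digest per image:",
		hashBlock(deriveSalt(a), block) != hashBlock(deriveSalt(b), block))
}
```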
diff --git a/osbase/verity/encoder_test.go b/osbase/verity/encoder_test.go
index 012cb27..2c9c35b 100644
--- a/osbase/verity/encoder_test.go
+++ b/osbase/verity/encoder_test.go
@@ -93,7 +93,8 @@
// Create a Verity encoder, backed with hfd. Configure it to write the
// Verity superblock. Use 4096-byte blocks.
bs := uint32(4096)
- verityEnc, err := NewEncoder(hfd, bs, bs, true)
+ salt := []byte("testsalt")
+ verityEnc, err := NewEncoder(hfd, bs, bs, salt, true)
require.NoError(t, err, "while creating a Verity encoder")
// Write pseudorandom data both to the Verity-protected data device, and
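Review bot: The fixed test salt at the `NewEncoder` call, `[]byte("testsalt")`, is 8 bytes, while the commit message says the build now uses a 16-byte salt; consider a 16-byte value here so the test covers the salt length that mkverity actually produces. The comment above the call still only mentions the superblock and the 4096-byte blocks, so it would also help to note there that the salt is fixed to keep the test output deterministic.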