Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 3871fa1003840be797fc3f49efb716ae5f4862b1
commit3871fa1003840be797fc3f49efb716ae5f4862b1[log] [tgz]
authorJan Schär <jan@monogon.tech>Wed Jul 09 17:30:00 2025 +0000
committerJan Schär <jan@monogon.tech>Thu Jul 10 11:11:12 2025 +0000
tree22394cf2fbae2c134fc297b9e7231b640b3b9218
parent58bbc85c27d2d91276113640ba1fe6ea0f2e8b0c [diff]
osbase/build/mkverity: make build reproducible

The verity encoder previously generated a random salt. To make the build
reproducible, the salt is now taken from a hash of the entire input
file.

I shortened the salt from 64 bytes to 16 bytes. This is enough for the
purpose of the salt, which is to make hash collisions not reusable
across images. A potential benefit of the 64 byte salt is that it fills
a sha256 block and thus the remaining data is aligned to that block
size. On the other hand, with a 16 byte salt, one fewer hash block is
needed because the sha256 length fits in the last partially filled
block.

The encoder also generated a random UUID, but this did not affect
reproducibility as we do not write the superblock. For now, I removed
the UUID generation as it is completely unused.

Now, the build of //metropolis/node:oci_image is reproducible on my
machine.

Change-Id: I756ca31d02e65c7d6ce7bbfd6749c835ab696f3f
Reviewed-on: https://review.monogon.dev/c/monogon/+/4418
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
3 files changed
tree: 22394cf2fbae2c134fc297b9e7231b640b3b9218
  1. .github/
  2. .vscode/
  3. build/
  4. cloud/
  5. go/
  6. metropolis/
  7. osbase/
  8. third_party/
  9. tools/
  10. version/
  11. .bazelignore
  12. .bazelproject
  13. .bazelrc
  14. .bazelrc.ci
  15. .bazelversion
  16. .git-ignore-revs
  17. .gitignore
  18. BUILD.bazel
  19. CODING_STANDARDS.md
  20. go.mod
  21. go.sum
  22. LICENSE
  23. MODULE.bazel
  24. MODULE.bazel.lock
  25. README.md
  26. SETUP.md
  27. shell.nix
README.md

Monogon Monorepo

This is the main repository containing the source code for the Monogon Platform.

This is pre-release software - take a look, and check back later! In the meantime, join us on Matrix (#monogon-os-community:matrix.org) or Discord.

Environment

Our build environment is self-contained and requires only minimal host dependencies:

  • A Linux machine or VM.
  • Bazelisk >= v1.15.0 (or a working Nix environment).
  • A reasonably recent kernel with user namespaces enabled.
  • Working KVM with access to /dev/kvm (if you want to run tests).

Our docs assume that Bazelisk is available as bazel on your PATH.

Refer to SETUP.md for detailed instructions.

Monogon OS

The source code lives in //metropolis (Metropolis is the codename of Monogon OS).

See the //metropolis/README.md for a developer quick start guide, or see the Monogon OS Handbook for user documentation.