mkosi is a tool for building customized OS images. This repository shows how to use Nix to pin mkosi and the tools it requires, and to build bit-for-bit reproducible OS images.
- Clone the repository
git clone https://github.com/edgelesssys/reproducible-mkosi
cd reproducible-mkosi
- Install Nix (we recommend the Determinate Systems installer)
- Enter a shell with mkosi and package manager tools for Fedora or Ubuntu
nix develop .#mkosi-fedora # or nix develop .#mkosi-ubuntu
- Perform two builds and compare the output
nix run .#diffimage fedora # or nix run .#diffimage ubuntu
Hours of debugging went into making this fully reproducible, and there are still things left to do, especially regarding the handling of packages pulled in by the package manager of the target distro. In the following, we list some work we did upstream that explicitly fixes reproducibility issues.
- systemd/mkosi propagate SOURCE_DATE_EPOCH when calling systemd-repart
- systemd/mkosi add config setting seed to set systemd-repart --seed
- systemd/mkosi normalize mtime
- systemd/mkosi make_tar: do not emit extended PAX headers for atime, ctime and mtime
- systemd/mkosi make_cpio: sort files used as cpio input
- systemd/mkosi "-C" flag results in inconsistent relative path handling
- systemd/systemd repart: temporary hardlink store leaks into final image when host uses btrfs
- systemd/systemd mkfs-util: propagate SOURCE_DATE_EPOCH to mcopy
- authselect/authselect remove timestamp from generated files
- NixOS/nixpkgs dosfstools: backport reproducible builds patch
- Pin and archive rpm/deb packages
- Build more parts of the CVM TCB (firmware, kernel, packages from source)
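The upstream fixes listed above (propagating SOURCE_DATE_EPOCH, normalizing mtime, not emitting PAX extended headers for atime/ctime/mtime, sorting the cpio input) and the two-builds-then-compare check from the steps above can be demonstrated on a small scale with Python's tarfile module. The following is an added example, not code from the reproducible-mkosi repository or from mkosi itself; the sample file tree, the timestamps and the file names are constructed, and the archive format (tar instead of mkosi's cpio/repart outputs) is a simplification chosen so it runs offline.

```python
"""Added example, not code from the reproducible-mkosi repository: pack a
directory into a tar archive deterministically, applying the same classes of
fix the upstream list describes (honour SOURCE_DATE_EPOCH, normalize mtime and
ownership, sort the input file list, and use a format that never emits PAX
extended headers carrying atime/ctime/mtime)."""
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def source_date_epoch(default: int = 0) -> int:
    """Timestamp every archive member gets: SOURCE_DATE_EPOCH if set, else `default`."""
    return int(os.environ.get("SOURCE_DATE_EPOCH", default))


def make_tar(root: Path, reproducible: bool, epoch: int = 0) -> bytes:
    """Return the bytes of a tar archive of `root`.

    With reproducible=False the archive carries whatever the host filesystem
    reports (float mtimes, real uid/gid, directory enumeration order) and is
    written in PAX format, which stores the exact mtime in an extended header.
    With reproducible=True every host-dependent field is normalized and the
    GNU format is used, which has no extended headers at all.
    """
    buf = io.BytesIO()
    fmt = tarfile.GNU_FORMAT if reproducible else tarfile.PAX_FORMAT
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tar:
        paths = list(root.rglob("*"))
        if reproducible:
            # Fix the member order so the on-disk directory order cannot leak in.
            paths.sort(key=lambda p: p.relative_to(root).as_posix())
        for p in paths:
            info = tar.gettarinfo(str(p), arcname=p.relative_to(root).as_posix())
            if reproducible:
                info.mtime = epoch            # clamp to SOURCE_DATE_EPOCH
                info.uid = info.gid = 0       # do not record the build user
                info.uname = info.gname = "root"
                info.mode = 0o755 if info.isdir() else 0o644  # umask-independent
            if info.isfile():
                with open(p, "rb") as f:
                    tar.addfile(info, f)
            else:
                tar.addfile(info)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    """Hex digest used to compare two builds, like a diffimage step would."""
    return hashlib.sha256(data).hexdigest()


def _populate(root: Path, order: list[str], mtime: int) -> None:
    """Write a constructed sample tree in the given creation order and mtime."""
    (root / "etc").mkdir()
    for name in order:
        path = root / "etc" / name
        path.write_text(f"{name}=1\n")
        os.utime(path, (mtime, mtime))
    os.utime(root / "etc", (mtime, mtime))


def demo() -> tuple[bool, bool]:
    """Build the same content twice under different host conditions.

    Returns (reproducible builds identical, naive builds identical); the
    expected result is (True, False).
    """
    epoch = source_date_epoch(default=0)
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        # Same files, but created in a different order and at different times
        # (constructed values, standing in for two separate build runs).
        _populate(Path(a), ["hostname", "fstab", "os-release"], 1_700_000_000)
        _populate(Path(b), ["os-release", "hostname", "fstab"], 1_700_000_100)
        repro_equal = sha256(make_tar(Path(a), True, epoch)) == sha256(make_tar(Path(b), True, epoch))
        naive_equal = sha256(make_tar(Path(a), False)) == sha256(make_tar(Path(b), False))
    return repro_equal, naive_equal


if __name__ == "__main__":
    repro, naive = demo()
    print(f"reproducible archives identical: {repro}")
    print(f"naive archives identical:        {naive}")
```

Running the script with `SOURCE_DATE_EPOCH=1700000000 python3 repro_tar.py` (file name assumed) shows the normalized archives hashing identically while the naive ones differ, because the PAX variant records each file's exact float mtime in an extended header. The same principle applies to the real image pipeline: every consumer of timestamps (mkosi, systemd-repart, mcopy) has to see the same SOURCE_DATE_EPOCH, and every enumeration of files has to be sorted before it reaches an archiver.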