SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4a3971cb069d843787d6e7c1303880a9ffda7c1d
SilverMetal/linux/build
History
SysAdmin 4a3971cb06
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 1m13s
Details
fix(linux/build): correct derivative-maker CLI invocation (M1.1) 
Run #4253 finally got past all the harness failures and into
derivative-maker's actual build steps, where 1100_sanity-tests
rejected our invocation with:

    unknown option (1): '--build'

The CLI we'd been passing was built from invented flag names rather
than the real grammar in derivative-maker/help-steps/parse-cmd.
Concretely:

  - `--build`  is not a real option (just wrong)
  - `--flavour` should be `--flavor` (upstream uses American spelling)
  - `--dist`   is not a real option; dist is implicit from `--flavor`
                (kicksecure-cli ⇒ bookworm)
  - `--config` is not a real option; the silvermetal-base.conf is
                sourced into env above the invocation, no flag needed
  - `--freedom true|false` was missing entirely; parse-cmd requires it
                for `--arch amd64` (line 70 in parse-cmd) — the script
                exits if neither is set

Fix: build-inner.sh now invokes
    ./derivative-maker --flavor … --target … --arch … --freedom …
which is the minimal valid form per parse-cmd's case-branches.

Set DERIVATIVE_FREEDOM=false in silvermetal-base.conf, matching
Kicksecure's own public-ISO choice — `--freedom true` would omit
firmware-nonfreedom and the resulting ISO wouldn't initialise wifi /
many GPUs / Intel microcode on most hardware. Privacy/functionality
trade-off documented inline; the hardening overlay in M1.2+ can
revisit if that conversation becomes useful.

Verified: bash -n on both scripts. No image rebuild needed — pure
script and config changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 11:18:38 +01:00
..
config
fix(linux/build): correct derivative-maker CLI invocation (M1.1)
2026-05-07 11:18:38 +01:00
derivative-maker @ 51358698cd
feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
2026-04-26 04:25:48 +01:00
docker
fix(linux/build): run derivative-maker as unprivileged builder user (M1.1)
2026-05-07 11:09:42 +01:00
runner
feat(linux/build): silvermetal-builder Gitea Actions runner deployment
2026-04-26 11:59:44 +01:00
scripts
fix(linux/build): correct derivative-maker CLI invocation (M1.1)
2026-05-07 11:18:38 +01:00
.gitignore
feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
2026-04-26 04:25:48 +01:00
derivative-maker.PIN.md
feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
2026-04-26 04:25:48 +01:00
README.md
feat(linux/build): scaffold reproducible ISO build pipeline (M1.1)
2026-04-26 04:25:48 +01:00

README.md

SilverMetal Linux — reproducible ISO build pipeline

Milestone: Phase 1 / M1.1 — Kicksecure fork builds reproducibly. Exit criterion: two clean builds of the same commit produce a byte-identical SHA256.

This directory holds everything that turns a SilverMetal commit into a SilverMetal Linux ISO. M1.1 ships only the base (un-hardened) Kicksecure derivative. Hardening overlay, kernel swap, AppArmor profiles, etc. land in M1.2+ and must not be added here in the M1.1 PR.

Layout

linux/build/
├── README.md                    (this file)
├── derivative-maker/            git submodule -> Kicksecure/derivative-maker
├── config/
│   ├── silvermetal-base.conf    derivative selection + branding
│   ├── snapshot-pin.env         pinned snapshot.debian.org timestamp
│   └── source-date-epoch.env    optional SOURCE_DATE_EPOCH override
├── docker/
│   └── Dockerfile.builder       pinned debian:bookworm-slim builder image
└── scripts/
    ├── build.sh                 wrapper: container run -> derivative-maker
    ├── verify-reproducibility.sh build twice, compare SHA256
    └── diagnose-divergence.sh   diffoscope on mismatch

How reproducibility is achieved

The same levers any deterministic Debian build relies on, stacked together:

Lever Where it lives
Pinned snapshot.debian.org mirror config/snapshot-pin.env
SOURCE_DATE_EPOCH from commit time scripts/build.sh (auto)
Pinned builder image (by digest) docker/Dockerfile.builder + BUILDER_IMAGE
Deterministic mksquashfs flags MKSQUASHFS_OPTIONS in base conf
Pinned upstream toolchain derivative-maker/ submodule
LC_ALL=C.UTF-8, TZ=UTC scripts/build.sh

diffoscope is the diagnostic tool used by diagnose-divergence.sh; the gate itself is plain sha256sum.

Reproduce a release locally

Procedure mirrors docs/trust-model.md § Reproducible builds.

Prerequisites: a Linux host (or WSL2) with Docker, ~30 GB free disk, ~8 GB RAM.

# 1. Clone the repo at the release tag.
git clone --recurse-submodules https://git.silverlabs.uk/SilverLABS/SilverMetal.git
cd SilverMetal
git checkout v1.1.0   # whichever release you want to verify

# 2. Build twice and compare. ~60-90 minutes per build.
linux/build/scripts/verify-reproducibility.sh

# 3. Compare against the published release.
sha256sum -c <(curl -fsSL https://git.silverlabs.uk/SilverLABS/SilverMetal/releases/download/v1.1.0/SHA256SUMS)

Mismatch with the published artefact = supply-chain anomaly. Report channel: security@silverlabs.uk.

Build once (no reproducibility check)

linux/build/scripts/build.sh
# Output lands in linux/build/output/<short-sha>/

The wrapper requires BUILDER_IMAGE to be pinned by digest. Local dev that hasn't built and pushed an image yet should override:

BUILDER_IMAGE=docker-registry:5000/silvermetal-builder@sha256:<digest> \
    linux/build/scripts/build.sh

Gitea Actions

The CI workflow (.gitea/workflows/build-iso-linux.yaml) is the authority for "did this commit build reproducibly?". It:

  1. Checks out the commit with submodules.
  2. Runs build.sh twice in ${GITHUB_WORKSPACE}/build-{a,b}.
  3. Fails the run if the two ISO SHA256s differ, and uploads a diffoscope report as an artefact.
  4. On a tag push, attaches the verified ISO + SHA256SUMS + BUILD_INFO to a Gitea release.

Self-hosted runner setup

The workflow runs on runs-on: silvermetal-builder, a self-hosted, privileged-capable Gitea Actions runner. Create it before merging the workflow:

  1. Provision a Debian 12 VM on the cluster with ≥ 8 vCPU, ≥ 16 GB RAM, ≥ 100 GB disk.
  2. Install Docker (apt install docker.io); ensure the runner user can run docker run --privileged.
  3. Register act_runner against git.silverlabs.uk with label silvermetal-builder.
  4. Pre-pull the builder image so the first reproducibility run isn't a cold start: docker pull docker-registry:5000/silvermetal-builder:latest
  5. Cache the apt snapshot in a Docker volume to avoid throttling: docker volume create silvermetal-apt-cache

The runner host name must not leak into ISO content. LC_ALL=C.UTF-8 and a constant TZ in the wrapper guard against that, but spot-check with diagnose-divergence.sh.

Bumping pinned inputs

Each of these is a deliberate, reviewed action — never automate:

  • derivative-maker submodule — bump in its own PR, with a verification log showing two clean builds match.
  • snapshot-pin.env — same procedure.
  • Builder image (Dockerfile.builder digest) — rebuild, push, update BUILDER_IMAGE in build.sh, run reproducibility check, commit all four together.

What this milestone is not

  • No hardening overlay (M1.2)
  • No SilverBrowser/SilverVPN/SilverSync/SilverChat integration (M1.61.9)
  • No installer branding (M1.5)
  • No update server (M1.10)
  • No SBOM publication (M1.11)
  • No signing ceremony / MOK / Secure Boot wiring (separate milestone)

If a change to this directory expands its scope into one of those, push back — the M1.1 gate is intentionally narrow.

Reference in New Issue View Git Blame Copy Permalink