image: unset password reset date to ensure reprodicibility (#3466)

* image: unset password reset date
edgelesssys · Nov 4, 2024 · 960499a · 960499a
1 parent 54058ee
commit 960499a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/image/base/BUILD.bazel b/image/base/BUILD.bazel
@@ -30,6 +30,7 @@ copy_to_directory(
     mkosi_image(
         name = "base_" + kernel_variant,
         srcs = [
+            "mkosi.finalize",
             "mkosi.postinst",
             "mkosi.prepare",
         ] + glob([

diff --git a/image/base/mkosi.finalize b/image/base/mkosi.finalize
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+# For some reason yet unknown, SourceDateEpoch is not applied correctly to the
+# users added by systemd-sysusers. This has only been observed in our mkosi
+# flake so far, not in an upstream mkosi configuration.
+# TODO(burgerdev): wait for a couple of Nix package upgrades and try again?
+
+# Strategy: unset the "last password change" date without leaving a trace in
+# /etc/shadow-.
+tmp=$(mktemp)
+cp -a "${BUILDROOT}/etc/shadow-" "${tmp}"
+mkosi-chroot chage -d "" etcd
+cp -a "${tmp}" "${BUILDROOT}/etc/shadow-"