
Wheezy reproducibility #7

Closed
tianon opened this issue Jun 1, 2017 · 8 comments

Comments

tianon (Collaborator) commented Jun 1, 2017

(Filing an official issue to give a single place for discussion/findings.)

From the current README:

Wheezy is a little sad, and will have a delta similar to the following (as seen via diffoscope):

├── etc/apt/trustdb.gpg
│ │ @@ -1,8 +1,8 @@
│ │ -0000000: 0167 7067 0303 0105 0102 0000 591b faa5  .gpg........Y...
│ │ +0000000: 0167 7067 0303 0105 0102 0000 591b fc0c  .gpg........Y...
│ │  0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
│ │  0000020: 0000 0000 0000 0001 0a00 0000 0000 0000  ................
│ │  0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
│ │  0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
│ │  0000050: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
│ │  0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
│ │  0000070: 0000 0000 0000 0000 0a00 0000 0000 0000  ................

Presumably this is some sort of timestamp, but that's just a guess. Suggestions for ways of fixing this would be most welcome! (Otherwise, we'll just wait for Wheezy to go EOL and forget this ever happened. :trollface:)

tianon (Collaborator, Author) commented Jun 1, 2017

Something insane involving gpg --export and gpg --import via faketime -f à la https://labs.riseup.net/code/projects/tails/repository/revisions/b48826f3f89c4f0c1710cb4d346cad4024d93476/entry/config/chroot_local-hooks/55-create-tails-keyring is my only real idea so far (besides hex editing the file somehow).

I was hoping there was some way to simply open the file and force GnuPG to re-save it, but couldn't find anything good (in my testing, it was pretty aggressive about not re-saving when there have been no changes).

yosifkit commented Jun 2, 2017

Using faketime with gpg export/import sounds reasonable to me. 👍

DonKult commented Aug 7, 2017

(accidentally stumbling over this report, no docker nor debuereo user, "just" an apt developer… so take with a bit of salt)

apt doesn't really use trustdb.gpg, but gpg is insisting on it existing in some versions (just like it does for the secret keyring). Wheezy is a while ago so my memory is fuzzy, and in recent versions of apt they don't exist anymore (at least not in permanent form). Perhaps something as simple as removing the file entirely already works in wheezy. If apt-key complains [I think "apt-key update" is the simplest way to test], try touching the file into existence. There is at least no user configuration stored in that file you could lose while testing.

tianon (Collaborator, Author) commented Aug 8, 2017

@DonKult "just" an apt developer 😆 ❤️

So, I gave this a shot, and apt-key immediately re-created the file:

root@cd5987d31d7f:/# rm /etc/apt/trustdb.gpg 
root@cd5987d31d7f:/# apt-key list
gpg: /etc/apt//trustdb.gpg: trustdb created
/etc/apt/trusted.gpg.d//debian-archive-jessie-automatic.gpg
-----------------------------------------------------------
pub   4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
uid                  Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d//debian-archive-jessie-security-automatic.gpg
--------------------------------------------------------------------
pub   4096R/C857C906 2014-11-21 [expires: 2022-11-19]
uid                  Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d//debian-archive-jessie-stable.gpg
--------------------------------------------------------
pub   4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
uid                  Jessie Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d//debian-archive-squeeze-automatic.gpg
------------------------------------------------------------
pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d//debian-archive-squeeze-stable.gpg
---------------------------------------------------------
pub   4096R/B98321F9 2010-08-07 [expired: 2017-08-05]
uid                  Squeeze Stable Release Key <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d//debian-archive-wheezy-automatic.gpg
-----------------------------------------------------------
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d//debian-archive-wheezy-stable.gpg
--------------------------------------------------------
pub   4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
uid                  Wheezy Stable Release Key <debian-release@lists.debian.org>

The resulting new file is ~40 bytes, but the old file is ~1200 bytes.

This is a better test IMO:

root@48eea63f4bed:/# rm /etc/apt/trustdb.gpg
root@48eea63f4bed:/# apt-get update
Get:1 http://security.debian.org wheezy/updates Release.gpg [1554 B]
Get:2 http://deb.debian.org wheezy Release.gpg [2373 B]
Get:3 http://security.debian.org wheezy/updates Release [39.0 kB]                  
Get:4 http://security.debian.org wheezy/updates/main amd64 Packages [697 kB]
Get:5 http://deb.debian.org wheezy-updates Release.gpg [1554 B]             
Get:6 http://deb.debian.org wheezy Release [191 kB]                                        
Get:7 http://deb.debian.org wheezy-updates Release [155 kB]                          
Get:8 http://deb.debian.org wheezy/main amd64 Packages [7634 kB]
Get:9 http://deb.debian.org wheezy-updates/main amd64 Packages [7481 B]
Fetched 8729 kB in 4s (1751 kB/s)                       
Reading package lists... Done
root@48eea63f4bed:/# ls -l /etc/apt/trustdb.gpg
ls: cannot access /etc/apt/trustdb.gpg: No such file or directory

tianon (Collaborator, Author) commented Aug 8, 2017

The diffoscope result is appropriately boring! 😄

$ diffoscope trustdb-old.gpg trustdb.gpg
 |############################|  100%                             Time: 0:00:00 
--- /home/tianon/temp/trustdb-old.gpg
+++ /home/tianon/temp/trustdb.gpg
@@ -1,75 +1,3 @@
-0000000: 0167 7067 0303 0105 0102 0000 5974 649e  .gpg........Ytd.
+0000000: 0167 7067 0303 0105 0102 0000 5989 f903  .gpg........Y...
 0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000020: 0000 0000 0000 0001 0a00 0000 0000 0000  ................
-0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000050: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000070: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00000a0: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-00000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00000c0: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00000f0: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000110: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000140: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000160: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000190: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-00001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00001b0: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00001e0: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000200: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000220: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000230: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000240: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000250: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000260: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000270: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000280: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000290: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00002a0: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-00002b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00002c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00002d0: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-00002e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00002f0: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000300: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000310: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000320: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000330: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000340: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000350: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000360: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000370: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000380: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000390: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-00003a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00003b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00003c0: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-00003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00003e0: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-00003f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000400: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000410: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000420: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000430: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000440: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000450: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000460: 0a00 0000 0000 0000 0000 0000 0000 0000  ................
-0000470: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-0000480: 0000 0000 0000 0000 0a00 0000 0000 0000  ................
-0000490: 0000 0000 0000 0000 0000 0000 0000 0000  ................
-00004a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
+0000020: 0000 0000 0000 0000                      ........
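What both hexdumps on this page are showing (the README excerpt in the first comment and the diffoscope result just above), as an added example that is not code from the issue or from the debuerreotype project: GnuPG's trustdb.gpg is a sequence of 40-byte records, record 0 is the version record, and its bytes 12..15 are the big-endian creation timestamp, which is exactly the span that differs between builds. The record layout follows GnuPG's tdbio.c; the sample records are constructed from the hexdumps quoted on this page.

```python
import struct
from datetime import datetime, timezone

# GnuPG's trustdb.gpg is a sequence of 40-byte records; record 0 is the version record
# (layout as in GnuPG's tdbio.c, big-endian). Fields this page never touches are "reserved".
RECORD_SIZE = 40
VERSION_FMT = ">B3s6B2x7I"
LAYOUT = (  # (field, offset, length) inside the version record
    ("rectype", 0, 1), ("magic", 1, 3), ("version", 4, 1), ("marginals", 5, 1),
    ("completes", 6, 1), ("cert_depth", 7, 1), ("trust_model", 8, 1),
    ("min_cert_level", 9, 1), ("reserved", 10, 2), ("created", 12, 4),
    ("nextcheck", 16, 4), ("reserved", 20, 8), ("firstfree", 28, 4),
    ("reserved", 32, 4), ("trusthashtbl", 36, 4),
)

# Constructed from the README hexdump quoted in the first comment: record 0 of the two
# builds' trustdb.gpg (the real files were 1200 bytes, i.e. 30 records; one is enough here).
BUILD_A = bytes.fromhex("016770670303010501020000591bfaa5") + bytes(20) + bytes.fromhex("00000001")
BUILD_B = bytes.fromhex("016770670303010501020000591bfc0c") + bytes(20) + bytes.fromhex("00000001")
# The 40-byte file gpg re-created in the diffoscope run above: no hash table record yet.
RECREATED = bytes.fromhex("0167706703030105010200005989f903") + bytes(24)


def parse_version_record(data: bytes) -> dict:
    """Decode record 0; reject anything that is not a GnuPG trustdb."""
    if len(data) < RECORD_SIZE or len(data) % RECORD_SIZE:
        raise ValueError("trustdb length is not a multiple of 40 bytes")
    (rectype, magic, version, marginals, completes, cert_depth, trust_model,
     min_cert_level, created, nextcheck, _, _, firstfree, _, trusthashtbl
     ) = struct.unpack(VERSION_FMT, data[:RECORD_SIZE])
    if rectype != 1 or magic != b"gpg":
        raise ValueError("not a GnuPG trustdb version record")
    return {
        "version": version, "trust_model": trust_model, "created": created,
        "created_utc": datetime.fromtimestamp(created, timezone.utc).isoformat(),
        "nextcheck": nextcheck, "firstfree": firstfree, "trusthashtbl": trusthashtbl,
        "records": len(data) // RECORD_SIZE,
    }


def differing_fields(a: bytes, b: bytes) -> list:
    """Name the version-record fields whose bytes differ between two trustdb files."""
    diffs = {name for off in range(RECORD_SIZE) if a[off] != b[off]
             for name, start, length in LAYOUT if start <= off < start + length}
    return sorted(diffs)
```

Running `differing_fields(BUILD_A, BUILD_B)` names only `created`, and the decoded timestamps (2017-05-17 for the README builds, 2017-08-08 for the re-created file) line up with when each file was written, which confirms the "some sort of timestamp" guess in the first comment.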

tianon (Collaborator, Author) commented Aug 8, 2017

Ah, jessie/stretch don't even include this file. Maybe we just add it to the tar-excludes and call it good?

DonKult commented Aug 8, 2017

I suggested "apt-key update" for a test as this is the (back in the day) most used function needing gpg in apt – and it was called by maintainer scripts of many keyring packages (usually pointlessly, but details). "apt update" on the other hand doesn't need gpg, it uses gpgv which can only verify signatures and hence just uses the public keyrings.

So apt-key operations might or might not need a bunch of files depending on gnupg version, luck and probably also moonphase, even if they sound as if they were read-only or would never need a file (like importing a public key requiring atomic rename & write permission on the secret keyring).

Your test seems to indicate that gpg/wheezy creates the trustdb.gpg file if it "needs" it, so I would indeed suggest just excluding it from the image and calling it a day. I was just not sure if that is the case in wheezy already. And yes, shortly after the wheezy release we managed to remove the need for /etc/apt/trustdb.gpg by generating it on the fly in a temp location (without runtime penalties like additional output and too much additional runtime [with many keys]. If you are bored, look at the shellscript /usr/bin/apt-key some day and be shocked^Wamazed).

tianon (Collaborator, Author) commented Aug 8, 2017

Hahahaha, that's some awesome history! ❤️

For completeness, here's the result with apt-key update:

root@b682a4c8d038:/# rm /etc/apt/trustdb.gpg 
root@b682a4c8d038:/# apt-key update
gpg: key B98321F9: "Squeeze Stable Release Key <debian-release@lists.debian.org>" not changed
gpg: key 473041FA: "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" not changed
gpg: key 65FFB764: "Wheezy Stable Release Key <debian-release@lists.debian.org>" not changed
gpg: key 46925553: "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>" not changed
gpg: key 518E17E1: "Jessie Stable Release Key <debian-release@lists.debian.org>" not changed
gpg: key 2B90D010: "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" not changed
gpg: key C857C906: "Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" not changed
gpg: Total number processed: 7
gpg:              unchanged: 7
gpg: /etc/apt//trustdb.gpg: trustdb created

(auto-recreated, as expected)

I'm almost done testing a change which simply excludes the file entirely for the sake of reproducible tarballs (since we don't care as much what happens afterwards, as long as it's consistent, working, non-broken), and should have a PR up before EOD. 😄 👍
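The fix the thread converges on (leave etc/apt/trustdb.gpg out of the rootfs tarball and let gpg re-create it on demand), shown as added example code that is not debuerreotype's own tar-excludes implementation: two constructed rootfs trees, identical except for the trustdb creation timestamp, are packed with normalised tar metadata, and their digests agree only when the file is excluded. The exclude list, the fixed mtime and the metadata normalisation are assumptions of this example.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Hypothetical exclude list, standing in for the tar-excludes discussed in the issue.
TAR_EXCLUDES = frozenset({"etc/apt/trustdb.gpg"})


def _normalise(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip build-host metadata so only path, mode and content affect the archive."""
    info.mtime = 0  # assumed fixed epoch, as a SOURCE_DATE_EPOCH would supply
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    return info


def build_rootfs_tar(root: Path, excludes=TAR_EXCLUDES) -> bytes:
    """Pack `root` deterministically: sorted entries, normalised headers, excludes dropped."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(root.rglob("*")):
            rel = path.relative_to(root).as_posix()
            if rel in excludes:
                continue
            tar.add(path, arcname=rel, recursive=False, filter=_normalise)
    return buf.getvalue()


def tar_digest(root: Path, excludes=TAR_EXCLUDES) -> str:
    return hashlib.sha256(build_rootfs_tar(root, excludes)).hexdigest()


def make_rootfs(trustdb_created: bytes) -> Path:
    """Constructed sample rootfs; only the trustdb version record's timestamp varies."""
    root = Path(tempfile.mkdtemp())
    keyring_dir = root / "etc" / "apt" / "trusted.gpg.d"
    keyring_dir.mkdir(parents=True)
    (keyring_dir / "debian-archive-wheezy-stable.gpg").write_bytes(b"constructed keyring")
    header = bytes.fromhex("016770670303010501020000") + trustdb_created + bytes(24)
    (root / "etc" / "apt" / "trustdb.gpg").write_bytes(header)
    return root


def demo() -> tuple:
    """(same digest with the exclude, same digest without it) for two builds 359 s apart."""
    a = make_rootfs(bytes.fromhex("591bfaa5"))  # timestamps from the README hexdump
    b = make_rootfs(bytes.fromhex("591bfc0c"))
    return tar_digest(a) == tar_digest(b), tar_digest(a, set()) == tar_digest(b, set())
```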
