From dc6a22375b4bae4c45276a5071da09073966df5e Mon Sep 17 00:00:00 2001
From: James Westby <james@jameswestby.net>
Date: Thu, 26 Sep 2019 19:42:38 +0100
Subject: [PATCH] Fix reproducible builds by fixing date in /etc/shadow

The builds were reproducible provided they were done on the same day.

However if they were done on different days they had different dates
in /etc/shadow and so changed. This meant that the images were
updated every day, and sometimes the reproducibility check would
fail if the day ticked over between the builds.
---
 mkimage |  5 +++++
 test    | 11 +++++++++++
 2 files changed, 16 insertions(+)

diff --git a/mkimage b/mkimage
index 813d7e0..ff6a434 100755
--- a/mkimage
+++ b/mkimage
@@ -197,6 +197,11 @@ rm -r /var/lib/apt/lists /var/cache/apt/archives
 EOF
 chmod 0755 "$rootfsDir/usr/sbin/install_packages"
 
+# Set the password change date to a fixed date, otherwise it defaults to the current
+# date, so we get a different image every day. SOURCE_DATE_EPOCH is designed to do this, but
+# was only implemented recently, so we can't rely on it for all versions we want to build
+# We also have to copy over the backup at /etc/shadow- so that it doesn't change
+chroot "$rootfsDir" getent passwd | cut -d: -f1 | xargs -n 1 chroot "$rootfsDir" chage -d 17885 && cp "$rootfsDir/etc/shadow" "$rootfsDir/etc/shadow-"
 
 # Capture the most recent date that a package in the image was changed.
 # We don't care about the particular date, or which package it comes from,
diff --git a/test b/test
index d675c85..6381538 100755
--- a/test
+++ b/test
@@ -60,3 +60,14 @@ fi
 # See https://github.com/bitnami/minideb/issues/16
 desc "Check that we can install mysql-server (#16)"
 test install_packages $MYSQL_PACKAGE
+
+function shadow_check() {
+    local path=$1
+    test bash -c "(! cut -d: -f3 < $path | grep -v 17885 >/dev/null) || (cat $path && false)"
+}
+
+desc "Check that all users have a fixed day as the last password change date in /etc/shadow"
+shadow_check /etc/shadow
+
+desc "Check that all users have a fixed day as the last password change date in /etc/shadow-"
+shadow_check /etc/shadow-