image: unset password reset date to ensure reprodicibility (#3466)

* image: unset password reset date
2025-03-14 19:16:42 -04:00 · 2024-11-04 14:53:35 +01:00 · 2024-11-04 14:53:35 +01:00 · 960499a937
commit 960499a937
parent 54058eed2a
2 changed files with 15 additions and 0 deletions
--- a/image/base/BUILD.bazel
+++ b/image/base/BUILD.bazel
@ -30,6 +30,7 @@ copy_to_directory(
    mkosi_image(
        name = "base_" + kernel_variant,
        srcs = [
+            "mkosi.finalize",
            "mkosi.postinst",
            "mkosi.prepare",
        ] + glob([
--- a/image/base/mkosi.finalize
+++ b/image/base/mkosi.finalize
@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+# For some reason yet unknown, SourceDateEpoch is not applied correctly to the
+# users added by systemd-sysusers. This has only been observed in our mkosi
+# flake so far, not in an upstream mkosi configuration.
+# TODO(burgerdev): wait for a couple of Nix package upgrades and try again?
+
+# Strategy: unset the "last password change" date without leaving a trace in
+# /etc/shadow-.
+tmp=$(mktemp)
+cp -a "${BUILDROOT}/etc/shadow-" "${tmp}"
+mkosi-chroot chage -d "" etcd
+cp -a "${tmp}" "${BUILDROOT}/etc/shadow-"