First public release (v0.4.0)

Dockerfile

@@ -0,0 +1,34 @@
+FROM debian:9.4-slim@sha256:91e111a5c5314bc443be24cf8c0d59f19ffad6b0ea8ef8f54aedd41b8203e3e1
+
+ENV DEBIAN_FRONTEND noninteractive
+
+COPY create-iso.sh .
+COPY variables.sh .
+COPY SHA256SUMS .
+COPY tools/ /tools/
+
+RUN sha256sum -c SHA256SUMS
+
+RUN . ./variables.sh && \
+    rm -f /etc/apt/sources.list && \
+    echo "deb http://snapshot.debian.org/archive/debian/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') $DIST main" >> /etc/apt/sources.list && \
+    echo "deb http://snapshot.debian.org/archive/debian/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') "$DIST"-updates main" >> /etc/apt/sources.list && \
+    echo "deb http://snapshot.debian.org/archive/debian-security/$(date --date "$DATE" '+%Y%m%dT%H%M%SZ') "$DIST"/updates main" >> /etc/apt/sources.list
+
+RUN apt-get update -o Acquire::Check-Valid-Until=false && \
+    apt-get install -o Acquire::Check-Valid-Until=false --no-install-recommends --yes \
+    liblzo2-2 xorriso debootstrap \
+    locales && \
+    sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen && \
+    locale-gen en_US.UTF-8
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+RUN dpkg-reconfigure locales
+
+RUN dpkg -i /tools/squashfs-tools_4.3-3.0tails4_amd64.deb && \
+    dpkg -i /tools/debuerreotype_0.7-1_all.deb
+
+CMD ["/create-iso.sh"]

LICENSE.md

@@ -0,0 +1,14 @@
+Copyright (c) 2018 Internet Corporation for Assigned Names and Numbers
+("ICANN")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED “AS IS" AND ICANN DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ICANN BE LIABLE FOR ANY
+SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Makefile

@@ -0,0 +1,30 @@
+RELEASE = 0.4.0
+
+.PHONY: usage build remove run copy all default
+
+usage:
+	@echo "Please provide an option:"
+	@echo " make build	--- Build the COEN ISO image"
+	@echo " make run	--- Run a container to build the ISO image"
+	@echo " make remove	--- Remove the container"
+	@echo " make copy	--- Copy the ISO image into the host directory"
+	@echo " make all	--- Execute build, remove, run and copy"
+
+build:
+	docker build -t coen:$(RELEASE) .
+
+remove:
+	-docker rm coen
+
+run:
+	docker run -i -t \
+	--privileged \
+	--name=coen \
+	coen:$(RELEASE)
+
+copy:
+	-docker cp coen:/opt/coen-${RELEASE}-amd64.iso .
+
+all: build remove run copy
+
+default: usage

README.md

@@ -0,0 +1,126 @@
+# Ceremony Operating ENvironment (COEN)
+
+COEN is a live operating system consisting of:
+
+- A custom Debian GNU/Linux Live CD
+- The [Key Management Tools](https://github.com/iana-org/dnssec-keytools)
+- The AEP Keyper PKCS#11 provider
+- Assorted utilities.
+
+## Reproducible ISO image to make The Root Zone DNSSEC Key Signing Key Ceremony System more Trustworthy
+
+This **Reproducible** ISO image provide a verifiable process to obtain the same
+hash every time at build the ISO image to increase the confidence in the DNSSEC Key
+Signing Key (KSK) for the Root Zone.
+
+### What are reproducible builds?
+
+Quoted from https://reproducible-builds.org
+
+> Reproducible builds are a set of software development practices that create a
+verifiable path from human readable source code to the binary code used by
+computers.
+>
+> Most aspects of software verification are done on source code, as that is what
+humans can reasonably understand. But most of the time, computers require
+software to be first built into a long string of numbers to be used. With
+reproducible builds, multiple parties can redo this process independently and
+ensure they all get exactly the same result. We can thus gain confidence that a
+distributed binary code is indeed coming from a given source code.
+
+## Acknowledgments
+
+This project cannot be possible without:
+- The [Reproducible Builds](https://reproducible-builds.org/) project
+- [Debian as trust anchor](https://wiki.debian.org/ReproducibleBuilds)
+- [Debuerreotype](https://github.com/debuerreotype/debuerreotype) a reproducible, snapshot-based Debian rootfs builder ([License](https://github.com/debuerreotype/debuerreotype/blob/master/LICENSE))
+- (The Amnesic Incognito Live System)[https://tails.boum.org/index.en.html] ([License](https://tails.boum.org/doc/about/license/index.en.html))
+
+## Requirements for building the ISO image
+
+Building the ISO image requires:
+
+* [Docker](https://www.docker.com/). The recommended Docker version is 18.03.
+* SELinux to be disabled. SELinux must be completely disabled rather than with **permissive mode** since the behave is differently.
+
+### Disabling SELinux
+
+If you are running a Red Hat based distribution, including RHEL, CentOS and
+Fedora, you will probably have the SELinux security module installed.
+
+To check your SELinux mode, run `sestatus` and check the output.
+
+If you see **enforcing** or **permissive** on *"Current mode"*, SELinux is
+enabled and enforcing rules or is enable and log rather than enforce errors.
+
+> **Warning** before proceeding with this, disabling SELinux also disables the
+generation of file contexts so an entire system relabeling is needed afterwards.
+
+To disable SELinux:
+
+- Edit `/etc/sysconfig/selinux` or `/etc/selinux/config` depending of your distro
+- Set the `SELINUX` parameter to `disabled`
+- For the changes to take effect, you need to **reboot** the machine, since
+SELinux is running within the kernel
+- Check the status of SELinux using `sestatus` command
+
+## Building the ISO image
+
+Execute the following commands to build the ISO image:
+
+```
+git clone https://github.com/iana-org/coen && \
+cd coen && \
+make all
+```
+* If you have a error executing `make all` as a non-root user, try to
+execute `sudo make all`.
+
+This will build a docker image with the proper environment to build the
+ISO. Then will run a container executing a bash script to build the ISO and
+if the build succeeded it will copy the resulting ISO into the host directory.
+
+You can execute `make` command to see more options.
+
+## Contributing
+
+### If the build failed
+
+Please send us an issue report at https://github.com/iana-org/coen with the error
+that is displayed in your terminal window.
+
+### If the reproduction succeeded
+
+Congrats for successfully reproducing the ISO image!
+
+You can compute the SHA-256 checksum of the resulting ISO image by yourself:
+
+```
+sha256sum coen-0.4.0-amd64.iso
+```
+or
+```
+shasum -a 256 coen-0.4.0-amd64.iso
+```
+
+Then, comparing it with the following checksum:
+
+```
+8105b885b176741d25ef9d391c6a302aed3f6c916093a621a865cb90d560774f  coen-0.4.0-amd64.iso
+```
+
+### If the reproduction failed
+
+Please help us to improve it. You can install `diffoscope` https://diffoscope.org/
+and download the image from:
+https://github.com/iana-org/coen/releases/tag/v0.4.0-20180311
+and then compare it with your image executing the following command:
+
+```
+diffoscope \
+  --text diffoscope.txt \
+  path/to/public/coen-0.4.0-amd64.iso \
+  path/to/your/coen-0.4.0-amd64.iso
+```
+Please send us an issue report at https://github.com/iana-org/coen attaching the
+diffoscope.txt file.

SHA256SUMS

@@ -0,0 +1,24 @@
+f9fd8d851d5a855cfa97eafe062418fb97e9cb574bab77326e9a34f9e8aa2c98  ./create-iso.sh
+c93b498e8599dd2368ae92622aee2342a312f84ae216eb2ece659fa9e4864ca3  ./tools/debuerreotype_0.7-1_all.deb
+dbed950a8b2e9c35dd76002e414268697a4b84749625753266c13bfbfa5eccb8  ./tools/hooks/00-install-ksk-packages.sh
+fa97bedd94635866336547f7f5c2aaeff10e8533ed86e4819d3820d8ccb1c862  ./tools/hooks/01-fix-fontconfig-cache.sh
+86441e5494f5444c4d14c6e78d0250d86706e4422fc030d538197b0a60ddf5bf  ./tools/hooks/02-fix-initramfs-tools.sh
+fc6ad08b3d8d5fd08e64e031b31766355a6faa4249971fca17fd382f42318df1  ./tools/hooks/03-fix-gtk-immodules-cache.sh
+76b8539898c19f12f9f1ef26da6b1514cb44dfd2b79f34ae81f2494259a763d6  ./tools/hooks/04-fix-gdk-pixbuf-glib2.0-shadow.sh
+b0cb9c6e8ca58353afc5643ba184fc24a501c6f091c354b720ecce736171a951  ./tools/hooks/05-fix-non-reproducible-files.sh
+72e4e673e75466fddd5f3964e3db3f941e0d40214ec37f167fe425b33e60e1c0  ./tools/mksquashfs-excludes
+390fdc4c915aeed379196335e672d6a9af6677e6d675093f8855c85953aae246  ./tools/packages/fontconfig-config_2.11.0-6.7.0tails4_all.deb
+892a2c0b4f8e4874161165cb253755b3bd695ce238b30c3b8e5447ff269c2740  ./tools/packages/fontconfig_2.11.0-6.7.0tails4_amd64.deb
+01db265c90f351367c73cd7ecedeca2f490374579320c5240feecdc70040917e  ./tools/packages/gir1.2-gtk-3.0_3.22.11-1.0tails1_amd64.deb
+4e49e6161a93424700ced09d0225574d3f6dd406ba9f9e14c36a50e870faab16  ./tools/packages/gtk-update-icon-cache_3.22.11-1.0tails1_amd64.deb
+db1d9dcd6d0c9587136c5a65419ee9eaa7a8a20c163dd2718cd826056a893819  ./tools/packages/initramfs-tools-core_0.130.0tails1_all.deb
+36c39407b505015a80e666726018edad37211d594b862238475d59d3de4e0da9  ./tools/packages/initramfs-tools_0.130.0tails1_all.deb
+93e954744ec11e1d6837a792e26cc93b88f0735f7184337c4e65babca65503ab  ./tools/packages/ksk-tools-0.1.0coen_amd64.deb
+2080347093bc714b92d2f02e9c19e51ca23804776c2b52958c25630330b25f1d  ./tools/packages/ksk-xfce-custom-0.1.0coen_amd64.deb
+933adbbead4fd8ced095b5f43fd82b092298aaf95436d8b051b2ee9a4abee917  ./tools/packages/libfontconfig1_2.11.0-6.7.0tails4_amd64.deb
+a8946b779ccf305da8dadefa9d7d9402ccfe756246dd70a251e4375076a83648  ./tools/packages/libgtk-3-0_3.22.11-1.0tails1_amd64.deb
+605e3c77857d9c55932c7f497f56c70d46af65af59600e5507f42aea3832a848  ./tools/packages/libgtk-3-common_3.22.11-1.0tails1_all.deb
+a0ae2652c5ca8461752f17ab22aa385c588481351b7b4aeb199a3d23d6479c34  ./tools/packages/libgtk2.0-0_2.24.31-2.0tails1_amd64.deb
+0862890d70bafeb6b4a7a1c1da05c90569e0147522d6526fad6d146d6335b79f  ./tools/packages/libgtk2.0-common_2.24.31-2.0tails1_all.deb
+5c7ab880233139bc213d2ef214dc6c433eac488eaa51f8d59c4eb791fa777293  ./tools/squashfs-tools_4.3-3.0tails4_amd64.deb
+eb66b37b4c0a81285e0c2fa18787b942fdee63a4d1c25cb4343ab50c03d1524a  ./variables.sh