fix building images when non-binary reproducible builds are present

closure-info has one flaw: it's possible that this file contains stale
information when builds are not reproducible and the local checksum
doesn't match what the remote build created.
The work-around here is that we disregard the hashes and re-compute with
what nar's we actually have locally instead.
Jörg Thalheim 2024-05-06 19:29:20 +02:00
parent e5b3299a14
commit 4f8c8580b4
2 changed files with 48 additions and 1 deletions

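--- /dev/null
+++ b/lib/closure-info.nix
@@ -0,0 +1,45 @@
+# This is a modified version of the closure-info derivation from nixpkgs.
+# Unlike the original, it does not include hashes in the registration file,
+# which might be incorrect if a build is not binary reproducible.
+# This derivation builds two files containing information about the
+# closure of 'rootPaths': $out/store-paths contains the paths in the
+# closure, and $out/registration contains a file suitable for use with
+# "nix-store --register-validity".
+{ stdenv, coreutils, jq }:
+{ rootPaths }:
+assert builtins.langVersion >= 5;
+stdenv.mkDerivation {
+name = "closure-info";
+__structuredAttrs = true;
+exportReferencesGraph.closure = rootPaths;
+preferLocalBuild = true;
+nativeBuildInputs = [ coreutils jq ];
+empty = rootPaths == [];
+buildCommand =
+''
+out=''${outputs[out]}
+mkdir $out
+if [[ -n "$empty" ]]; then
+echo 0 > $out/total-nar-size
+touch $out/registration $out/store-paths
+else
+jq -r ".closure | map(.narSize) | add" < "$NIX_ATTRS_JSON_FILE" > $out/total-nar-size
+jq -r '.closure | map([.path, "", (.references | length)] + .references) | add | map("\(.)\n") | add' < "$NIX_ATTRS_JSON_FILE" | head -n -1 > $out/registration
+jq -r '.closure[].path' < "$NIX_ATTRS_JSON_FILE" > $out/store-paths
+fi
+'';
+}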
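Review bot: The header comment only says that hashes are omitted; it should also state the consequence, because a registration file without narHash/narSize fields makes `nix-store --register-validity` (without `--hash-given`, as far as I know) hash whatever is on disk and record that as valid, so the check that `--load-db` would have performed against the expected NAR hash is gone and a mismatch caused by a corrupted or altered copy is accepted exactly like one caused by non-reproducibility. Suggested addition after the existing header: `# Consequence: nix-store --register-validity recomputes the NAR hash from the on-disk contents, so content that differs from the original build is registered rather than reported.` The `""` inside the jq expression on the registration line is the empty deriver field of that format rather than a blanked hash slot, which the header invites readers to assume; a comment above it such as `# per path: path, deriver (empty), reference count, references` would make the layout explicit. Note also that total-nar-size is still taken from the exported graph's narSize, i.e. from the same source whose hashes the commit distrusts; presumably acceptable for its use, but worth saying so in the comment.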


@ -38,6 +38,8 @@ let
${lib.concatMapStringsSep "\n" (disk: "mv ${disk.name}.raw \"$out\"/${disk.name}.raw") (lib.attrValues nixosConfig.config.disko.devices.disk)}
${extraPostVM}
'';
closureInfo = pkgs.callPackage ./closure-info.nix { };
partitioner = ''
# running udev, stolen from stage-1.sh
echo "running udev..."
@ -55,7 +57,7 @@ let
# populate nix db, so nixos-install doesn't complain
export NIX_STATE_DIR=$TMPDIR/state
nix-store --load-db < ${pkgs.closureInfo {
${pkgs.fakeroot}/bin/fakeroot nix-store --register-validity --reregister < ${closureInfo {
rootPaths = [ systemToInstall.config.system.build.toplevel ];
}}/registration