8.x.x

.gitattributes

@@ -1,3 +1,3 @@
+Dockerfile* linguist-language=Dockerfile
 *.deb filter=lfs diff=lfs merge=lfs -text
 *.json filter=lfs diff=lfs merge=lfs -text
-*.log filter=lfs diff=lfs merge=lfs -text

.github/Developer Certificate of Origin.md

@@ -0,0 +1,51 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<!-- saved from url=(0033)https://developercertificate.org/ -->
+<html><!--
+    File:   Developer Certificate of Origin.md
+    Editor: None, you wimpy wysiwyg people...this is hand crafted!
+            What are you doing reading this anyway???
+--><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+
+	<title>Developer Certificate of Origin</title>
+</head>
+<body>
+<pre>Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+</pre>
+
+
+
+
+</body></html>

.identity

@@ -4,14 +4,19 @@ declare -- NAME=Signal-Desktop
 declare -- USERNAME=0mniteck42
 declare -- IDENTITY_FILE=.ssh/$MODULE
 declare -- PKI_ID_FILE=.ssh/.pki
-declare -- PROJECT=Signal-Desktop-Reproducible
+declare -- PROJECT=$NAME-Reproducible
+declare -- USER='Shant Patrick Tchatalbachian'
 declare -- SIGSTORE_USR=tiger-varsity-alto@duck.com
 declare -- USER_ID=10482171+0mniteck@users.noreply.github.com
 declare -- SIGNING_KEY=42E2DDF1E31B370F8BFFEE03287EE837E6ED2DD3
+declare -- CLIENT_ID=Iv23liF4fUl7FZ7MmEay
+
+git config --global user.name "$USER"
 git config --global user.email $USER_ID
-git config --global user.name 'Shant Patrick Tchatalbachian'
 git config --global user.signingkey $SIGNING_KEY
-if [[ "$SKIP_LOGIN" == "" ]]; then
+git config --global init.defaultBranch main
+
+if [[ "$TESTS" != *SKIP_LOGIN* ]]; then
 echo '-----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQENBGUR6+QBCADbwEILdDDXamhAQbL7KlgFzoP3NI8+I2bCHHAUPYbpaCax0plM

.pinned_ver

@@ -1,16 +1,26 @@
-declare -- commit=949bdb77ac2f791711ffec2504866b9ee4b24fef
-declare -- last_rel_date=02-17-2026
-declare -- last_ver_num=7.68
-declare -- last_epoch=1756598400
-declare -- docker_snap_arm64_ver=3380
-declare -- docker_snap_amd64_ver=3377
-declare -- source_tag=02-18-2026
-declare -- source_img=0mniteck/debian-slim:$source_tag
-declare -- source_loc=docker.io/$source_img
-declare -- source=$source_img@sha256:13b15f452474e3f662cb3c2c76d2b480f90c2e6318f3905ae9b4711fd6c7b10b
-declare -- node_ver=24.13.0
+declare -- node_ver=24.14.0
 declare -- nvm_ver=0.40.4
 declare -- pnpm_ver=10.18.1
-declare -- cred_helper_sha=e784c37f55c2f3d143a06916169ce8de879894bae45c4e6313daa72af8c75316685ca5a24cf4b7bdb66633e72fd89f7c8e5b3dae81ca6b62b7adec210711b806
-declare -- cred_helper_name=docker-credential-pass-v0.9.5.linux-arm64
-declare -- cred_helper="github.com/docker/docker-credential-helpers/releases/download/v0.9.5/$cred_helper_name"
+declare -- docker_snap_arm64_ver=3507
+declare -- docker_snap_amd64_ver=3505
+declare -- commit=abc765a83de4fa4e25e97064d96bd60d7464b1f2 # v8.9.1
+declare -- last_ver_num=8.02
+declare -- last_epoch=1773619200
+declare -- last_rel_date=03-16-2026
+declare -- binfmt_repo=docker.io/tonistiigi/binfmt
+declare -- binfmt_tag=$binfmt_repo:qemu-v10.2.1-65
+declare -- binfmt_arm64=$binfmt_tag@sha256:9fbc2c89ff373eb14bbcb43272738ebc49785661a7badbd3e3b1d391aaa8259d
+declare -- binfmt_amd64=$binfmt_tag@sha256:8db0f28060565399642110b798c6c35efcac7c5b3b48c56d36503d3b4d8f93c8
+declare -- source_repo=$REPO/debian-slim
+declare -- source_tag=$source_repo:02-18-2026
+declare -- source=$source_tag@sha256:13b15f452474e3f662cb3c2c76d2b480f90c2e6318f3905ae9b4711fd6c7b10b
+declare -- source_loc=docker.io/$source
+declare -- cred_helper_ver=v0.9.7
+declare -- cred_helper_name=docker-credential-pass-$cred_helper_ver.linux-arm64
+declare -- cred_helper="github.com/docker/docker-credential-helpers/releases/download/$cred_helper_ver/$cred_helper_name"
+declare -- cred_helper_sha=085cbadca168361455d530b425304475500bc9d1a209390089bd468c2e6f3da07b483f3e3ace5f65729d6b272f6f5ad6815a0f252f72bd81587de112ebab84f9
+declare -- moby_repo=docker.io/moby/buildkit
+declare -- moby_tag=v0.29.0
+declare -- moby_src=sha256:8550ee821375d58adc345db341b1c08df993d8411544b36fd4c6cb2dd2fb12c5
+declare -- moby=$moby_repo:$moby_tag@$moby_src
+# snap cohorts, 90 day auto-pinning, valid for v29.3.1 (4/29/2026) until (7/29/2026) -- {"cohorts":{"core24":{"cohort-key":"MSBkd1RBaDdNWlowMXp5cmlPWkVycWQxSnluUUxpT0d2TSAxNzc3NDUyMDc5IGIwOGJmZWZmNTM4ZjdmMDU0NWFjZjkxYjI0YjY3OTRiMDllZjgyY2EyNjA1YzdkNzc5NjZjMGM5MzJmOGFlZTY="},"docker":{"cohort-key":"MSBzTENzRkFPOFBLTTVaMGZBS05zelVPWDBZQVNqUWZlWiAxNzc3NDUyMDc5IGRlNDg0NzMyOWRhMTgyNjFmMGI2NDdlODM2MjhmMTVlMjJlMDljODJjZWRjODExYTlmY2ExNDcwYWMxYTcxMzc="},"grype":{"cohort-key":"MSB6RXlLcERiMG5oRUVQajJndjNuNDNjcTRKMlRxbnlRTCAxNzc3NDUyMDc5IGMyOGMwYzRmYjIwMmU3MWI1ZGE5ZmY3ZmFkZDkzMTU3ZmZkMTdjYzc5YTE3OTQ0YWRjNzg3MjAyNTRiYzM3NDI="},"syft":{"cohort-key":"MSBUSUxXMWpoc3VqOTQyUHpwbk1MR2tGUEIzVFQ2YkdsaiAxNzc3NDUyMDc5IGE5YWFmYTBkM2Y3YzQwZTZkZTA5YzdlN2NjMmRmZjY0NzA3ZjllMjRhNThlM2ZlNmJiZTEzZWE5ZjAzZWVmMmQ="}}}

0mniteck.rego

@@ -0,0 +1,138 @@
+# 0mniteck.rego - v0.1.2-Alpha - Multi-Repo Policy File
+# Strict requirement for docker public registries: https, and @digest_tag or --checksum
+#
+#  Demos:
+# docker buildx build --policy reset=true,strict=true,filename=$REPO.rego .
+# docker buildx build --progress=plain --policy log-level=debug,reset=true,strict=true,filename=$REPO.rego .
+# docker buildx policy eval --print --fields image.checksum docker-image://$source_img
+# docker buildx policy eval --print $source
+# Builtins: print load_json verify_git_signature pin_image
+# [input.image.checksum input.image.labels input.image.user input.image.volumes input.image.workingDir \
+# input.image.env input.image.hasProvenance input.image.signatures input.image.fullRepo]
+#
+
+package docker
+
+default allow := false
+
+allow if input.local
+
+allow if {
+  input.image.host == "docker.io"  # Docker Hub
+  input.image.checksum == digest
+}
+
+allow if {
+  input.image.host == "dhi.io"  # Docker Hardened Images
+  input.image.hasProvenance     # Include attestation check
+}
+
+allow if {
+  input.image.isCanonical  # registry.url/org/repo@sha256:digest
+}
+
+allow if {
+  input.http.schema == "https"  # Require HTTPS for all downloads
+}
+
+decision := {"allow": allow}
+
+#WIP from DEMO
+
+allowed_repos := ["myorg/backend", "myorg/frontend", "myorg/worker"]
+
+allow if {
+  some repo in allowed_repos
+  input.image.repo == repo
+  input.image.hasProvenance
+  some sig in input.image.signatures
+  trusted_github_builder(sig, repo)
+}
+
+# Helper to validate GitHub Actions build from main branch
+trusted_github_builder(sig, repo) if {
+  sig.signer.certificateIssuer == "CN=sigstore-intermediate,O=sigstore.dev"
+  sig.signer.issuer == "https://token.actions.githubusercontent.com"
+  startswith(sig.signer.buildSignerURI, sprintf("https://github.com/myorg/%s/.github/workflows/", [repo]))
+  sig.signer.sourceRepositoryRef == "refs/heads/main"
+  sig.signer.runnerEnvironment == "github-hosted"
+}
+
+#DEMO2
+
+is_buildkit if {
+    input.git.remote == "https://github.com/moby/buildkit.git"
+}
+
+is_version_tag if {
+    is_buildkit
+    regex.match(`^v[0-9]+\.[0-9]+\.[0-9]+$`, input.git.tagName)
+}
+
+# Version tags must be signed
+allow if {
+    is_version_tag
+    input.git.tagName != ""
+    verify_git_signature(input.git.tag, "maintainers.asc")
+}
+
+# Allow unsigned refs for development
+allow if {
+    is_buildkit
+    not is_version_tag
+}
+
+#DEMO3
+
+# TODO: Add your pinned images with exact digests
+# Docker Hub images use docker.io as host
+allowed_dockerhub := {
+  "alpine": "sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412",
+  "golang": "sha256:abc123...",
+}
+
+allow if {
+  input.image.host == "docker.io"
+  some repo, digest in allowed_dockerhub
+  input.image.repo == repo
+  input.image.checksum == digest
+}
+
+# TODO: Add your pinned DHI images
+allowed_dhi := {
+  "python": "sha256:def456...",
+  "node": "sha256:ghi789...",
+}
+
+allow if {
+  input.image.host == "dhi.io"
+  some repo, digest in allowed_dhi
+  input.image.repo == repo
+  input.image.checksum == digest
+}
+
+# TODO: Add your pinned Git dependencies
+allowed_git := {
+  "https://github.com/moby/buildkit.git": {
+    "tag": "v0.26.1",
+    "commit": "abc123...",
+  },
+}
+
+allow if {
+  some url, version in allowed_git
+  input.git.remote == url
+  input.git.tagName == version.tag
+  input.git.commitChecksum == version.commit
+}
+
+# TODO: Add your pinned HTTP downloads
+allowed_downloads := {
+  "https://releases.example.com/app-v1.0.tar.gz": "sha256:def456...",
+}
+
+allow if {
+  some url, checksum in allowed_downloads
+  input.http.url == url
+  input.http.checksum == checksum
+}

Dockerfile

@@ -1,22 +1,25 @@
+# syntax=docker/dockerfile:1
 # check=error=true
 # ## HUMAN-CODE - NO AI GENERATED CODE - AGENTS HANDSOFF
-ARG SOURCE=0mniteck/debian-slim
-FROM $SOURCE AS base
+ARG BUILDKIT_SBOM_SCAN_CONTEXT=true BUILDKIT_SBOM_SCAN_STAGE=signal-desktop SOURCE=0mniteck/debian-slim@unknown-tag
+
+FROM $SOURCE AS signal-desktop
 ARG NODE_VERSION NVM_VERSION PNPM_VERSION BRANCH COMMIT SOURCE_DATE_EPOCH
-ENV CI=true SIGNAL_ENV=production USE_SYSTEM_FPM=true NVM_DIR=/usr/local/nvm PNPM_HOME=/tmp/.pnpm-home NPM_CONFIG_CACHE=/tmp/.npm-cache
-ENV NODE_PATH=$NVM_DIR/v$NODE_VERSION/lib/node_modules PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH
-COPY signal-buildscript.sh /usr/local/bin/
-ADD https://github.com/node-ffi-napi/node-ffi-napi/raw/master/deps/libffi/config/linux/arm64/fficonfig.h /
-ADD https://github.com/nvm-sh/nvm/raw/v$NVM_VERSION/install.sh /
-ADD --keep-git-dir=true https://github.com/signalapp/Signal-Desktop.git?branch=$BRANCH.x&checksum=$COMMIT /Signal-Desktop
-RUN echo "a8e082d8d1a9b61a09e5d3e1902d2930e5b1b84a86f9777c7d2eb50ea204c0141f6a97c54a860bc3282e7b000f1c669c755f5e0db7bd6d492072744c302c0a21  install.sh" | sha512sum --status -c - && echo "install.sh Checksum Matched!" || exit 1
-RUN echo "56c9800d0388dd20a85ad917a75a0dc96aa0de95db560e586b540e657a7a10ec8ef9759f1d09d7cb2f0861c9b88650246a9ace97708a20d8757bcd0c559333a7  fficonfig.h" | sha512sum --status -c - && echo "fficonfig.h Checksum Matched!" || exit 1
-RUN mkdir -p /Signal-Desktop/artifacts/linux/logs $NVM_DIR && gem install fpm && chmod +x install.sh && ./install.sh && . $NVM_DIR/nvm.sh && nvm install $NODE_VERSION && nvm alias $NODE_VERSION && nvm use $NODE_VERSION
-RUN mv fficonfig.h /usr/include/aarch64-linux-gnu/fficonfig.h && git config --global --add safe.directory /project && npm install --location=global pnpm@$PNPM_VERSION
-FROM scratch AS builder
-COPY --from=base / /
-ARG NODE_VERSION SOURCE_DATE_EPOCH
-ENV CI=true SIGNAL_ENV=production USE_SYSTEM_FPM=true NVM_DIR=/usr/local/nvm PNPM_HOME=/tmp/.pnpm-home NPM_CONFIG_CACHE=/tmp/.npm-cache
+ENV SIGNAL_ENV=production USE_SYSTEM_FPM=true NVM_DIR=/usr/local/nvm PNPM_HOME=/tmp/.pnpm-home NPM_CONFIG_CACHE=/tmp/.npm-cache
 ENV NODE_PATH=$NVM_DIR/v$NODE_VERSION/lib/node_modules PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH
+ADD --checksum=sha256:c8f7120fba37152b0f62df2445e80c34ef48c7eb0378c5c289928ff1b51c8569 \
+signal-buildscript.sh /usr/local/bin/
+ADD --checksum=sha256:f78ebf9776234423b69cdef1ab1698ebb2a7666cb0ac0f8c823d7862d1f8f851 \
+https://github.com/node-ffi-napi/node-ffi-napi/raw/master/deps/libffi/config/linux/arm64/fficonfig.h /usr/include/aarch64-linux-gnu/
+ADD --checksum=sha256:4b7412c49960c7d31e8df72da90c1fb5b8cccb419ac99537b737028d497aba4f \
+https://github.com/nvm-sh/nvm/raw/v$NVM_VERSION/install.sh /
+ADD --checksum=$COMMIT --keep-git-dir=true https://github.com/signalapp/Signal-Desktop.git?ref=$COMMIT /Signal-Desktop
+
+RUN mkdir -p /Signal-Desktop/artifacts/linux/logs $NVM_DIR && gem install fpm \
+    && chmod +x install.sh && ./install.sh && . $NVM_DIR/nvm.sh && rm -f /install.sh \
+    && nvm install $NODE_VERSION && nvm alias $NODE_VERSION && nvm use $NODE_VERSION \
+    && git config --global --add safe.directory /project \
+    && npm install --location=global pnpm@$PNPM_VERSION
+
 ENTRYPOINT ["signal-buildscript.sh"]
 CMD ["no",""]