Pin nixpkgs version

[jethrogb]

Trying to do the reproducible build right now results in the following error in step 10 of the Dockerfile:

error: evaluation aborted with the following error message: '
       This version of Nixpkgs requires an implementation of Nix with the following features:
       - `builtins.nixVersion` reports at least 2.18

       Your are evaluating with Nix 2.9.0, please upgrade:

       - If you are running NixOS, `nixos-rebuild' can be used to upgrade your system.

       - Alternatively, with Nix > 2.0 `nix upgrade-nix' can be used to imperatively
         upgrade Nix. You may use `nix-env --version' to check which version you have.

       - If you installed Nix using the install script (https://nixos.org/nix/install),
         it is safe to upgrade by running it again:

             curl -L https://nixos.org/nix/install | sh

       For more information, please see the NixOS release notes at
       https://nixos.org/nixos/manual or locally at
       /nix/store/6hg0kq5x9sdma1bmva3qj18zbqdpp5q5-nixpkgs/nixpkgs/nixos/doc/manual/release-notes.

       If you need further help, see https://nixos.org/nixos/support.html
       '
(use '--show-trace' to show detailed location information)
The command '/bin/sh -c . /home/user/.nix-profile/etc/profile.d/nix.sh && nix-shell' returned a non-zero code: 1
Unable to find image 'sgx.build.env:latest' locally
docker: Error response from daemon: pull access denied for sgx.build.env, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.

The problem seems to be that nixpkgs is not pinned and always using the latest version. This PR pins the nixpkgs version to 22.05, which is the version that was available when Nix 2.9 was released.

More details about nixpkgs pinning:
https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs.html
https://nix.dev/reference/pinning-nixpkgs.html

[jethrogb]

Strangely enough, with this change I still get a similar error:

error: evaluation aborted with the following error message: '
       This version of Nixpkgs requires an implementation of Nix with the following features:
       - `builtins.nixVersion` reports at least 2.18

       Your are evaluating with Nix 2.9.0, please upgrade:

       - If you are running NixOS, `nixos-rebuild' can be used to upgrade your system.

       - Alternatively, with Nix > 2.0 `nix upgrade-nix' can be used to imperatively
         upgrade Nix. You may use `nix-env --version' to check which version you have.

       - If you installed Nix using the install script (https://nixos.org/nix/install),
         it is safe to upgrade by running it again:

             curl -L https://nixos.org/nix/install | sh

       For more information, please see the NixOS release notes at
       https://nixos.org/nixos/manual or locally at
       /nix/store/6hg0kq5x9sdma1bmva3qj18zbqdpp5q5-nixpkgs/nixpkgs/nixos/doc/manual/release-notes.

       If you need further help, see https://nixos.org/nixos/support.html
       '
will use bash from your environment

However, the build continues and I'm able to reproduce the most recent AEs.

[bgotowal]

hi @jethrogb!

The issue is now resolved on the main branch and latest reproducible tag: https://github.com/intel/confidential-computing.sgx/tree/sgx_2.27_reproducible. We suggest using this approach instead of the reproducible branch.

I'm also considering removing the sgx_reproducible branch so that there is only one, tag-based, approach to reproducible builds. Do you have a use case that would prevent you from using such a tag-based approach?

Recent changes to reproducibility, including nix update: 9f5eb70 and d8e22e8.

[jethrogb]

I'm fine with the tag-based approach, but I'm fairly certain you still need to implement a fix like this PR to make sure the releases remain reproducible into the future.