feat(docker): unify wrapper helpers, add reproducibility checks, and expand docs

Introduce a shared docker/common.sh helper library and refactor docker_* wrappers
to use consistent image resolution, USB/KVM/X11 handling, and reproducibility
verification. Add new tooling to fetch/pin image digests and improve
documentation for users, developers, and maintainers.

Key changes:
- Add shared docker helper library with Nix setup, image resolution, USB cleanup,
  X11/KVM passthrough, and reproducibility comparison logic in
  [docker/common.sh](docker/common.sh).
- Add reproducibility verification flow and configurable remote target via
  HEADS_CHECK_REPRODUCIBILITY and HEADS_CHECK_REPRODUCIBILITY_REMOTE in
  [docker/common.sh](docker/common.sh) and document behavior in [README.md](README.md).
- Provide standalone reproducibility checker in
  [docker/check_reproducibility.sh](docker/check_reproducibility.sh).
- Add digest utilities and pinning helpers:
  [docker/get_digest.sh](docker/get_digest.sh) and
  [docker/pin-and-run.sh](docker/pin-and-run.sh).
- Add a pinned digest file for reproducible builds:
  [docker/DOCKER_REPRO_DIGEST](docker/DOCKER_REPRO_DIGEST).
- Add Nix installer fetch helper with checksum guidance:
  [docker/fetch_nix_installer.sh](docker/fetch_nix_installer.sh).
- Refactor wrapper scripts to use shared helpers and digest pinning:
  [docker_latest.sh](docker_latest.sh),
  [docker_local_dev.sh](docker_local_dev.sh),
  [docker_repro.sh](docker_repro.sh).
- Update QEMU documentation to prefer Docker wrappers and clarify supported
  workflow in [targets/qemu.md](targets/qemu.md).
- Expand README with reproducibility verification, wrapper options, fork/maintainer
  overrides, and workflow guidance in [README.md](README.md).

Behavioral highlights:
- docker_latest.sh and docker_repro.sh now resolve pinned digests and validate
  against .circleci/config.yml when applicable.
- docker_local_dev.sh can optionally verify reproducibility against a configured
  remote image.
- docker/common.sh shows usage when executed directly (meant to be sourced).

Files changed:
- [README.md](README.md)
- [docker/DOCKER_REPRO_DIGEST](docker/DOCKER_REPRO_DIGEST)
- [docker/check_reproducibility.sh](docker/check_reproducibility.sh)
- [docker/common.sh](docker/common.sh)
- [docker/fetch_nix_installer.sh](docker/fetch_nix_installer.sh)
- [docker/get_digest.sh](docker/get_digest.sh)
- [docker/pin-and-run.sh](docker/pin-and-run.sh)
- [docker_latest.sh](docker_latest.sh)
- [docker_local_dev.sh](docker_local_dev.sh)
- [docker_repro.sh](docker_repro.sh)
- [targets/qemu.md](targets/qemu.md)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

README.md

@@ -0,0 +1,12 @@
+# Optional: pin the Docker image used by ./docker_repro.sh to an immutable digest
+# This file is read by docker_repro.sh if DOCKER_REPRO_DIGEST is not set in the
+# environment. The first non-empty, non-comment line is used as the digest value.
+# Acceptable formats are:
+#  - sha256:<64-hex>
+#  - sha256-<64-hex>  (will be normalized to sha256:<hex>)
+#  - <64-hex>         (will be normalized to sha256:<hex>)
+# Example:
+# sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+
+# Place the digest on the first non-comment line below (remove the leading '#')
+sha256-50a9110cdfc6a74a383169d7c624139c3b3e05567b87203498118a8a33dd79f1

docker/DOCKER_REPRO_DIGEST

@@ -0,0 +1,122 @@
+#!/bin/bash
+# Helper to compare local Docker image digest with remote docker.io
+# Usage: ./docker/check_reproducibility.sh [local_image] [remote_image]
+# Example:
+#   ./docker/check_reproducibility.sh linuxboot/heads:dev-env tlaurion/heads-dev-env:latest
+
+set -euo pipefail
+
+usage() {
+  cat <<'USAGE' >&2
+Usage: $0 [local_image] [remote_image]
+
+Compare a local Docker image digest with a remote docker.io image.
+
+Arguments:
+  local_image   Local image to check (default: linuxboot/heads:dev-env)
+  remote_image  Remote docker.io image to compare against (default: ${HEADS_MAINTAINER_DOCKER_IMAGE}:latest, where HEADS_MAINTAINER_DOCKER_IMAGE defaults to tlaurion/heads-dev-env)
+
+Environment:
+  HEADS_MAINTAINER_DOCKER_IMAGE  Override the canonical maintainer's image repository (default: tlaurion/heads-dev-env)
+
+Examples:
+  ./docker/check_reproducibility.sh
+  ./docker/check_reproducibility.sh linuxboot/heads:dev-env tlaurion/heads-dev-env:latest
+  ./docker/check_reproducibility.sh linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.2.7
+  HEADS_MAINTAINER_DOCKER_IMAGE="myuser/heads-dev-env" ./docker/check_reproducibility.sh
+
+Requirements:
+  - docker CLI (to inspect local images)
+  - Network access (to pull remote images for digest comparison)
+
+USAGE
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+# Respect HEADS_MAINTAINER_DOCKER_IMAGE environment variable for fork maintainers
+HEADS_MAINTAINER_DOCKER_IMAGE="${HEADS_MAINTAINER_DOCKER_IMAGE:-tlaurion/heads-dev-env}"
+
+local_image="${1:-linuxboot/heads:dev-env}"
+remote_image="${2:-${HEADS_MAINTAINER_DOCKER_IMAGE}:latest}"
+
+echo "=== Docker Image Reproducibility Check ===" >&2
+echo "" >&2
+
+# Get local image digest
+echo "Fetching local image digest from: ${local_image}" >&2
+local_digest=$(docker inspect --format='{{.Id}}' "${local_image}" 2>/dev/null || true)
+if [ -z "${local_digest}" ]; then
+  echo "Error: Local image '${local_image}' not found" >&2
+  exit 1
+fi
+
+# Normalize to just the hex part
+local_digest_hex="${local_digest##*:}"
+echo "  Found: ${local_digest}" >&2
+echo "" >&2
+
+# Get remote image digest
+echo "Fetching remote image digest from: ${remote_image}" >&2
+
+# Try skopeo first (if available, doesn't require full image pull)
+remote_digest=""
+if command -v skopeo >/dev/null 2>&1; then
+  echo "  Attempting with skopeo (no pull required)..." >&2
+  remote_digest=$(skopeo inspect "docker://${remote_image}" 2>/dev/null | grep -o '"Digest":"[^"]*' | head -n1 | cut -d'"' -f4 || true)
+  if [ -n "${remote_digest}" ]; then
+    echo "  Found: ${remote_digest}" >&2
+  fi
+fi
+
+# If skopeo didn't work, pull the image and inspect it locally
+if [ -z "${remote_digest}" ]; then
+  echo "  Pulling image locally to inspect..." >&2
+  if docker pull "${remote_image}" >/dev/null 2>&1; then
+    remote_digest=$(docker inspect --format='{{.Id}}' "${remote_image}" 2>/dev/null || true)
+    if [ -n "${remote_digest}" ]; then
+      echo "  Found: ${remote_digest}" >&2
+    fi
+  else
+    echo "Error: Could not pull remote image '${remote_image}'" >&2
+    exit 1
+  fi
+fi
+
+if [ -z "${remote_digest}" ]; then
+  echo "Error: Failed to retrieve remote digest" >&2
+  exit 1
+fi
+
+# Normalize to just the hex part
+remote_digest_hex="${remote_digest##*:}"
+
+echo "" >&2
+echo "=== Comparison ===" >&2
+echo "Local:  ${local_image}" >&2
+echo "        ${local_digest_hex}" >&2
+echo "" >&2
+echo "Remote: ${remote_image}" >&2
+echo "        ${remote_digest_hex}" >&2
+echo "" >&2
+
+# Compare
+if [ "${local_digest_hex}" = "${remote_digest_hex}" ]; then
+  echo "✓ SUCCESS: Digests match!" >&2
+  echo "  Your local build is reproducible and identical to ${remote_image}" >&2
+  echo "" >&2
+  exit 0
+else
+  echo "✗ MISMATCH: Digests differ" >&2
+  echo "" >&2
+  echo "This is expected if:" >&2
+  echo "  - Nix/flake.lock versions differ from the remote build" >&2
+  echo "  - There are uncommitted changes in flake.nix" >&2
+  echo "  - Different Nix dependencies are resolved locally vs remotely" >&2
+  echo "" >&2
+  exit 1
+fi
+