On Fri, Jul 23, 2021 at 08:09:07PM +0300, Andrei POPESCU wrote:
> Unless I'm missing something (which is very much possible, I'm way out
> of my depth here) rebuilding to verify it matches the official binary
> should still be possible.
> 
> Care to elaborate on why you think this would be a problem?
I suppose that if there is a way to chop up the binary blob into "program" and "signature", then you could compare the two program segments to each other, and ignore the signature segments. It would depend on how this binary-blob-with-signature format is defined. A simple cmp(1) of the two would clearly not work, as the signatures wouldn't match.

But... even if the signature segments can be snipped off, it's possible that there would be differences in the program segments, depending on the compiler used, particularly optimizations. There could also be timestamps, or pieces of the build environment such as directory paths, embedded in the binary blob. I'd have to defer to the "reproducible builds" people on that one. They would have more experience with those kinds of issues.
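One way to do the program-versus-signature comparison sketched above, as an added example that is not part of this thread. Since the real blob format is not specified, it assumes a hypothetical container layout (magic, program length, program bytes, trailing signature) and constructs its own sample blobs; the merged diff ranges are there to make an embedded timestamp or path readable as one region.

```python
import struct

# Assumed container layout (hypothetical, not any real firmware format): 4-byte
# magic, little-endian u32 program length, program bytes, then the signature.
MAGIC = b"SBLB"
HEADER = struct.Struct("<4sI")

def make_blob(program: bytes, signature: bytes) -> bytes:
    return HEADER.pack(MAGIC, len(program)) + program + signature

def split_blob(blob: bytes) -> tuple[bytes, bytes]:
    """Chop a signed blob into (program, signature) using the assumed header."""
    magic, prog_len = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not a signed blob")
    program = blob[HEADER.size:HEADER.size + prog_len]
    if len(program) != prog_len:
        raise ValueError("truncated program segment")
    return program, blob[HEADER.size + prog_len:]

def diff_ranges(a: bytes, b: bytes, gap: int = 4) -> list[tuple[int, int]]:
    """[start, end) offsets where a and b differ; runs closer than `gap`
    bytes are merged so an embedded timestamp or path shows as one region."""
    ranges: list[list[int]] = []
    for i in range(max(len(a), len(b))):
        if i < len(a) and i < len(b) and a[i] == b[i]:
            continue
        if ranges and i - ranges[-1][1] <= gap:
            ranges[-1][1] = i + 1
        else:
            ranges.append([i, i + 1])
    return [(s, e) for s, e in ranges]

def compare_builds(official: bytes, rebuilt: bytes) -> dict:
    """Ignore the signature segments and report where the programs diverge,
    showing the differing bytes side by side for a human to judge."""
    prog_a, sig_a = split_blob(official)
    prog_b, sig_b = split_blob(rebuilt)
    ranges = diff_ranges(prog_a, prog_b)
    return {
        "signature_differs": sig_a != sig_b,
        "program_matches": not ranges,
        "diffs": [(s, prog_a[s:e], prog_b[s:e]) for s, e in ranges],
    }

# Constructed samples: a vendor blob, a rebuild that matches byte for byte
# apart from the signature, and one that also embeds a different timestamp.
OFFICIAL = make_blob(b"\x7fELF code built 2021-07-22 08:09\x00", b"sig-vendor")
REBUILT_CLEAN = make_blob(b"\x7fELF code built 2021-07-22 08:09\x00", b"sig-mine!!")
REBUILT_STAMPED = make_blob(b"\x7fELF code built 2021-07-23 20:11\x00", b"sig-mine!!")
```

`compare_builds(OFFICIAL, REBUILT_CLEAN)` reports a matching program despite differing signatures, while the stamped rebuild yields one diff region covering the timestamp.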

