On Sat, 2025-05-03 at 01:43 +0200, kpcyrd wrote: > On 5/2/25 3:30 PM, James Bottomley wrote: [...] > > Or you simply ship tools to remove the signature; > > > > sbattach --remove <signed efi variable> > > > > already does this for you ... > > It reads like you assume somebody sits down and explicitly looks at > the linux package manually, but the reproducible builds tooling > considers the package content to be fully opaque and doesn't have any > special-casing of any package: > > https://github.com/archlinux/archlinux-repro > https://salsa.debian.org/debian/devscripts/-/blob/main/scripts/debrebuild.pl?ref_type=heads
How something is packaged for consumers and what the outputs of a build are are two entirely different things. But if you control packaging, you could actually strip the signatures and place them in an unchecked section as long as you make sure to combine them on installation. > I'd rather not deal with the consequences of weakening the comparison > and possibly introducing exploitable loop-holes in any of the layers > we wouldn't be able to bit-for-bit compare anymore (like e.g. tar). To repeat the point: what everyone would like to do to make life easy is a bit different from what has to be done in the modern era of build provenance requirements. > It would also break the concept of `f(source) -> binary`, "you can > deterministically derive the binary packages from the documented > build inputs", and instead you'd always need to fuzzy-match against > what somebody else built. I think you'll find f -> strip signature ° build Works in the above equation. The point being it's deterministic, not fuzzy. Regards, James
