Just strip the signature before comparing the rebuilt artifacts?
Posted Mar 7, 2025 17:44 UTC (Fri) by t-8ch (subscriber, #90907) In reply to: Just strip the signature before comparing the rebuilt artifacts? by bluca
Parent article: Hash-based module integrity checking
One-off exceptions would have to be maintained in all comparison tools.
And it gets much more complicated with derived build artifacts.
For example a package index of an archive containing a package repository with a kernel package.
Suddenly the tool would need to know which checksums in that package index are valid to be non-reproducible.
Or a built-from-source root filesystem.
Also, in addition to the appended signatures, the keyring embedded into vmlinux (but only the one used for modules!) would need to be ignored, which is not as straightforward.
(disclaimer: I'm the author of the patchset under discussion)
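The point made above, as an added example (not code from the comment or from the patchset under discussion): a comparison tool that strips the appended module signature before comparing two rebuilt .ko files, next to a derived package index whose checksums cover the signed bytes and so differ anyway. The trailer layout follows the kernel's appended-signature format; the module body, the signatures and the index contents are constructed.

```python
import hashlib
import struct

# Trailer the kernel's scripts/sign-file appends to a signed module.
SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], sig_len (big-endian)
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2

def append_signature(module: bytes, signature: bytes) -> bytes:
    """Build a signed module image in the kernel's appended layout (constructed PKCS#7 case)."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return module + signature + info + SIG_MAGIC

def strip_signature(blob: bytes) -> bytes:
    """Remove an appended module signature; return the blob unchanged if none is present."""
    if not blob.endswith(SIG_MAGIC):
        return blob
    body = blob[: -len(SIG_MAGIC)]
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    return body[: -(SIG_INFO.size + signer_len + key_id_len + sig_len)]

def modules_match(a: bytes, b: bytes) -> bool:
    """The one-off exception: compare two rebuilt .ko files with their signatures ignored."""
    return strip_signature(a) == strip_signature(b)

def package_index(files: dict[str, bytes]) -> dict[str, str]:
    """Derived artifact: an index recording the SHA-256 of each packaged (signed) file."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def index_mismatches(idx_a: dict[str, str], idx_b: dict[str, str]) -> list[str]:
    """Plain index comparison; it cannot tell which entries differ only because of a signature."""
    return sorted(name for name in idx_a if idx_a[name] != idx_b.get(name))

# Constructed inputs: the same module code signed twice with two different (fake) signatures.
MODULE_CODE = b"\x7fELF...constructed module body..."
BUILD_A = append_signature(MODULE_CODE, b"sig-from-build-A" * 4)
BUILD_B = append_signature(MODULE_CODE, b"sig-from-build-B" * 4)
INDEX_A = package_index({"kernel.ko": BUILD_A, "README": b"same in both"})
INDEX_B = package_index({"kernel.ko": BUILD_B, "README": b"same in both"})

if __name__ == "__main__":
    print("stripped modules identical:", modules_match(BUILD_A, BUILD_B))   # True
    print("index entries that differ:", index_mismatches(INDEX_A, INDEX_B))  # ['kernel.ko']
```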
Posted Mar 7, 2025 18:39 UTC (Fri) by bluca (subscriber, #118303) [Link]

Just strip the signature before comparing the rebuilt artifacts?