
Just strip the signature before comparing the rebuilt artifacts?

Posted Mar 7, 2025 18:41 UTC (Fri) by bluca (subscriber, #118303)
In reply to: Just strip the signature before comparing the rebuilt artifacts? by josh
Parent article: Hash-based module integrity checking

You still can't have the kernel package reproducible without the signing key, as the kernel PE image itself needs to be signed.

Considering inline signatures as part of the reproducible envelope doesn't provide any useful information about the state of the builds. It's not interesting data - it's just RSA. Given the same input, and the same key, you get the same output, so it's reproducible by definition.


Just strip the signature before comparing the rebuilt artifacts?

Posted Mar 13, 2025 14:24 UTC (Thu) by pjones (subscriber, #31722)

I think this is a problem of how we're discussing it more than anything else - the signed kernel is reproducible in the meaningful sense, but the data to validate it is effectively encapsulating it.

Which means you're right that this is primarily a tooling problem in our comparisons.
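As an added illustration of the comparison tooling both comments point at (example code, not from LWN or either commenter): an Authenticode-style normaliser that zeroes the PE CheckSum and the certificate-table directory entry and drops the attribute certificate table, so a signed and an unsigned rebuild of the same image compare equal while any change to the image itself still shows up. The toy PE builder and every byte value in it are constructed for the demonstration; a real signer may also pad the image to 8-byte alignment before appending the table, which this does not undo.

```python
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: where the Authenticode signature lives

def strip_authenticode(pe: bytes) -> bytes:
    """Normalise a PE image the way the Authenticode hash does: zero CheckSum,
    zero the certificate-table directory entry, drop the certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                       # optional header follows PE\0\0 + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+ data directory start
    if dirs is None:
        raise ValueError("unknown optional header magic %#x" % magic)
    out = bytearray(pe)
    struct.pack_into("<I", out, opt + 64, 0)  # CheckSum is excluded from the hash
    n_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]
    if n_dirs <= CERT_TABLE_INDEX:
        return bytes(out)                     # image cannot carry an embedded signature
    entry = dirs + 8 * CERT_TABLE_INDEX
    cert_off, cert_size = struct.unpack_from("<II", pe, entry)  # a file offset, not an RVA
    struct.pack_into("<II", out, entry, 0, 0)
    if cert_off + cert_size > len(pe):
        raise ValueError("certificate table runs past end of file")
    del out[cert_off:cert_off + cert_size]
    return bytes(out)

def build_toy_pe(payload: bytes, signature: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ image for the demonstration: headers, one blob
    and (optionally) a WIN_CERTIFICATE appended at the end. Not loadable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = bytearray(240)                                         # PE32+ with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    cert = b""
    if signature:
        # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7)
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200, 0x0002) + signature
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, 64 + 24 + 240 + len(payload), len(cert))
    return dos + coff + bytes(opt) + payload + cert
```

Run the two normalised images through any hash or diff tool; only bytes outside the signature envelope can make them differ.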


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.