
Reproducible but individually signed?

Posted Mar 8, 2025 1:29 UTC (Sat) by JoeBuck (subscriber, #2330)
In reply to: Reproducible but individually signed? by SLi
Parent article: Hash-based module integrity checking

Seems that if there were an efficient way to segregate everything that is expected to be reproducible and bit-for-bit identical, from the small amount of data (signatures, perhaps build info) that is expected not to be, in such a way as to guarantee that all of the code falls into the first bucket, we could satisfy both requirements. So, instead of just running the equivalent of 'cmp' on everything, there'd be a smarter compare tool.

I recall that the GCC bootstrap procedure, where it checks that the stage 2 and stage 3 compilers are bit-for-bit identical, had a way to exclude time stamps on OSes that add time stamps to object files and only compare the rest. So, something like that.


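One way the "smarter compare tool" from the comment above could look for kernel modules, as an added example that is not part of the comment or of any kernel tooling. It assumes the kernel's appended-signature layout (a `~Module signature appended~\n` marker preceded by a 12-byte descriptor whose last field is the big-endian signature length); the function names and sample bytes are constructed here.

```python
import struct

# Trailer layout assumed from the Linux kernel's appended module signatures:
#   <module> <signature data> <12-byte descriptor> <magic marker>
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian)
SIG_INFO = struct.Struct(">BBBBB3xI")


def split_signed_module(blob: bytes) -> tuple[bytes, bytes]:
    """Return (reproducible payload, signature trailer); trailer is b'' if unsigned."""
    if not blob.endswith(MAGIC):
        return blob, b""
    info_end = len(blob) - len(MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        raise ValueError("truncated signature descriptor")
    *_, sig_len = SIG_INFO.unpack_from(blob, info_start)
    payload_end = info_start - sig_len
    if payload_end < 0:
        raise ValueError("sig_len exceeds file size")
    return blob[:payload_end], blob[payload_end:]


def same_code(a: bytes, b: bytes) -> bool:
    """Smarter 'cmp': everything outside the signature trailer must match bit for bit."""
    return split_signed_module(a)[0] == split_signed_module(b)[0]


def fake_sign(payload: bytes, sig: bytes) -> bytes:
    """Constructed helper: append a dummy trailer (not a real signature)."""
    return payload + sig + SIG_INFO.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC


# Constructed sample data standing in for two independently signed builds.
PAYLOAD = b"\x7fELF" + bytes(range(64))
BUILD_A = fake_sign(PAYLOAD, b"\xaa" * 100)
BUILD_B = fake_sign(PAYLOAD, b"\xbb" * 256)
TAMPERED = fake_sign(PAYLOAD[:-1] + b"\xff", b"\xaa" * 100)

if __name__ == "__main__":
    print("A vs B (signatures differ):", same_code(BUILD_A, BUILD_B))
    print("A vs tampered payload:    ", same_code(BUILD_A, TAMPERED))
```

The excluded bucket is bounded by the length field read from the end of the file, so a byte change anywhere before the trailer still makes the comparison fail.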

