Just strip the signature before comparing the rebuilt artifacts?
Posted Mar 13, 2025 18:38 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: Just strip the signature before comparing the rebuilt artifacts? by pjones
Parent article: Hash-based module integrity checking
But that's the same issue, just in reverse. If you want to strip signatures, you have to parse the PE format anyway. With signatures in a separate package, you can have easy checks by just doing `diff`, and the non-deterministic PE artifacts are produced locally.
This is fine for two reasons:
1. The PE binaries need to be placed on a separate EFI partition anyway.
2. You still need to handle custom signing keys for people using their own secure boot keys.
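As an added example (not from the comment or from the LWN article), here is what "parse the PE format anyway" amounts to when stripping a signature before comparing two builds: walk the DOS header to the COFF and optional headers, zero the CheckSum and the security data-directory entry, and drop the appended certificate table before hashing. `build_sample` is a constructed toy PE32+ image for the demonstration, and the assumption that the certificate table is the last thing in the file is marked in a comment.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot of the Authenticode table

def strip_authenticode(pe: bytes) -> bytes:
    """Copy of a PE image with the certificate table removed and the CheckSum and
    security-directory fields zeroed, so signature-only differences disappear."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                                # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x10B:                                       # PE32
        dd_off = opt_off + 96
    elif magic == 0x20B:                                     # PE32+
        dd_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_entry = dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_entry)  # file offset, not an RVA
    out = bytearray(pe)
    struct.pack_into("<I", out, opt_off + 64, 0)             # CheckSum also covers the signature
    struct.pack_into("<II", out, sec_entry, 0, 0)
    if cert_size:
        # Assumption: the table is the last thing in the file, as signing tools append it.
        if cert_off + cert_size != len(pe):
            raise ValueError("certificate table is not at end of file")
        del out[cert_off:]
    return bytes(out)

def build_sample(body: bytes, signature: bytes) -> bytes:
    """Constructed minimal PE32+ image (not loadable): DOS header, COFF header,
    optional header whose security entry points at `signature` appended at the end."""
    dos = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                     # PE32+ with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 64, sum(signature) & 0xFFFFFFFF)  # fake CheckSum that moves with the signature
    cert_off = 64 + 4 + 20 + 240 + len(body)
    struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_off, len(signature))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + signature

def same_build(a: bytes, b: bytes) -> bool:
    """Compare two signed images by hashing what remains after stripping."""
    return hashlib.sha256(strip_authenticode(a)).digest() == hashlib.sha256(strip_authenticode(b)).digest()
```

With detached signatures the comparison is a plain `diff` of the unsigned artifacts and none of this parsing is needed, which is the point the comment makes.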