Reproducible signatures

Open behrmann opened this issue 2 years ago • 3 comments

Currently, signing an artifact with sbctl is not reproducible. Signing it once and signing the same input artifact again with the same key will lead to two different output artifacts.

I'm not sure if there are deeper technical reasons for this or if it is "just" some embedded timestamps, that could be wrangled by making the timestamps match the second time around, but it would be great if for the same inputs the outputs could be made reproducible.

behrmann, Jan 25 '23 09:01

> I'm not sure if there are deeper technical reasons for this or if it is "just" some embedded timestamps, that could be wrangled by making the timestamps match the second time around, but it would be great if for the same inputs the outputs could be made reproducible.

I'm not (currently) using sbctl, but when trying to make the UKI build using objcopy reproducible, I've found that you need to pass --preserve-dates, otherwise objcopy will put the current time into the PEI header.

Perhaps that saves someone some debugging time.

bauen1, Mar 27 '23 20:03
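
To narrow down where two outputs differ, the following added example (not part of the thread, and not sbctl or objcopy code) classifies differing bytes as falling in the PE/COFF header timestamp, in the appended certificate table that holds the signature, or elsewhere. The names `pe_fields`, `classify_diff` and `sample_pe` are hypothetical, and the sample images are constructed stubs, not real UKIs.

```python
import struct

def pe_fields(data: bytes) -> dict:
    """Locate the COFF TimeDateStamp and the certificate table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    ts_off = pe_off + 8        # PE signature(4) + Machine(2) + NumberOfSections(2)
    (timestamp,) = struct.unpack_from("<I", data, ts_off)
    opt = pe_off + 24          # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    dir_start = {0x10B: 96, 0x20B: 112}.get(magic)     # PE32 / PE32+
    if dir_start is None:
        raise ValueError("unknown optional header magic")
    # Data directory entry 4 is the certificate table; its address is a file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, opt + dir_start + 4 * 8)
    return {"ts_off": ts_off, "timestamp": timestamp,
            "cert_off": cert_off, "cert_size": cert_size}

def classify_diff(a: bytes, b: bytes) -> list:
    """Name the regions in which two images differ (layout taken from image a)."""
    f = pe_fields(a)
    regions = set()
    for i in range(max(len(a), len(b))):
        if a[i:i + 1] == b[i:i + 1]:
            continue
        if f["ts_off"] <= i < f["ts_off"] + 4:
            regions.add("coff_timestamp")
        elif f["cert_size"] and i >= f["cert_off"]:
            regions.add("signature")
        else:
            regions.add("other")
    return sorted(regions)

def sample_pe(timestamp: int, sig: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header stub for illustration; not a bootable image."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x84, 0x8664, 0, timestamp)
    struct.pack_into("<H", hdr, 0x98, 0x20B)
    if sig:
        struct.pack_into("<II", hdr, 0x98 + 112 + 32, len(hdr), len(sig))
    return bytes(hdr) + sig

if __name__ == "__main__":
    print(classify_diff(sample_pe(1674637260, b"SIG-A" * 4),
                        sample_pe(1679947380, b"SIG-B" * 4)))
```

A result containing only `coff_timestamp` points at the build step, while `signature` means the signed blob itself differs between runs.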