> On May 26, 2026, at 5:19 PM, kpcyrd <[email protected]> wrote:
>
> On 5/23/26 12:02 AM, brian m. carlson wrote:
>> We'd need Sequoia to provide some way to provide deterministic
>> signatures for at least v4 signatures, and probably v6 signatures as
>> well. I realize that v6 does not intend to allow this, but it is
>> functionally required for testsuites as well as some cases with
>> reproducible builds[0].
>> [...]
>> [0] While this might not be useful for _Debian_ reproducible builds, it
>> is useful for _general_ reproducible builds where a trusted authority
>> signs their builds in a reproducible way or includes a signature inside
>> an archive which must be bit-for-bit identical.
> The trend regarding signatures in Reproducible Builds is towards "signatures
> are build inputs", meaning:
>
> - you build an unsigned artifact
> - sign it with your private key out-of-band
> - declare a 2nd build, with your signatures and unsigned artifact as build
> input
> - the 2nd build merges them together, without private key access
>
> This is necessary or the independent verifier would not be able to reproduce
> anything, unless you share your private key with them - either by permanently
> revealing the secret number, or letting them borrow your hardware signing key.

It's actually worse than that. Several cryptographic signing algorithms require
nonces (long random values); to get the same signature result, you'd need the
same artifact, same private key, *and* same nonce.

However, in several algorithms, if you *ever* reuse a nonce for a different
artifact and a given private key, you reveal the private key. So if you retain
a nonce, generate something but it turns out to be different, and sign, you've
exposed the private key. This footgun will happen sooner or later if you try to
re-sign with the same private key in a way that reproduces the final signature.

Things also get weird when you have hardware keys where the secret key *cannot*
be extracted. When (not if) the key dies, does that mean that you can't
reproduce the artifact? The correct answer is obviously no.

Signatures should *not* be considered part of the item you're reproducing.
Signatures attest something about an artifact; added signatures of attestation
do not change the artifact being attested.

--- David A. Wheeler
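
The "signatures are build inputs" flow quoted above, as an added example that is not part of the original thread: a verifier without the key reproduces the unsigned artifact and then the merged one by taking the published signature as an input. The container layout, all function names, `SOURCE` and `KEY` are assumptions, and the HMAC-with-random-nonce signer is only a stand-in for a randomized public-key signature.

```python
import hashlib, hmac, io, os, tarfile

SOURCE = {"README": b"demo\n", "bin/tool": b"\x7fELF-constructed"}  # constructed input
KEY = b"constructed-demo-key"  # held by the signer only

def build_unsigned(files):
    """Build 1: deterministic tar (sorted names, fixed metadata); no key involved."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)  # mtime, uid and gid default to 0
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def sign_out_of_band(key, artifact):
    """Stand-in for a randomized signature: a fresh nonce on every call.
    HMAC is NOT a public-key signature; it only keeps the example stdlib-only."""
    nonce = os.urandom(32)
    return nonce + hmac.new(key, nonce + artifact, hashlib.sha256).digest()

def merge(unsigned, signature):
    """Build 2: inputs are the unsigned artifact and the signature; no key access."""
    return len(unsigned).to_bytes(8, "big") + unsigned + signature

def split(signed):
    """Recover (unsigned artifact, signature) from a merged artifact."""
    n = int.from_bytes(signed[:8], "big")
    return signed[8:8 + n], signed[8 + n:]

def verifier_reproduces(source_files, published):
    """Independent verifier: rebuild from source, take the published signature
    as a build input, and compare the merged result bit for bit."""
    _, published_sig = split(published)
    return merge(build_unsigned(source_files), published_sig) == published

if __name__ == "__main__":
    unsigned = build_unsigned(SOURCE)
    published = merge(unsigned, sign_out_of_band(KEY, unsigned))
    print("unsigned sha256:", hashlib.sha256(unsigned).hexdigest())
    print("re-signing gives the same bytes:",
          sign_out_of_band(KEY, unsigned) == sign_out_of_band(KEY, unsigned))
    print("verifier reproduces published artifact:",
          verifier_reproduces(SOURCE, published))
```

Re-signing yields different bytes each time, yet the verifier still gets a bit-for-bit match because the signature is consumed, never regenerated.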