Ben Hutchings:
> At some point we're hopefully going to support Secure Boot on amd64.
> That means there will be a signed kernel image (separate from the
> current linux-image packages) and a signed GRUB image.  The kernel
> modules in the linux-image packages will also be signed, probably with
> an ephemeral key.
> All these signatures will be embedded within binaries and will of
> course not be reproducible.  The locations of differences will however
> be predictable.
> How should we deal with this limited variability?  Could source
> packages or buildinfo describe the expected variations somehow?

One way to solve this, although a bit wasteful of resources, is to use
the clean rule to perform a first build and create a signature to be
added to the source package.

See my suggested patch for wireless-regdb which implements this idea:

Would that be a good fit for Linux or GRUB?

Lunar
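The "predictable locations" point in the quoted question can be checked mechanically for kernel modules, because the kernel appends a module signature after the ELF payload, followed by a 12-byte `struct module_signature` trailer and a magic string. The following is an added example, not part of the thread or of any Debian tooling; the helper names and the sample modules (placeholder bytes, not real PKCS#7 signatures) are constructed for illustration.

```python
import struct

# Layout of an appended module signature (kernel scripts/sign-file):
#   payload | signer | key_id | signature | struct module_signature | MAGIC
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian)
TRAILER = struct.Struct(">BBBBB3xI")

def split_signed_module(blob):
    """Return (payload, signature_block); signature_block is b"" if unsigned."""
    if not blob.endswith(MAGIC):
        return blob, b""
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("truncated signature trailer")
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    start = end - TRAILER.size - (signer_len + key_id_len + sig_len)
    if start < 0:
        raise ValueError("signature lengths exceed file size")
    return blob[:start], blob[start:]

def same_modulo_signature(build_a, build_b):
    """True if two builds differ only inside the appended signature block."""
    payload_a, sig_a = split_signed_module(build_a)
    payload_b, sig_b = split_signed_module(build_b)
    # A signed and an unsigned module are not treated as equivalent.
    return payload_a == payload_b and bool(sig_a) == bool(sig_b)

def fake_sign(payload, sig):
    """Constructed helper: append placeholder bytes in the kernel's layout."""
    # id_type 2 is PKEY_ID_PKCS7; signer_len and key_id_len are 0 in that mode.
    return payload + sig + TRAILER.pack(0, 0, 2, 0, 0, len(sig)) + MAGIC

# Constructed sample: one payload "signed" by two different ephemeral keys.
PAYLOAD = b"\x7fELF" + bytes(range(64))
BUILD_A = fake_sign(PAYLOAD, b"\xaa" * 256)
BUILD_B = fake_sign(PAYLOAD, b"\x55" * 256)
TAMPERED = fake_sign(PAYLOAD + b"\x90", b"\xaa" * 256)

if __name__ == "__main__":
    print("A vs B:", same_modulo_signature(BUILD_A, BUILD_B))
    print("A vs tampered:", same_modulo_signature(BUILD_A, TAMPERED))
```

A rebuild check built this way still has to verify the signature itself separately; stripping it only shows that the unsigned content is reproducible.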


Reproducible-builds mailing list
