[Pkg-rust-maintainers] Bug#1137357: gpg-from-sq: provide a way to provide (or default to) deterministic signatures

brian m. carlson sandals at crustytoothpaste.net
Fri May 22 23:02:20 BST 2026


Package: gpg-from-sq
Version: 0.13.1-11
Severity: normal

I'm trying to get Git's testsuite to work with the Sequoia-PGP
chameleon.  However, even with a faked system time, Sequoia includes a
salt annotation in signatures, which results in non-deterministic
output.  Because Git object IDs are generated from a hash which covers
the signature, this causes objects to differ and therefore tests to
fail.

We'd need Sequoia to provide some way to provide deterministic
signatures for at least v4 signatures, and probably v6 signatures as
well.  I realize that v6 does not intend to allow this, but it is
functionally required for testsuites as well as some cases with
reproducible builds[0].

Could you please add support for some method for signing reproducibly,
ideally either based on `--faked-system-time` or `SOURCE_BUILD_EPOCH`?

[0] While this might not be useful for _Debian_ reproducible builds, it
is useful for _general_ reproducible builds where a trusted authority
signs their builds in a reproducible way or includes a signature inside
an archive which must be bit-for-bit identical.

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 7.0.4+deb14-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg-from-sq depends on:
ii  gpg-sq  0.13.1-11

Versions of packages gpg-from-sq recommends:
ii  gpgv-from-sq  0.13.1-11

gpg-from-sq suggests no packages.

-- no debconf information

-- 
brian m. carlson (they/them)
Toronto, Ontario, CA
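
The dependency described in the report, as an added example that is not part of the original message and is not Git's or Sequoia's code: a signed commit's object ID is a hash over the embedded signature, so a fresh salt per signature changes the ID even when every timestamp is fixed. The HMAC-based `toy_sign` is a constructed stand-in for an OpenPGP signature, and the key, identities and timestamps are constructed sample values.

```python
import base64, hashlib, hmac, os

KEY = b"constructed-demo-key"  # constructed; stands in for a private signing key
UNSIGNED = (                   # constructed commit with fixed (faked) timestamps
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.com> 1112911993 -0700\n"
    b"committer C O Mitter <committer@example.com> 1112911993 -0700\n"
    b"\ninitial\n"
)

def toy_sign(payload: bytes, salt: bytes) -> str:
    """Toy signature (HMAC, not OpenPGP): the salt is signed and carried along."""
    mac = hmac.new(KEY, salt + payload, hashlib.sha256).digest()
    body = base64.b64encode(salt + mac).decode()
    return "-----BEGIN PGP SIGNATURE-----\n\n" + body + "\n-----END PGP SIGNATURE-----"

def signed_commit(unsigned: bytes, signature: str) -> bytes:
    """Embed the signature as a gpgsig header, as Git stores signed commits:
    the header precedes the blank line before the message, and every
    continuation line of the signature is prefixed with one space."""
    headers, message = unsigned.split(b"\n\n", 1)
    folded = signature.replace("\n", "\n ").encode()
    return headers + b"\ngpgsig " + folded + b"\n\n" + message

def git_oid(kind: bytes, body: bytes) -> str:
    """SHA-1 object ID: hash of '<type> <size>\\0' followed by the object body."""
    return hashlib.sha1(kind + b" " + str(len(body)).encode() + b"\0" + body).hexdigest()

def commit_oid(salt: bytes) -> str:
    """Sign the unsigned commit with the given salt and return the resulting OID."""
    return git_oid(b"commit", signed_commit(UNSIGNED, toy_sign(UNSIGNED, salt)))

if __name__ == "__main__":
    # Same commit, same timestamps, random salt per signature: the OIDs differ.
    print("salted:       ", commit_oid(os.urandom(16)), commit_oid(os.urandom(16)))
    # Same commit with a fixed salt: the OID is reproducible.
    print("deterministic:", commit_oid(bytes(16)), commit_oid(bytes(16)))
```
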