[Reproducible-builds] Reproducibility vs signatures

Jérémy Bobbio lunar at debian.org
Wed Aug 5 08:52:55 UTC 2015


Ben Hutchings:
> On Mon, 2015-08-03 at 10:27 +0200, Jérémy Bobbio wrote:
> > Ben Hutchings:
> > > At some point we're hopefully going to support Secure Boot on amd64.
> > > That means there will be a signed kernel image (separate from the
> > > current linux-image packages) and a signed GRUB image.  The kernel
> > > modules in the linux-image packages will also be signed, probably with
> > > an ephemeral key.
> > > 
> > > All these signatures will be embedded within binaries and will of
> > > course not be reproducible.  The locations of differences will however
> > > be predictable.
> > > 
> > > How should we deal with this limited variability?  Could source
> > > packages or buildinfo describe the expected variations somehow?
> > 
> > One way to solve this, although a bit wasteful on resources, is to use
> > the clean rule to perform a first build and create a signature to be
> > added to the source package.
> 
> That sort of works as long as there's only one architecture we want to
> do this for.  But the ability to verify modules is useful in general so
> I would like to turn that on for all architectures.

Here's a solution I had in my mind when opening my eyes this
morning [1]:

Ship signatures in a separate source package, e.g. linux-signatures.
Have linux-image Recommends linux-signatures. Ideally, I think the
signatures should be shipped in extra files. Another solution would be
to use xattrs and set them in a postinst script [2]. Or mangle the files
in place to add signatures, but that would prevent using debsums.

Both linux-image and linux-signatures can be built reproducibly.
linux-signatures will have the actual signatures in its source,
generated for a specific linux-image version.

That way the release process can be: upload new linux, wait for buildds,
retrieve results from archive, create linux-signatures, upload
linux-signatures. Having linux build reproducibly can help the signers
gain extra confidence that the buildds are not compromised by performing
extra builds on different systems.

What do you think?

 [1]: Yes, human brains seem to also have background tasks.
 [2]: xattrs are used by IMA, see <https://lwn.net/Articles/488906/> and
      #766267.

-- 
Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
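
The release process proposed in this message, sketched as an added example (not part of the original message and not Debian tooling): the signer compares independent rebuilds against the archive copy, signs only when every file matches bit for bit, and keeps the signatures in a separate, deterministically serialised file. The file names, the JSON layout and the HMAC stand-in for a real asymmetric signature are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def agreed_digests(archive: dict, rebuilds: list) -> dict:
    """Digest every archive file; raise if any independent rebuild differs."""
    want = {path: digest(blob) for path, blob in archive.items()}
    for n, rebuild in enumerate(rebuilds):
        got = {path: digest(blob) for path, blob in rebuild.items()}
        bad = sorted(p for p in want.keys() | got.keys() if want.get(p) != got.get(p))
        if bad:
            raise ValueError(f"rebuild {n} does not match the archive: {bad}")
    return want

def make_signatures(archive: dict, rebuilds: list, sign) -> dict:
    """Sign only what the rebuilds confirmed; the signed files are never modified."""
    return {p: sign(d.encode()) for p, d in agreed_digests(archive, rebuilds).items()}

def render(signatures: dict) -> bytes:
    """Serialise deterministically: this file is source for the signatures package."""
    return json.dumps(signatures, sort_keys=True, indent=1).encode()

def verify(path: str, blob: bytes, signatures: dict, sign) -> bool:
    # With a real asymmetric scheme this would check against a public key;
    # the HMAC stand-in recomputes the tag instead.
    sig = signatures.get(path)
    return sig is not None and hmac.compare_digest(sig, sign(digest(blob).encode()))

# Constructed sample data and a stand-in signer (HMAC with a throwaway key).
DEMO_KEY = b"constructed-demo-key"

def demo_sign(msg: bytes) -> str:
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

ARCHIVE = {"example_a.ko": b"\x7fELF module a", "example_b.ko": b"\x7fELF module b"}
GOOD_REBUILD = dict(ARCHIVE)
BAD_REBUILD = {**ARCHIVE, "example_b.ko": b"\x7fELF module b, altered"}

if __name__ == "__main__":
    sigs = make_signatures(ARCHIVE, [GOOD_REBUILD], demo_sign)
    print(render(sigs).decode())
    print(verify("example_a.ko", ARCHIVE["example_a.ko"], sigs, demo_sign))
```

Because the signatures live outside the signed files, both the image package and the signatures package keep byte-identical outputs across rebuilds.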