On Sat, 2025-05-03 at 01:43 +0200, kpcyrd wrote:

On 5/2/25 3:30 PM, James Bottomley wrote:

[...]

quoted

Or you simply ship tools to remove the signature;

sbattach --remove <signed efi variable>

already does this for you ...

It reads like you assume somebody sits down and explicitly looks at
the linux package manually, but the reproducible builds tooling
considers the package content to be fully opaque and doesn't have any
special-casing of any package:

https://github.com/archlinux/archlinux-repro
https://salsa.debian.org/debian/devscripts/-/blob/main/scripts/debrebuild.pl?ref_type=heads

How something is packaged for consumers and what the outputs of a build
are are two entirely different things.  But if you control packaging,
you could actually strip the signatures and place them in an unchecked
section as long as you make sure to combine them on installation.

I'd rather not deal with the consequences of weakening the comparison
and possibly introducing exploitable loop-holes in any of the layers
we wouldn't be able to bit-for-bit compare anymore (like e.g. tar).

To repeat the point: what everyone would like to do to make life easy
is a bit different from what has to be done in the modern era of  build
provenance requirements.

It would also break the concept of `f(source) -> binary`, "you can 
deterministically derive the binary packages from the documented
build inputs", and instead you'd always need to fuzzy-match against
what somebody else built.

I think you'll find

f -> strip signature ° build

Works in the above equation.  The point being it's deterministic, not
fuzzy.

Regards,

James