Mail archive

Re: [alpine-devel] Report from Reproducible builds summit 2018

From: Max Rees <>
Date: Sun, 30 Dec 2018 17:52:59 -0500

On Dec 17 11:07 PM, Chloe Kudryavtsev wrote:
> On 12/17/18 7:33 AM, Natanael Copa wrote:
> > * we may need to store the exact versions and/or hashes of the
> > dependencies used when a package was built. I am not sure where we
> > want to store this. Maybe in the APKINDEX?
> I think this is a good idea. Mostly a note in regards to the next comment.
> > * we embed the signature in the .apk, which means it's not possible to
> > re-create the exact same .apk without having access to the private
> > key. I'm not sure how to deal with that.
> I do not believe we need to allow for that.
> Since we want to store exact versions/hashes of dependencies in the .apk, I
> believe we can also store a hash of the resulting tree, pre-signature
> (meaning we sign the hash as well).
> This hash should be visible using apk(1), to allow people to
> programmatically verify that two .apks are the same internally, and
> guarantees the integrity of the hash in mirrors.

[apologies to Chloe - I forgot to list-reply on the first draft of this

The "datahash" field of the .PKGINFO file should be able to serve this
purpose - it's the SHA256 checksum of the data.tar.gz file (i.e. the
actual tree contents), and since it's located in control.tar.gz it's
signed as part of the existing .apk file creation process. I agree that
apk(1) or perhaps a standalone utility should make it easier to
get the datahash of an .apk file.

As long as data.tar.gz is created reproducibly, then the datahash should
end up being the same.


Received on Sun Dec 30 2018 - 17:52:59 UTC
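
A sketch of the standalone datahash check suggested in the message above, added here as an example; it is not code from apk-tools or from the thread. It assumes an .apk is a concatenation of gzip streams whose last two are control.tar.gz and data.tar.gz, each a single gzip member, and the sample package is constructed in memory.

```python
import hashlib, io, tarfile, zlib

def split_gzip_members(blob):
    """Return the raw bytes of each concatenated gzip member in blob."""
    members = []
    while blob:
        d = zlib.decompressobj(wbits=31)      # 31 = gzip header and trailer
        d.decompress(blob)
        if not d.eof:
            raise ValueError("truncated gzip stream")
        members.append(blob[:len(blob) - len(d.unused_data)])
        blob = d.unused_data
    return members

def pkginfo_datahash(control_gz):
    """Read the datahash field from .PKGINFO inside control.tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(control_gz), mode="r:gz") as tar:
        text = tar.extractfile(".PKGINFO").read().decode()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "datahash":
            return value.strip()
    raise ValueError("no datahash in .PKGINFO")

def check_apk(blob):
    """Return (recorded, actual, match) for the datahash of an .apk blob."""
    members = split_gzip_members(blob)
    if len(members) < 2:
        raise ValueError("expected control and data segments")
    control_gz, data_gz = members[-2:]        # assumption: last two segments
    recorded = pkginfo_datahash(control_gz)
    actual = hashlib.sha256(data_gz).hexdigest()  # hash the compressed bytes
    return recorded, actual, recorded == actual

def _tar_gz(name, body):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def build_sample_apk(tamper=False):           # constructed sample, not a real package
    data_gz = _tar_gz("usr/bin/hello", b"#!/bin/sh\necho hi\n")
    digest = hashlib.sha256(data_gz).hexdigest()
    control_gz = _tar_gz(".PKGINFO", f"pkgname = hello\ndatahash = {digest}\n".encode())
    if tamper:                                # swap the payload after hashing
        data_gz = _tar_gz("usr/bin/hello", b"#!/bin/sh\necho changed\n")
    return _tar_gz(".SIGN.constructed", b"placeholder") + control_gz + data_gz
```

Two independent builds can then be compared by the `recorded` value alone, without access to the signing key; the match only proves integrity when the signature over control.tar.gz has been verified separately.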