
I would like to verify whether the package mksh can be built in a reproducible way. I am trying with

apt build-dep mksh
apt source mksh
cd mksh; dpkg-buildpackage -uc -us
cd ..; sha256sum <freshly built .deb>

If I now do

apt download mksh

and compare the checksum of the downloaded deb with the Debian package I created locally, the checksum differs (expected, as I did not sign the deb).

How to make those checksums match?

Manu
    Typically in Debian, you don't sign the DEB package directly but the APT archive manifests instead, so the checksums on the package itself won't differ for that reason. However, for a reproducible build, you need to use exactly the same versions of the packages as the original builder used. – bk2204 Oct 14 '21 at 01:24

2 Answers


The mksh source package builds reproducibly, which means that it would be possible to recreate a given .deb package if you can reproduce its build environment. That information is stored in .buildinfo files, and with the help of Debian snapshots, it is possible to retrieve the exact versions of all the packages used to build a given .deb.

Currently, .buildinfo files aren’t published alongside binary packages in the Debian repositories, but they are published on buildinfos.debian.net, and this has the .buildinfo files for the version of mksh currently in Debian 11 (e.g. the amd64 version). Using that, you can determine what the build environment for a given mksh binary package was, and then try to reproduce it.

There’s another subtlety here — the current mksh package in Debian 11 is a binNMU, whose source doesn’t exactly match the published package source. To reproduce the existing binary package, you’d have to include the additional binNMU changelog (e.g. changelog.Debian.amd64.gz in the amd64 package) with the same contents:

mksh (59c-9+b2) sid; urgency=low, binary-only=yes

  * Binary-only non-maintainer upload for amd64; no source changes.
  * Rebuild for outdated Built-Using

 -- amd64 / i386 Build Daemon (x86-ubc-01) <buildd_amd64-x86-ubc-01@buildd.debian.org>  Thu, 05 Aug 2021 11:52:19 +0000

Note that if you can reproduce a given build environment, the resulting .deb files should be exactly identical — binary packages published in Debian aren’t signed themselves, it’s the metadata describing them that is.

Stephen Kitt
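To act on a .buildinfo the way this answer describes, here is an added example (my own code, not from the question, the answers, or Debian's tooling): it parses a constructed .buildinfo excerpt, extracts the exact Installed-Build-Depends versions you would pin from snapshot.debian.org before rebuilding, and checks a rebuilt .deb against the Checksums-Sha256 entry the file declares. The package bytes and the dependency versions in the sample are constructed, not taken from the real mksh build.

```python
import hashlib
import re

# Constructed stand-in for the .deb, and a constructed .buildinfo excerpt in the
# real file's layout (RFC822-style fields, continuation lines indented by one
# space); the package versions below are made up.
SAMPLE_DEB = b"!<arch>\nconstructed-deb-bytes\n"
SAMPLE_BUILDINFO = f"""\
Version: 59c-9+b2
Checksums-Sha256:
 {hashlib.sha256(SAMPLE_DEB).hexdigest()} {len(SAMPLE_DEB)} mksh_59c-9+b2_amd64.deb
Installed-Build-Depends:
 dpkg (= 1.20.9),
 gcc (= 4:10.2.1-1),
 libc6:amd64 (= 2.31-13)
"""

DEP_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9+.-]*)(?::\S+)? \(= (?P<version>\S+)\)$")

def parse_buildinfo(text):
    """Split the field/continuation-line layout into {field: [line, ...]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            fields[current].append(line.strip())
        elif ":" in line:
            current, value = line.split(":", 1)
            fields[current] = [value.strip()] if value.strip() else []
    return fields

def installed_build_depends(fields):
    """Exact versions the original builder had installed, as {name: version}."""
    deps = {}
    for entry in fields.get("Installed-Build-Depends", []):
        m = DEP_RE.match(entry.rstrip(","))
        if not m:
            raise ValueError(f"unparsable Installed-Build-Depends entry: {entry!r}")
        deps[m["name"]] = m["version"]
    return deps

def declared_sha256(fields, filename):
    """SHA-256 the .buildinfo records for one produced .deb, or None if absent."""
    for entry in fields.get("Checksums-Sha256", []):
        digest, _size, name = entry.split()
        if name == filename:
            return digest
    return None

def deb_matches_buildinfo(fields, filename, data):
    # A byte-identical rebuild reproduces the declared digest; anything else fails.
    return hashlib.sha256(data).hexdigest() == declared_sha256(fields, filename)
```

Feed the real .buildinfo from buildinfos.debian.net to parse_buildinfo, install each name=version pair from the snapshot archive, rebuild, and compare the resulting .deb with deb_matches_buildinfo.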

You cannot. The underlying data differs, therefore the computed checksum will differ. Finding 2 values that have the same checksum is a Hard Problem.

waltinator