Steve Lawrence created DAFFODIL-3037:
----------------------------------------

             Summary: check-release script does not handle rpm signatures for reproducibility checks
                 Key: DAFFODIL-3037
                 URL: https://issues.apache.org/jira/browse/DAFFODIL-3037
             Project: Daffodil
          Issue Type: Bug
          Components: Infrastructure
            Reporter: Steve Lawrence
            Assignee: Steve Lawrence
             Fix For: 4.0.0


When dist RPMs are created, they are signed with an embedded signature. This 
can make reproducibility difficult. To handle this, we currently use rpmsign 
--delsign to delete the embedded signatures before performing the diff. But 
rpmsign --delsign sometimes deletes the signature in a way that is technically 
correct in that the RPM does not have a signature, but the RPM is still not 
identical to the same RPM that was never signed.

We need an alternative approach to deleting the signature to allow more 
consistent reproducibility checks.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
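
One possible signature-independent comparison, as an added example (not the Daffodil check-release script and not the fix adopted for this issue): skip the RPM signature header when hashing, so the lead, main header and payload are compared directly. It assumes the residual difference left by rpmsign --delsign is confined to the signature header; the sample bytes and all function names are constructed for illustration.

```python
import hashlib
import struct

LEAD_SIZE = 96                    # fixed-size RPM lead
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8"    # followed by a one-byte version


def main_header_offset(rpm: bytes) -> int:
    """Offset just past the signature header and its alignment padding."""
    if len(rpm) < LEAD_SIZE + 16 or rpm[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad or truncated lead")
    if rpm[LEAD_SIZE:LEAD_SIZE + 3] != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    # Intro: magic(3) version(1) reserved(4) index_count(4) store_size(4)
    count, store = struct.unpack(">II", rpm[LEAD_SIZE + 8:LEAD_SIZE + 16])
    end = LEAD_SIZE + 16 + 16 * count + store
    end += -end % 8               # main header starts on an 8-byte boundary
    if end > len(rpm):
        raise ValueError("signature header runs past end of file")
    return end


def content_digest(rpm: bytes) -> str:
    """SHA-256 over lead + main header + payload, skipping the signature header."""
    body = rpm[:LEAD_SIZE] + rpm[main_header_offset(rpm):]
    return hashlib.sha256(body).hexdigest()


def build_sample(sig_entries: int, sig_store: bytes, rest: bytes) -> bytes:
    """Constructed RPM-shaped bytes for the demo (not a real package)."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    sizes = struct.pack(">II", sig_entries, len(sig_store))
    sig = HEADER_MAGIC + b"\x01" + bytes(4) + sizes + bytes(16 * sig_entries) + sig_store
    return lead + sig + bytes(-len(sig) % 8) + rest


REST = HEADER_MAGIC + b"\x01" + b"constructed main header and payload"
NEVER_SIGNED = build_sample(2, b"digest-only", REST)
# Assumption: the "signature deleted" file differs only inside the signature header.
SIG_DELETED = build_sample(3, b"digest-only" + bytes(20), REST)

if __name__ == "__main__":
    print("byte-identical:", NEVER_SIGNED == SIG_DELETED)
    print("content match: ", content_digest(NEVER_SIGNED) == content_digest(SIG_DELETED))
```

A change anywhere in the lead, main header or payload still changes the digest, so only the signature header is exempt from the comparison.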
