[
https://issues.apache.org/jira/browse/DAFFODIL-3037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Lawrence resolved DAFFODIL-3037.
--------------------------------------
Resolution: Fixed
Fixed in commit 8d4ed58bf33be3ddf642d278511a44c11be5463d of the
daffodil-infrastructure repo
> check-release script does not handle rpm signatures for reproducibility checks
> ------------------------------------------------------------------------------
>
> Key: DAFFODIL-3037
> URL: https://issues.apache.org/jira/browse/DAFFODIL-3037
> Project: Daffodil
> Issue Type: Bug
> Components: Infrastructure
> Reporter: Steve Lawrence
> Assignee: Steve Lawrence
> Priority: Major
> Fix For: 4.0.0
>
>
> When dist RPMs are created, they are signed with an embedded signature. This
> can make reproducibility difficult. To handle this, we currently use rpmsign
> --delsign to delete the embedded signatures before performing the diff. But
> rpmsign --delsign sometimes deletes the signature in a way that is
> technically correct in that the RPM does not have a signature, but the RPM is
> still not identical to the same RPM that was never
> signed.
> We need an alternative approach to deleting the signature to allow move
> consistent reproducibility checks.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
