Package: gpg-from-sq
Version: 0.13.1-11
Severity: normal

I'm trying to get Git's testsuite to work with the Sequoia-PGP chameleon. However, even with a faked system time, Sequoia includes a salt annotation in signatures, which results in non-deterministic output. Because Git object IDs are generated from a hash which covers the signature, this causes objects to differ and therefore tests to fail.

We'd need Sequoia to provide some way to provide deterministic signatures for at least v4 signatures, and probably v6 signatures as well. I realize that v6 does not intend to allow this, but it is functionally required for testsuites as well as some cases with reproducible builds[0].

Could you please add support for some method for signing reproducibly, ideally either based on `--faked-system-time` or `SOURCE_BUILD_EPOCH`?

[0] While this might not be useful for _Debian_ reproducible builds, it is useful for _general_ reproducible builds where a trusted authority signs their builds in a reproducible way or includes a signature inside an archive which must be bit-for-bit identical.

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 7.0.4+deb14-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg-from-sq depends on:
ii  gpg-sq  0.13.1-11

Versions of packages gpg-from-sq recommends:
ii  gpgv-from-sq  0.13.1-11

gpg-from-sq suggests no packages.

-- no debconf information

--
brian m. carlson (they/them)
Toronto, Ontario, CA
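Added example, not part of the original report and not Git or Sequoia code: it shows why a per-signature salt changes a signed commit's object ID even when all timestamps are fixed. The signature is a constructed stand-in (not OpenPGP), and the commit payload, names and salts are assumptions made for the illustration.

```python
import base64
import hashlib

# Constructed commit payload with fixed timestamps (models a faked system time).
# The tree is Git's well-known empty tree; names and dates are made up.
PAYLOAD = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.com> 1112911993 -0700\n"
    b"committer C O Mitter <committer@example.com> 1112911993 -0700\n"
    b"\n"
    b"signed commit\n"
)


def toy_signature(payload: bytes, salt: bytes) -> str:
    """Stand-in for an armored signature. NOT OpenPGP: it only models
    signature bytes that depend on a per-signature salt."""
    digest = hashlib.sha256(salt + payload).digest()
    body = base64.b64encode(salt + digest).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{body}\n-----END PGP SIGNATURE-----"


def signed_commit(payload: bytes, signature: str) -> bytes:
    """Store the signature as a gpgsig header, as Git does for signed commits:
    after the other headers, continuation lines prefixed with one space."""
    headers, _, message = payload.partition(b"\n\n")
    folded = signature.replace("\n", "\n ").encode()
    return headers + b"\ngpgsig " + folded + b"\n\n" + message


def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 object ID: hash of '<kind> <size>\\0' followed by the body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def commit_id(salt: bytes) -> str:
    """Object ID of the constructed commit when signed with the given salt."""
    return git_object_id("commit", signed_commit(PAYLOAD, toy_signature(PAYLOAD, salt)))


if __name__ == "__main__":
    import os
    print("fixed salt :", commit_id(bytes(16)), commit_id(bytes(16)))
    print("fresh salts:", commit_id(os.urandom(16)), commit_id(os.urandom(16)))
```

With a fixed salt the two object IDs match; with fresh salts they differ although the payload and timestamps are identical, which is the failure a test suite comparing expected object IDs would see.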

