Deterministic signatures digest prefix

Richard Ulrich richard.ulrich at aminagroup.com
Thu May 29 14:55:25 CEST 2025


Hi,

we sign some files such as grub config, kernel, initrd for a Live DVD so that
grub can verify them when the system boots. Most of the DVD ISO builds
reproducibly. At the moment I am trying to also get those signatures
reproducible.
By using faketime, I harmonized the timestamp that is part of the signature. The
main difference I see at the moment is the "Digest prefix".
Even with lots of searching and reading all sorts of documentation and forum
posts, I was not able to figure out how to make the digest prefix constant.

This is one of the commands I use to produce the signature:

faketime -f "2025-05-29 00:00:00" gpg --local-user ccc --digest-algo SHA512 --detach-sign boot/vmlinuz

The actual private key is on a YubiKey, but I don't think that makes a
difference.

Then I examine the signature with:

sq packet dump --hex boot/vmlinuz.sig

With kind regards
Richard
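For readers following this thread, the following is an added example (it is not the poster's code, nor GnuPG's or sq's) that builds a synthetic OpenPGP v4 detached signature packet and recomputes its two-byte digest prefix from scratch, so that one can see exactly which bytes the prefix depends on: the signed file, the signature fields through the hashed subpacket area (including the creation time and issuer fingerprint), and the v4 trailer, as laid out in RFC 4880 section 5.2.4. The fingerprint, key ID and creation time are constructed placeholders, the MPIs at the end are dummies (no real signing takes place), and only SHA-512 and v4 packets are handled; it uses the Python standard library only.

```python
"""Added example (not the poster's or GnuPG's code): build a synthetic OpenPGP
v4 detached signature packet and recompute its 2-byte digest prefix, to show
exactly which bytes the prefix depends on (RFC 4880 section 5.2.4).
The key material is a constructed placeholder; no real signing happens."""
import hashlib
import struct

SHA512 = 10        # OpenPGP hash algorithm id for SHA-512
EDDSA = 22         # OpenPGP public-key algorithm id for EdDSA
SIG_BINARY = 0x00  # signature of a binary document (what --detach-sign makes)

# Constructed placeholder, not a real key: 20-byte fingerprint and its key ID
FAKE_FPR = bytes(range(0x10, 0x24))
FAKE_KEYID = FAKE_FPR[-8:]


def _subpacket(sp_type, body):
    """Encode one signature subpacket (this example emits 1-octet lengths only)."""
    assert len(body) + 1 < 192
    return bytes([len(body) + 1, sp_type]) + body


def signature_digest(data, hashed_part):
    """Hash exactly what a v4 signature covers: the document, the signature
    fields through the hashed subpackets, then the trailer 0x04 0xFF + length."""
    h = hashlib.sha512()
    h.update(data)
    h.update(hashed_part)
    h.update(b"\x04\xff" + struct.pack(">I", len(hashed_part)))
    return h.digest()


def build_detached_sig(data, creation_time):
    """Synthetic v4 signature packet over `data`; the MPIs are placeholders."""
    hashed = _subpacket(2, struct.pack(">I", creation_time))   # signature creation time
    hashed += _subpacket(33, b"\x04" + FAKE_FPR)               # issuer fingerprint
    hashed_part = (bytes([4, SIG_BINARY, EDDSA, SHA512])
                   + struct.pack(">H", len(hashed)) + hashed)
    unhashed = _subpacket(16, FAKE_KEYID)                      # issuer key ID
    prefix = signature_digest(data, hashed_part)[:2]           # the "digest prefix"
    fake_mpi = struct.pack(">H", 256) + b"\x80" + b"\x00" * 31  # placeholder r / s
    body = (hashed_part + struct.pack(">H", len(unhashed)) + unhashed
            + prefix + fake_mpi + fake_mpi)
    assert len(body) < 192                                     # 1-octet packet length
    return bytes([0xC0 | 2, len(body)]) + body                 # new-format tag 2


def _parse_subpackets(buf):
    """Return [(type, body)] for each subpacket; handles all three length forms."""
    i, out = 0, []
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        out.append((buf[i], bytes(buf[i + 1:i + length])))
        i += length
    return out


def parse_detached_sig(pkt):
    """Split a new-format v4 signature packet into the fields a packet dump shows."""
    assert pkt[0] == 0xC2, "expected new-format signature packet (tag 2)"
    if pkt[1] < 192:
        body = pkt[2:2 + pkt[1]]
    else:
        body = pkt[3:3 + ((pkt[1] - 192) << 8) + pkt[2] + 192]
    version, sig_type, pk_algo, hash_algo = body[:4]
    assert version == 4, "this example handles v4 signatures only"
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed_part = body[:6 + hlen]            # everything the digest covers
    pos = 6 + hlen
    ulen = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + ulen]
    pos += 2 + ulen
    hashed_sps = _parse_subpackets(body[6:6 + hlen])
    ctime = next(struct.unpack(">I", b)[0] for t, b in hashed_sps if t == 2)
    return {
        "sig_type": sig_type, "pk_algo": pk_algo, "hash_algo": hash_algo,
        "creation_time": ctime,
        "hashed_subpackets": hashed_sps,
        "unhashed_subpackets": _parse_subpackets(unhashed),
        "hashed_part": bytes(hashed_part),
        "digest_prefix": bytes(body[pos:pos + 2]),
    }


def check_digest_prefix(data, pkt):
    """True when the stored prefix matches a fresh hash of data + hashed area."""
    sig = parse_detached_sig(pkt)
    assert sig["hash_algo"] == SHA512, "example only recomputes SHA-512"
    return signature_digest(data, sig["hashed_part"])[:2] == sig["digest_prefix"]


if __name__ == "__main__":
    data = b"constructed stand-in for boot/vmlinuz"
    t = 1748476800                        # 2025-05-29 00:00:00 UTC, constructed
    p_t, p_t1 = build_detached_sig(data, t), build_detached_sig(data, t + 1)
    print("same creation time -> identical packet:", p_t == build_detached_sig(data, t))
    print("prefix at t  :", parse_detached_sig(p_t)["digest_prefix"].hex())
    print("prefix at t+1:", parse_detached_sig(p_t1)["digest_prefix"].hex())
    print("stored prefix matches recomputed hash:", check_digest_prefix(data, p_t))
```

The practical use is as a diffing aid: the prefix is the first two octets of the hash over the file plus the hashed area, so for a fixed file and hash algorithm it can only change between two runs if some byte in the hashed subpacket area changed; dumping the hashed subpackets of two signatures side by side shows which one. The check is not a signature verification (it never looks at the MPIs), and a v6 signature as defined in RFC 9580 carries a random salt in the hashed input that this v4-only parser does not handle.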


More information about the Gnupg-users mailing list