Notes for shim - reproducible builds result

Version annotated: 0.9+1474479173.6c180c6-1
Comments: Signed EFI files differ.
.
1) One of the differences looks suspiciously like a notBefore/notAfter X.509 certificate difference:
.
│ │ │ │ 00011420: 7479 3110 300e 0603 5504 0a0c 0753 6f6d ty1.0...U....Som
│ │ │ │ -00011430: 654f 7267 301e 170d 3137 3131 3139 3139 eOrg0...17111919
│ │ │ │ -00011440: 3135 3235 5a17 0d31 3831 3131 3931 3931 1525Z..181119191
│ │ │ │ -00011450: 3532 355a 3041 310b 3009 0603 5504 0613 525Z0A1.0...U...
│ │ │ │ +00011430: 654f 7267 301e 170d 3136 3130 3137 3132 eOrg0...16101712
│ │ │ │ +00011440: 3533 3235 5a17 0d31 3731 3031 3731 3235 5325Z..171017125
│ │ │ │ +00011450: 3332 355a 3041 310b 3009 0603 5504 0613 325Z0A1.0...U...
│ │ │ │ 00011460: 0255 5331 1130 0f06 0355 0407 0c08 536f .US1.0...U....So
│ │ │ │ 00011470: 6d65 4369 7479 3110 300e 0603 5504 0a0c meCity1.0...U...
.
The diff suggests that the build signs the artifact with a certificate valid for one year starting at the build date.
.
Looking at the source, that seems to be exactly what's happening (see line 9):
.
1 #!/bin/bash -e
2 #
3 # Generate a root CA cert for signing, and then a subject cert.
4 # Usage: make-certs.sh hostname [user[@domain]] [more ...]
5 # For testing only, probably still has some bugs in it.
6 #
7
8 DOMAIN=xn--u4h.net
9 DAYS=365
10 KEYTYPE=RSA
.
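As an added worked example (not part of this note, of shim's make-certs.sh, or of the provisional patch), the following Python decodes the X.509 Validity SEQUENCE from the two hexdump fragments above, confirms that each spans exactly the DAYS=365 seen in the script, and shows the usual reproducible-builds fix: deriving notBefore/notAfter from SOURCE_DATE_EPOCH instead of the wall clock. The deterministic_validity helper and the epoch value used in it are assumptions of this example, not the content of the patch.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed from the diffoscope hexdump in the note: the bytes of the
# Validity SEQUENCE (offsets 0x11430-0x11450) for the two builds.
VALIDITY_BUILD_A = bytes.fromhex(
    "301e170d3137313131393139313532355a170d3138313131393139313532355a")
VALIDITY_BUILD_B = bytes.fromhex(
    "301e170d3136313031373132353332355a170d3137313031373132353332355a")


def parse_validity(der):
    """Decode DER Validity ::= SEQUENCE { notBefore Time, notAfter Time }
    where each Time is a UTCTime (tag 0x17, YYMMDDHHMMSSZ).
    Returns (notBefore, notAfter) as timezone-aware datetimes."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag 0x30")
    seq_len = der[1]
    if seq_len & 0x80:
        raise ValueError("long-form lengths are not handled in this example")
    body = der[2:2 + seq_len]
    times = []
    pos = 0
    while pos < len(body):
        tag, length = body[pos], body[pos + 1]
        if tag != 0x17:
            raise ValueError(f"expected UTCTime tag 0x17, got {tag:#x}")
        text = body[pos + 2:pos + 2 + length].decode("ascii")
        if not re.fullmatch(r"\d{12}Z", text):
            raise ValueError(f"malformed UTCTime {text!r}")
        yy = int(text[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy  # RFC 5280 UTCTime century rule
        times.append(datetime(year, int(text[2:4]), int(text[4:6]),
                              int(text[6:8]), int(text[8:10]), int(text[10:12]),
                              tzinfo=timezone.utc))
        pos += 2 + length
    if len(times) != 2:
        raise ValueError("Validity must contain exactly two Time values")
    return times[0], times[1]


def utctime(dt):
    """Encode a UTC datetime as a DER UTCTime TLV."""
    text = dt.strftime("%y%m%d%H%M%SZ").encode("ascii")
    return bytes([0x17, len(text)]) + text


def deterministic_validity(source_date_epoch, days=365):
    """Hypothetical fix: build the Validity SEQUENCE from SOURCE_DATE_EPOCH
    (seconds since the Unix epoch) rather than `date`, so two builds of the
    same source emit byte-identical notBefore/notAfter fields."""
    not_before = datetime.fromtimestamp(source_date_epoch, tz=timezone.utc)
    not_after = not_before + timedelta(days=days)
    body = utctime(not_before) + utctime(not_after)
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    for label, der in (("build A", VALIDITY_BUILD_A), ("build B", VALIDITY_BUILD_B)):
        nb, na = parse_validity(der)
        print(f"{label}: notBefore={nb.isoformat()} notAfter={na.isoformat()} "
              f"span={(na - nb).days} days")
    # Pinning the clock to build B's notBefore reproduces build B's bytes exactly.
    epoch = int(parse_validity(VALIDITY_BUILD_B)[0].timestamp())
    print("reproducible:", deterministic_validity(epoch) == VALIDITY_BUILD_B)
```

Pinning the validity period only removes the certificate-dates difference; a freshly generated signing key per build (the note's "signature itself is probably random") would still make the signature bytes differ and has to be handled separately.
.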
2) There are probably additional issues. Some of the other differences
would be fallout of the above (e.g., checksums), but the signature itself
is probably random.
.
Provisional patch here: https://gist.github.com/lamby/543afd9420d9d740d1320d77faf8c4fc/raw
 

Our notes about issues affecting packages are stored in notes.git and are targeted at packages in Debian in 'unstable/amd64' (unless they say otherwise).