Version annotated: | 0.9+1474479173.6c180c6-1 |
Comments: |
Signed EFI files differ.

1) One of the differences looks suspiciously like a notBefore/notAfter X.509 certificate difference:

│ │ │ │ 00011420: 7479 3110 300e 0603 5504 0a0c 0753 6f6d ty1.0...U....Som
│ │ │ │ -00011430: 654f 7267 301e 170d 3137 3131 3139 3139 eOrg0...17111919
│ │ │ │ -00011440: 3135 3235 5a17 0d31 3831 3131 3931 3931 1525Z..181119191
│ │ │ │ -00011450: 3532 355a 3041 310b 3009 0603 5504 0613 525Z0A1.0...U...
│ │ │ │ +00011430: 654f 7267 301e 170d 3136 3130 3137 3132 eOrg0...16101712
│ │ │ │ +00011440: 3533 3235 5a17 0d31 3731 3031 3731 3235 5325Z..171017125
│ │ │ │ +00011450: 3332 355a 3041 310b 3009 0603 5504 0613 325Z0A1.0...U...
│ │ │ │ 00011460: 0255 5331 1130 0f06 0355 0407 0c08 536f .US1.0...U....So
│ │ │ │ 00011470: 6d65 4369 7479 3110 300e 0603 5504 0a0c meCity1.0...U...

The diff seems as though the build signs the artifact for one year starting at the build date.

Looking at the source, that seems to be exactly what's happening (see line 9):

%
2 #
3 # Generate a root CA cert for signing, and then a subject cert.
4 # Usage: make-certs.sh hostname [user[@domain]] [more ...]
5 # For testing only, probably still has some bugs in it.
6 #
7
8 DOMAIN=xn--u4h.net
9 DAYS=365
10 KEYTYPE=RSA

2) There are probably additional issues. Some of the other differences would be fallout of the above (e.g., checksums), but the signature itself is probably random.

Provisional patch here: https://gist.github.com/lamby/543afd9420d9d740d1320d77faf8c4fc/raw |
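As an added illustration (not part of the original note or of the package's build scripts), the Python below decodes the X.509 Validity field from the bytes shown in the hexdump for both builds and checks that each certificate is valid for exactly 365 days from its build time, matching DAYS=365. The byte strings are transcribed from the dump; the function names are made up for this example.

```python
import re
from datetime import datetime, timezone

# Validity bytes transcribed from the hexdump above (offsets 0x11434-0x11453).
BUILD_A = bytes.fromhex(  # "-" side of the diff
    "301e170d3137313131393139313532355a170d3138313131393139313532355a")
BUILD_B = bytes.fromhex(  # "+" side of the diff
    "301e170d3136313031373132353332355a170d3137313031373132353332355a")

# DER: SEQUENCE (0x30, len 0x1e) holding two UTCTime (0x17, len 0x0d) values,
# i.e. Validity ::= { notBefore, notAfter }, each encoded as YYMMDDHHMMSSZ.
VALIDITY = re.compile(rb"\x30\x1e\x17\x0d(\d{12}Z)\x17\x0d(\d{12}Z)")


def parse_utctime(raw):
    """Decode a UTCTime string using the RFC 5280 two-digit year rule."""
    text = raw.decode("ascii")
    yy = int(text[:2])
    year = 2000 + yy if yy < 50 else 1900 + yy  # 00-49 -> 20YY, 50-99 -> 19YY
    stamp = datetime.strptime(f"{year}{text[2:-1]}", "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def find_validity(blob):
    """Return (offset, notBefore, notAfter) for each UTCTime Validity in blob."""
    return [(m.start(), parse_utctime(m.group(1)), parse_utctime(m.group(2)))
            for m in VALIDITY.finditer(blob)]


def lifetime_days(blob):
    """Certificate lifetime in whole days for each Validity found in blob."""
    return [(not_after - not_before).days
            for _, not_before, not_after in find_validity(blob)]


if __name__ == "__main__":
    for name, blob in (("build A", BUILD_A), ("build B", BUILD_B)):
        for offset, not_before, not_after in find_validity(blob):
            days = (not_after - not_before).days
            print(f"{name}: notBefore={not_before:%Y-%m-%d %H:%M:%S} "
                  f"notAfter={not_after:%Y-%m-%d %H:%M:%S} ({days} days)")
```

The same `find_validity` call can be run over the full contents of two built EFI files to list every embedded certificate whose validity window moves with the build time.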
Our notes about issues affecting packages are stored in notes.git and are targeted at packages in Debian in 'unstable/amd64' (unless they say otherwise). |