[Git][reproducible-builds/reproducible-website][issue-56/getting-started-guide] Quickstart guide: attempt to clarify and distinguish checksums from cryptographic signatures

James Addison (@jayaddison) gitlab at salsa.debian.org
Wed Oct 23 22:18:55 UTC 2024



James Addison pushed to branch issue-56/getting-started-guide at Reproducible Builds / reproducible-website


Commits:
30d226e0 by James Addison at 2024-10-23T23:18:48+01:00
Quickstart guide: attempt to clarify and distinguish checksums from cryptographic signatures

- - - - -


1 changed file:

- _docs/getting-started.md


Changes:

=====================================
_docs/getting-started.md
=====================================
@@ -8,9 +8,9 @@ This is a brief guide to help you get started writing software that builds [repr
 
 The easiest check that you can perform, without installing any additional software tooling, is to build your software twice and to compare the build output files.
 
-**Tip**: A common approach is to [compare cryptographic hashes](https://reproducible-builds.org/docs/checksums/) rather than the artifacts, but using diff tools or the `cmp` command are also valid alternatives.
+**Tip**: A common approach is to [compare file checksums](https://reproducible-builds.org/docs/checksums/) rather than the artifacts, but using diff tools or the `cmp` command are also valid alternatives.
 
-This works as long as the builds are reproducible byte-by-byte, but embedded signatures make this difficult. You can check [this page](https://reproducible-builds.org/docs/embedded-signatures/) for some suggestions on how to deal with them.
+**Note**: Software builds that involve [cryptographic code signing](https://en.wikipedia.org/wiki/Code_signing) may complicate basic file-to-file comparisons, because some code signing techniques intentionally introduce randomness. To learn how to deal with those situations, refer to the [embedded signatures](https://reproducible-builds.org/docs/embedded-signatures/) documentation.
 
 If the results differ, then you have found a reproducibility bug either in your software or in your toolchain, and can proceed directly to the [troubleshooting](/docs/reproducibility-troubleshooting/) guide.
 
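Review bot: The added **Note** line gives intentional randomness as the only reason code signing complicates file-to-file comparison, which undersells the problem. Even a fully deterministic signature scheme yields bytes that an independent rebuilder cannot recreate, because they do not hold the signing key. Consider wording along the lines of "because an embedded signature depends on a private key that independent rebuilders do not hold, and some signing techniques also introduce randomness". Separately, in the **Tip** line the link text changes from "cryptographic hashes" to "file checksums". That does separate the term from signatures, but "checksum" also covers non-cryptographic functions such as CRCs, which are not collision resistant. If the comparison is meant to serve as evidence that two builds are identical, "cryptographic checksums" keeps the distinction from signatures without losing that property. As a style point, both changed lines use absolute https://reproducible-builds.org/docs/... URLs while the unchanged troubleshooting link in the same hunk uses a site-relative /docs/... path; using one form throughout would keep the links working on staging copies of the site.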



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/30d226e04cc77414bb0d66c0b01ae5a11f44f9c4
