[Git][reproducible-builds/reproducible-website][issue-56/getting-started-guide] Quickstart guide: attempt to clarify and distinguish checksums from cryptographic signatures
James Addison (@jayaddison)
gitlab at salsa.debian.org
Wed Oct 23 22:18:55 UTC 2024
James Addison pushed to branch issue-56/getting-started-guide at Reproducible Builds / reproducible-website
Commits:
30d226e0 by James Addison at 2024-10-23T23:18:48+01:00
Quickstart guide: attempt to clarify and distinguish checksums from cryptographic signatures
- - - - -
1 changed file:
- _docs/getting-started.md
Changes:
=====================================
_docs/getting-started.md
=====================================
@@ -8,9 +8,9 @@ This is a brief guide to help you get started writing software that builds [repr
The easiest check that you can perform, without installing any additional software tooling, is to build your software twice and to compare the build output files.
-**Tip**: A common approach is to [compare cryptographic hashes](https://reproducible-builds.org/docs/checksums/) rather than the artifacts, but using diff tools or the `cmp` command are also valid alternatives.
+**Tip**: A common approach is to [compare file checksums](https://reproducible-builds.org/docs/checksums/) rather than the artifacts, but using diff tools or the `cmp` command are also valid alternatives.
-This works as long as the builds are reproducible byte-by-byte, but embedded signatures make this difficult. You can check [this page](https://reproducible-builds.org/docs/embedded-signatures/) for some suggestions on how to deal with them.
+**Note**: Software builds that involve [cryptographic code signing](https://en.wikipedia.org/wiki/Code_signing) may complicate basic file-to-file comparisons, because some code signing techniques intentionally introduce randomness. To learn how to deal with those situations, refer to the [embedded signatures](https://reproducible-builds.org/docs/embedded-signatures/) documentation.
If the results differ, then you have found a reproducibility bug either in your software or in your toolchain, and can proceed directly to the [troubleshooting](/docs/reproducibility-troubleshooting/) guide.
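Review bot: The reworded tip on the first `+` line drops "cryptographic" from the link text, and "file checksums" on its own also covers non-collision-resistant checksums such as CRC32, which are not a safe basis for asserting that two independently built artifacts are identical. Consider keeping the distinction from signatures while naming the property, for example "compare cryptographic checksums (such as SHA-256) of the files". Separately, the new **Note** attributes the difficulty with code signing only to intentional randomness; a signature made with a deterministic scheme still cannot be regenerated by an independent rebuilder who does not hold the signing key, so the sentence could say "because signatures depend on a private key and some techniques also introduce randomness".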
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/30d226e04cc77414bb0d66c0b01ae5a11f44f9c4