[rb-general] Different checksum for libgcrypt20

Matt Bearup mbearup at microsoft.com
Thu Jul 11 17:54:51 UTC 2019

Hello all,
I'm experimenting with reproducible builds and, while I've managed to generate several packages with correct hashsums (per reproducible-builds.org), there are ~9 packages where I consistently get a different checksum.
Focusing on one package for this discussion...

  *   Libgcrypt20 shows as reproducible on reproducible-builds.org (https://tests.reproducible-builds.org/debian/rb-pkg/buster/amd64/libgcrypt20.html)
  *   The expected sha256 checksum for the amd64 buster binary package (libgcrypt20_1.8.4-5_amd64.deb) is 2bc9a895cb63bea72bf2145ff44f37b9a746ba97a967f0b4c73691d07793303c.
  *   However, I've tried multiple build tools (pbuilder and sbuild), multiple build machines, and multiple host OSes (Stretch and Buster - though the chroot is always buster). I *consistently* get a different sha256 checksum for this package: bbde6cee1fd915e5257b7c47977d8e88dc5e45816fe241fd8751a50aea98c6b8.
  *   I have already confirmed that the downloaded sources (libgcrypt20_1.8.4-5.debian.tar.xz, libgcrypt20_1.8.4.orig.tar.bz2) match the expected sha256 checksums.
  *   The resultant "dev" packages (libgcrypt20-dev_1.8.4-5_amd64.deb and libgcrypt20-dev-dbgsym_1.8.4-5_amd64.deb) *do* have checksums that match those on reproducible-builds.org, but none of the other packages match.
  *   The documentation (https://wiki.debian.org/ReproducibleBuilds/Howto#Testing_procedure) indicates that sbuild is the preferred tool, but the build (https://tests.reproducible-builds.org/debian/rbuild/buster/amd64/libgcrypt20_1.8.4-5.rbuild.log.gz) is clearly using pbuilder. So one of these should work. And they both ultimately call dpkg-buildpackage anyway. Is there another recommended toolchain?
  *   All of my builds have been on VMs - maybe this package requires a "bare metal" build host?
  *   Anything else I could have missed? I've looked at the documentation, but most of it centers on how to make a package reproducible (e.g. build paths and timestamps) not how to configure a build environment. I also don't see anything in the libgcrypt20 source providing specific build environment instructions. It seems like this should "just work" when the correct toolchain is used - which it does for most cases.

Thanks for any recommendations,

Matt Bearup
Software Developer - CEH, CISSP, GCUX
Microsoft Azure Linux
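One way to turn the manual hash comparison in the post into a repeatable check is to read the Checksums-Sha256 stanza that Debian records in a .buildinfo or .changes file and verify each listed artifact against the locally built file. This is an added example, not code from the post or from reproducible-builds.org; the stanza layout assumed is `Checksums-Sha256:` followed by indented `<sha256> <size> <filename>` lines, and the sample artifacts and the "missing" package name are constructed.

```python
# Verify locally built artifacts against a Checksums-Sha256 stanza.
# Added example; sample files below are constructed, not real .deb content.
import hashlib
import re

_LINE = re.compile(r"\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksums_sha256(text: str) -> dict:
    """Return {filename: (sha256, size)} from the Checksums-Sha256 stanza."""
    expected, in_stanza = {}, False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):  # stanza ends at first unindented line
                break
            m = _LINE.match(line)
            if m:
                expected[m.group(3)] = (m.group(1), int(m.group(2)))
    return expected


def verify_artifacts(stanza_text: str, artifacts: dict) -> dict:
    """artifacts: {filename: bytes}. Returns {filename: match|mismatch|missing}."""
    result = {}
    for name, (digest, size) in parse_checksums_sha256(stanza_text).items():
        data = artifacts.get(name)
        if data is None:
            result[name] = "missing"
        elif len(data) == size and sha256_hex(data) == digest:
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


# Constructed sample: the -dev hash is correct, the runtime package hash has
# its first hex digit altered (the kind of mismatch the post describes), and
# one listed file was never built.
SAMPLE_ARTIFACTS = {
    "libgcrypt20-dev_1.8.4-5_amd64.deb": b"constructed dev package contents\n",
    "libgcrypt20_1.8.4-5_amd64.deb": b"constructed runtime package contents\n",
}
_dev = SAMPLE_ARTIFACTS["libgcrypt20-dev_1.8.4-5_amd64.deb"]
_rt = SAMPLE_ARTIFACTS["libgcrypt20_1.8.4-5_amd64.deb"]
_rt_bad = ("0" if sha256_hex(_rt)[0] != "0" else "1") + sha256_hex(_rt)[1:]
SAMPLE_STANZA = "\n".join([
    "Format: 1.0",
    "Checksums-Sha256:",
    f" {sha256_hex(_dev)} {len(_dev)} libgcrypt20-dev_1.8.4-5_amd64.deb",
    f" {_rt_bad} {len(_rt)} libgcrypt20_1.8.4-5_amd64.deb",
    " " + "e" * 64 + " 10 constructed-missing_0.0_all.deb",
    "Build-Origin: Debian",
]) + "\n"

if __name__ == "__main__":
    for name, status in verify_artifacts(SAMPLE_STANZA, SAMPLE_ARTIFACTS).items():
        print(f"{status:8} {name}")
```

On a real build, replace SAMPLE_ARTIFACTS with the bytes of each .deb next to the .buildinfo and feed that file's text in as the stanza; a "mismatch" is the cue to run diffoscope on the two packages.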

