Bug 1217967

Summary: grub2: verification build issue
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Bernhard Wiedemann <bwiedemann>
Component: Other
Assignee: Joey Lee <jlee>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: bwiedemann, glin, mchang
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Bernhard Wiedemann 2023-12-12 06:42:41 UTC
While working on reproducible builds for ALP + openSUSE, I found that our
grub2 package produced different results when built locally
compared to the official Factory build on OBS.

My guess is that it comes from
https://github.com/openSUSE/pesign-obs-integration

filterdiff 'rpm -qp --qf %{PLATFORM}\n' binaries*/grub2-2.12~rc1-12.1.x86_64.rpm
--- rpm -qp --qf %{PLATFORM}\n binaries/grub2-2.12~rc1-12.1.x86_64.rpm
+++ rpm -qp --qf %{PLATFORM}\n binaries.nachbau/grub2-2.12~rc1-12.1.x86_64.rpm
@@ -1 +1 @@
-x86_64-suse-linux
+i386-suse-linux-gnu

using https://github.com/bmwiedemann/reproducibleopensuse/blob/master/filterdiff


Apart from that, there is the (probably unavoidable) sig itself:
--- old /usr/share/grub2/x86_64-efi/grub.efi (hex)
+++ new /usr/share/grub2/x86_64-efi/grub.efi (hex)
@@ -1,6 +1,6 @@
 00000100  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000120  00 00 00 00 00 00 00 00  00 50 1f 00 70 07 00 00  |.........P..p...|
+*
 00000130  00 30 1f 00 00 20 00 00  00 00 00 00 00 00 00 00  |.0... ..........|
 00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 *

Comment 1 Joey Lee 2024-07-18 03:01:10 UTC
(In reply to Bernhard Wiedemann from comment #0)
> While working on reproducible builds for ALP + openSUSE, I found that our
> grub2 package produced different results when built locally
> compared to the official Factory build on OBS.
> 
> My guess is that it comes from
> https://github.com/openSUSE/pesign-obs-integration
> 
> filterdiff 'rpm -qp --qf %{PLATFORM}\n'
> binaries*/grub2-2.12~rc1-12.1.x86_64.rpm
> --- rpm -qp --qf %{PLATFORM}\n binaries/grub2-2.12~rc1-12.1.x86_64.rpm
> +++ rpm -qp --qf %{PLATFORM}\n
> binaries.nachbau/grub2-2.12~rc1-12.1.x86_64.rpm
> @@ -1 +1 @@
> -x86_64-suse-linux
> +i386-suse-linux-gnu
> 
> using
> https://github.com/bmwiedemann/reproducibleopensuse/blob/master/filterdiff
> 
> 
> Apart from that, there is the (probably unavoidable) sig itself:
> --- old /usr/share/grub2/x86_64-efi/grub.efi (hex)
> +++ new /usr/share/grub2/x86_64-efi/grub.efi (hex)
> @@ -1,6 +1,6 @@
>  00000100  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00 
> |................|
>  00000110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> |................|
> -00000120  00 00 00 00 00 00 00 00  00 50 1f 00 70 07 00 00 
> |.........P..p...|
> +*
>  00000130  00 30 1f 00 00 20 00 00  00 00 00 00 00 00 00 00  |.0...
> ..........|
>  00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
> |................|
>  *

In Factory, grub2 is signed by the openSUSE key. I am not sure which key is used for signing in your local environment.
Could you please use pesign to check the signature list of grub2.efi? Just compare the two different grub2.efi files.

pesign -S -i ./grub2.efi

Comment 2 Bernhard Wiedemann 2024-07-18 04:45:05 UTC
My local verification builds are not signed.
They should not differ in the PLATFORM rpm header from that.
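
An added example, not code from this bug report, grub2 or pesign-obs-integration: one way to compare a signed Factory grub.efi with an unsigned local rebuild is to remove the three regions the Authenticode digest skips (the CheckSum field, the Certificate Table data directory entry, and the certificate table itself) and hash what is left. The names `strip_signature`, `unsigned_digest` and `make_sample` are hypothetical, and the sample image is constructed with the PE header at 0x80, an assumption under which the directory entry falls at 0x128, the offset of the changed bytes in the hex diff above.

```python
import hashlib
import struct

CERT_DIR = 4  # index of the Certificate Table entry in the PE data directories


def strip_signature(image: bytes) -> bytes:
    """Return the PE image without the parts an Authenticode signature changes."""
    buf = bytearray(image)
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]            # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)           # PE32+ / PE32
    struct.pack_into("<I", buf, opt + 64, 0)               # CheckSum field
    if struct.unpack_from("<I", buf, dirs - 4)[0] <= CERT_DIR:
        return bytes(buf)                                  # no such entry
    entry = dirs + 8 * CERT_DIR
    offset, size = struct.unpack_from("<II", buf, entry)   # file offset, length
    if offset + size > len(buf):
        raise ValueError("certificate table points outside the file")
    struct.pack_into("<II", buf, entry, 0, 0)
    del buf[offset:offset + size]                          # the signature blob
    return bytes(buf)


def unsigned_digest(image: bytes) -> str:
    """SHA-256 of the image after strip_signature(), for build comparison."""
    return hashlib.sha256(strip_signature(image)).hexdigest()


def make_sample(signed: bool) -> bytes:
    """Constructed PE32+ skeleton (not a real grub.efi) with e_lfanew = 0x80."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)               # PE32+ magic
    struct.pack_into("<I", img, 0x104, 16)                 # NumberOfRvaAndSizes
    if signed:
        cert = b"\xAA" * 0x70                              # stand-in signature
        struct.pack_into("<II", img, 0x128, len(img), len(cert))
        img += cert
    return bytes(img)
```

Equal `unsigned_digest` values mean the two files differ only in signature-related bytes; this does not validate the signature and does not touch RPM header fields such as PLATFORM.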